I’ve always been pretty competitive. For instance, back in high school my friends and I would make boasts about how we’d have more of this or that, and steal the other’s wife, etc. Yes, it was silly high school ego run rampant, but I thought life was a zero sum game back then. Win/win was not in my vocabulary. I win, you lose, that’s it.

Now that is some fireworks... I carried that competitive spirit into the first 15 years or so of my working career. At META, it was about my service selling more than yours. About me being able to stake out overlapping coverage areas and winning the research battle. In the start-up world, it was about raising the money and beating the other companies with similar stories & models.

Then in a variety of vendor gigs, each in very competitive market spaces, it was about competing and winning and having a better story and giving the sales team better tools to win more deals. Nothing was ever good enough – not at work, not at home, and not in my own head.

Yeah, I was frackin’ miserable. And made most of the people around me miserable as well.

When I was told my services were no longer needed at CipherTrust, I saw it as an opportunity to go in a different direction. To focus on helping folks do better, as opposed to winning whatever ‘needed’ to be won. It wasn’t exactly a conscious decision, but I knew I needed a change in focus and attitude. For the most part, it worked. I was much happier, I was doing better, and I was less grumpy.

Then I stepped back into corporate life, but to be honest, my heart wasn’t in it. I didn’t care if we lost a specific deal because we should be able to get into a lot of deals and statistically we’d be OK. Of course, I had to mask that indifference, but ultimately for a lot of reasons it didn’t make sense for me to continue in that role. So I left and got back to where I could help folks, and not worry about winning.

But you can’t entirely escape competition. Now I play softball on Sundays with a bunch of old guys like me. But some of them still have that competitive fire burning and to be honest it gets annoying. When someone boots a ground ball or lines out with runners on, these guys get all pissed off. We lost a one-run game last Sunday, after coming back from 3 runs down in the last inning. I was happy with that effort – we didn’t give up. Others were pissed.

Personally, I play softball because it’s fun. I get outside, I run around, I get my couple of at-bats and make a few plays in the field. But when guys get all uppity about not winning or someone making a mistake, it’s demotivating to me. I’ve got to find a way to tune out the negativity and still have fun playing. Or I’ll need to stop, which is the wrong answer. But I am working too hard to be positive (which is not my default mode) to hang around with negatives.

Yes, I like to win. But I don’t need to win anymore. And I’m a lot happier now because of it. But that’s just me.

– Mike.

Photo credits: “win win” uploaded to Flickr by TheTruthAbout…

Recent Securosis Posts

Incite 4 U

  1. Different NAC strokes for different folks – A few weeks ago, Joel Snyder talked about what went wrong with NAC. It was a good analysis of the market issues. Joel’s conclusion is that there isn’t really a standard set of NAC features, but rather a number of different breeds. Which basically means there is no market – not a consistent one, anyway. No wonder the category has struggled – nobody can agree on what problem the technology is supposed to solve. Joel also points out some of the political issues of deploying a solution that spans network, endpoint, and security teams. This week, NetworkWorld published the Joel’s review. He does likes some of the products (those based on 802.1X like Avenda, Enterasys, and Juniper), and has issues with some of the others (ForeScout and TrustWave). But ultimately the review highlights the reality of the market, which is that there isn’t one. – MR
  2. DRM dreams – Designing DRM systems in 1996, I had big hopes that digital lockers would be a popular choice to secure content for people to share on the Internet. I thought everyone from banking systems to media distribution could benefit. By 1998 that dream faded as nobody was really interested in secure content storage or delivery. But it turns out someone has the same dreams I did: hackers embrace DRM as a way to hide pirated content as reported on Yahoo! News. Basically pirated video is wrapped up in a protective blanket of encryption, which can then be moved and stored freely, without detection by content analysis tools. Porn, pirated movies, and whatever else, can be distributed without fear of being inspected and discovered. And this model works really freaking’ well when the buyer and seller want to keep their activity a secret. Hollywood may have complained bitterly about pirated DVDs, but this particular delivery model will be near impossible to stop. No, Cyber-nanny will not cut it. There are only a handful of ways to catch and prosecute this type of crime. Law enforcement will have to figure out how to police the exchange of decryption keys for money. – AL
  3. Disclosure is religion – I’ve been known to write and talk about the disclosure debate, but I’m starting to wonder if it’s worth the effort. Disclosure has clearly become religion, with everyone believing what they want, nothing more than anecdotal evidence to support anyone’s position, and enough logical fallacies on all sides to fill all the empty heads at a Crossing Over with John Edward show. Tyler Reguly wades in with an informed and reasonable post on the relationship between Full Disclosure and Responsible Disclosure that’s worth a read, but I don’t expect it to change any minds. I worry that even if we ever do get the kinds of studies and data we need to make informed disclosure decisions, they will be ignored faster than evolution in a Texas school book (how’s that for troll bait?!) – RM
  4. Cyber-insurance a messy business – When there are no precedents, things inevitably get messy. As Ed points out on the SecurityCurve blog, an insurer called Colorado Casualty is basically making a pre-emptive strike against the University of Utah to protect against any potential claims from a set of lost tapes (that triggered a $3.3MM disclosure). Is Colorado Casualty wrong? Without precedent, there is no way to know. It seems like your typical insurance company crap of not wanting to pay even when they should, but who knows? And it will take a few years and lots of legal fees to figure out what is right and wrong. Until then, understand that cyber-insurance may not insure you from much of anything. – MR
  5. iPhone encryption trick – If you have an iPhone 3GS or later there is hardware encryption on the device to protect your data. But Apple screwed the pooch on the implementation which basically made the encryption worthless. But the good news is they seem to have fixed this in the just-released iOS 4 software, although you need to take a couple extra steps to make it work. The new version uses your passcode to protect the encryption keys, assuming they got it right this time. If you buy a new iPhone 4 it is enabled by default if you use a passcode, but as described in this support note, you need to take a couple extra steps to enable the improved encryption if you upgraded your device. I hope this works… – RM
  6. Einstein not so smart? – I guess Stiennon isn’t happy with his infamy in declaring IDS dead 10 or so years ago. So now he’s getting on his soapbox and saying DHS’s Einstein project (basically a mondo-IDS) is all wrong. Of course, he doesn’t offer any solutions in the piece or directions on how to make it better. The issues he points out (information overload, lack of staffing) are real. But you need to monitor to know what is going on. Period. The real gap thus far is how to deal with the amount of data – and more importantly how to fix the issues you find. Calling Einstein stupid doesn’t solve the problem. Richard is a smart guy and it would be great to see less rhetoric and more constructive ideas. Though I’m sure all is divulged in Richard’s book. 😉 – MR
  7. Cloudy value, crystal clear motivation – Mike Vizard has been running a series of posts on application testing, with liberal quotes from Aparna Sharma of Infosys Technologies. The entire mindset – premises and approach – is totally backwards. First, having application developers test their own code is not “a case of the fox guarding the hen house”. Developers are not the ones hacking their own code, so this is a B.S. argument. Second, it’s not a huge burden to run automated tests. Many developers link test cases into nightly builds for component and module sanity tests for both security and quality. Test cases requiring complete builds are usually run by QA. The pain in the ass is figuring out if the results are useful or just more false positive garbage. Third, automated application testing has its place, but it’s not a substitute for manual testing. In fact you do both, leveraging the strengths of each where needed – both for coverage and to reduce costs. Finally, the bias towards manual testing is because it is effective: the preference is to automate when possible. Reviewing code is hard work, and very few people are qualified to do it or like to do it. Remember that development teams create libraries of code, trusted both to function and to be secure, to minimize the need to do automated or manual tests. It’s not like you need the limitless resources of the cloud to perform automated testing – ‘the cloud’ is just a convenient delivery model. – AL
  8. The benefit of copying – So how do you get security kung fu and/or improve your skills? Take some advice from the folks at 37Signals and copy someone you respect. 37S is talking about design, but the same method can apply to security. With the advent of lots of video content available nowadays, you can see someone else do something cool, mostly for free. I guess you could go to a hands-on education class, but I’ve found seeing someone else do something and then screwing it up myself is the best way for me to learn. Check out Mubix’s Practical Exploitation and The Academy Pro (mostly vendor stuff); and we know of a few other folks planning detailed video courses, so we expect the amount of content available to mushroom over the next 18 months. – MR