One of the things I most enjoy when the kids are at camp is being able to follow my natural rhythms. During the school year things are pretty structured. Get up at 5, do my meditation, get the kids ready for school, do some yoga/exercise, clean up, and get to work. When I’m on the road things are built around the business day, when I’m running around from meeting to meeting.

But during the summer, when I’m not traveling I can be a little less structured and it’s really nice. I still get up pretty early, but if I want to watch an episode of Game of Thrones at 10am I will. If I want to do some journaling at 3pm, I will. If I feel like starting the Incite at 9pm I’ll do that too. I tend to be pretty productive first thing in the morning, and then later in the day. Not sure why but that’s my rhythm.

I have always tried to schedule my work calls in the early afternoon when possible, when I have a bit less energy, and needing to be on during the call carries me through. I do a lot of my writing pretty late at night. At least I have been lately. That’s when inspiration hits, and I know better than to mess with things when it’s flowing.

Of course when the kids come home rhythms be damned. Seems the school board doesn’t give a rat’s ass about my rhythms. Nor does the dance company or the lax team. The kids need to be there when they need to be there. So I adapt and I’m probably not as efficient as I could be. But it’s okay. I can still nod off at 11am or catch a matinee at noon if I feel like it. Just don’t tell The Boss, Rich, or Adrian – they think I’m always diligently working.

That can be our little secret…


Photo credit: “Mystic Rhythms signage” originally uploaded by Julie Dennehy

The fine folks at the RSA Conference posted the talk Jennifer Minella and I did on mindfulness at the conference this year. You can check it out on YouTube. Take an hour and check it out. Your emails, alerts and Twitter timeline will be there when you get back.

Securosis Firestarter

Have you checked out our new video podcast? Rich, Adrian, and Mike get into a Google Hangout and.. hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail.

Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too.

The Security Pro’s Guide to Cloud File Storage and Collaboration

Leveraging Threat Intelligence in Incident Response/Management

Endpoint Security Management Buyer’s Guide (Update)

Trends in Data Centric Security

Understanding Role-based Access Control

NoSQL Security 2.0

Newly Published Papers

Incite 4 U

  1. No executive access, what? Something doesn’t compute about this Ponemon survey claiming 31% of organizations surveyed never speak to their senior team about security? And 40% in the UK? I don’t believe it. Maybe those respondents had one pint too many. Any regulated organization needs to communicate about security. Any company looking to acquire cyber liability insurance needs to communicate about security. Any friggin’ company with anything to steal needs to communicate about security. Now, is that communication effective? Probably not. Should it happen more often? Absolutely. But I don’t buy not at all – that sounds like hogwash. But it makes for good click-thru numbers, and I shouldn’t forget vendors need to feed the pageview beast. – MR
  2. And they’re off! Starbucks is launching a general purpose payment app, so you can not only buy coffee, but use the app for other retailers as well. Sure, it seems odd to use a Starbucks app to buy something like airline tickets, but the race to own the customer shopping experience is heating up! Currently it’s Visa by a nose – they both continue to push support for their mobile wallet and aggressively engage merchants to support single-button checkout in Europe. Just to pat myself on the back a bit, a year ago I said that Visa was gunning to be an Identity Provider, and that is essentially what this is. Merchant app? Merchant wallet? Payment provider wallet? Don’t like any of those options? How about one embedded into your phone? For years telcos have been working with phone manufacturers to embed a ‘secure element’ to manage secure communications, VPN, and secure payment linked directly to your cell account. Fortunately that cat herding exercise is going nowhere fast – would you choose AT&T as your bank? What could go wrong with that? And don’t forget about new payment approaches either. Host Card Emulation (e.g., a virtual secure element) running over Bluetooth Low Energy looks viable right now. You wouldn’t want to call Apple a dark horse in this race, but I’m betting this is the way they will go, and lots of firms will follow in their wake. – AL
  3. CISO three envelopes: I remember how hard it was for my parents to explain what I did. They probably still have a problem saying I drink coffee, fly around, and write some stuff sometimes. And make a living. If you’re a CISO and your family and/or friends don’t get it, have them read this NY Times article on how hard the CISO job is. Of course it’s all stuff we know, but this is mass media. So you’ll see the platitudes and obvious stuff, and some gratuitous Target and bad NSS testing results mentions. And even the famous “three envelopes” joke explaining the futility of being a CISO. Don’t buy into it. With difficulty comes opportunity. If it was easy it wouldn’t be valuable. If you want easy, do something like trying to break into the music business. LOL! And who says security folks have a high opinion of themselves? – MR
  4. Hype machine: Our friend Rob Westervelt over at CRN reports Security Vendor Hype Fuels Lackluster Technology Investments, which – with delicious irony – is from the place vendors go to manufacture their hype: a Ponemon study. I’m not critiquing this study – just pointing out that Occam’s Razor applies here: Most security startups are bad investments. Besides bad management, bad execution, bad timing, etc., security is an especially hard market to compete in. There is no security “Yo!” app. Threats may be advanced, and persistent, and attacks change all the time, so it’s a constant cat and mouse game. Viruses to trojans to SQL injection to phishing to XSS to CSRF to malware … you know the story. How do you build a security business when your key feature is out of fashion in two years? Inability to create a sustainable business based on security technology du jour is the reason for lackluster investment. No need to create hype about hype – it is clear that there are plenty of good ideas backed by big VCs, but only a limited window of time to execute (advertise?) before the investment goes sour. – AL
  5. Malware falling off the truck: If you’re a nation state and you have some unique malware, and you have used it a bunch of times and it can be attributed back to you (via increasingly sophisticated adversary analysis), what now? Put it on the shelf? But it still works against most of the unsophisticated targets out there. Why not let it fall off the truck, and have the commercial crime sector use it, improve it, and take attribution right off the table? Seems like a good and plausible idea to me. Evidently to the Russians as well, who let the Gyges malware fall into the hands of cybercriminals. Hiding in plain sight – you have got to love that. – MR