A few weeks ago I was complaining about travel and not being home – mostly because I’m on family vacations and doing work I enjoy. I acknowledged these are first world problems. I didn’t appreciate what that means. You lose touch with a lot of folks’ reality when you are in the maelstrom of your own crap. I’m too busy. The kids have too many activities. There are too many demands on my time.


That all stopped over the weekend. On the recommendation of a friend, I bought and watched Living on One Dollar. It’s a documentary about 4 US guys who went down to a small town in Guatemala and lived on one dollar a day. That was about the median income for the folks in that town. Seeing the living conditions. Seeing the struggle.

It’s hard to live on that income. There is no margin for error. If you get sick you’re screwed because you don’t have money for drugs. You might not be able to afford to send your kids to school. If you are a day laborer and you don’t get work that day, you might not be able to feed your kids. If the roof is leaking, you might not have any money to fix it.

But you know what I saw in that movie? Not despondency. Not fatalism, though I’m sure some folks probably feel that from time to time. I saw optimism. People in the town were taking out micro-loans to start their own businesses and then using the profits to go to school to better themselves. I saw kindness. One of the only people in the town with a regular salaried job gave money to another family that couldn’t afford medicine to help heal a sick mother. This was money he probably couldn’t spare. But he did anyway.

I saw kids who want to learn a new language. They understand they had to work in the fields and might not be able to go to school every year, but they want to learn. They want to better themselves. They have the indomitable human spirit. Where many people would see pain and living conditions no one should have to suffer through, these folks saw optimism. Or the directors of the documentary showed that. They showed the impact of micro-finance.

Basically it made me reconnect with gratitude. For where I was born. For the family I was born into. For the opportunities I have had. For the work I have put in to capitalize on those opportunities. Many of us won the birth lottery. We have opportunities that billions of other people in the world don’t have. So what are you going to do with it?

I’m probably late to the bandwagon, but I’m going to start making micro-loans. I know lots of you have done that for years, and that’s great. I’ve been too wrapped up in my own crap. But it’s never too late to start, so that’s what I’m going to do.

So watch the movie. And then decide what you can do to help. And then do it.


The fine folks at the RSA Conference posted the talk Jennifer Minella and I did on mindfulness at the conference this year. You can check it out on YouTube. Take an hour and check it out. Your emails, alerts and Twitter timeline will be there when you get back.

Securosis Firestarter

Have you checked out our new video podcast? Rich, Adrian, and Mike get into a Google Hangout and.. hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail.

Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too.

Leveraging Threat Intelligence in Incident Response/Management

Endpoint Security Management Buyer’s Guide (Update)

Trends in Data Centric Security

Open Source Development and Application Security Analysis

Understanding Role-based Access Control

NoSQL Security 2.0

Newly Published Papers

Not so much Incite 4 U

  1. Oh about that cyber-policy… It looks like folks are getting interested in cyber-insurance. At least in the UK. And it’s mainstream news now, given an article on Business Insider about the market. After the predictable Target breach reference they had some interesting numbers on the growth of the cyber-insurance market, to a projected total of over $2 billion in 2014. So what are you buying? Beats me. Is it “insurance cover from hackers stealing customer data and cyber terrorists shutting down websites to demand a ransom”? I didn’t realize you could value your data and get reimbursed if it’s stolen. And how is this stuff priced? I have no idea. A professor offers a good assessment: “When it comes to cyber there are lots of risks and they keep changing, and you have a general absence of actuarial material. The question for the underwriter is how on earth do I cover this?” And how on earth do you collect on it? It will be interesting to see how the market shakes out after the first wave of claims hits. – MR
  2. The cyber-blotter: Are you one of those voyeur types who runs out to the end of the yard each day to grab the local paper and check out the police blotter? Are you dying to know who got popped for DUI or domestic abuse or tax evasion? No? Me neither, but Kaspersky’s Top Prosecutions for June gave me the same feeling. You can read about a Romanian dude getting 4 years for hacking stuff. The guys who stole some iCloud credentials may get up to 4 years in the Russian gulag. 10 years for another set of criminals doing Internet fraud. A botnet takedown or two. Interesting stuff! But not even a drop in the bucket. In any case, I get to go old school and hum the Baretta intro, “Don’t do the crime, if you can’t do the time…” – MR
  3. The Proctor-ologist is in: Good interview here with Gartner’s Paul Proctor, who was touring Europe beating the drum for a risk-based security program. Paul has done some cool research on how larger companies are communicating security value to their leadership – and even better, he wants to kill the term GRC. Which I’m totally down with. It is a pretty wide-ranging interview, so go read it. But Paul’s net about automotive business leadership is that “Their executives don’t care about IT downtime; they care about cars.” So having a fear-based discussion will work in the short term (especially when you are clutching the latest alarmist media coverage of the breach du jour) and get the attention of executives, but as Paul says “Now when you get their attention you have to do something useful with it.” Probably start by figuring out how security issues really impact the business. – MR