Sometimes I have a weekend when I am just amazed. Amazed at the fun I had. Amazed at the connections I developed. And I’m aware enough to be overcome with gratitude for how fortunate I am. A few weekends ago I had one of those experiences. It was awesome.

It started on a Thursday. After a whirlwind trip to the West Coast to help a client out with a short-term situation (I was out there for 18 hours), I grabbed a drink with a friend of a friend. We ended up talking for 5 hours and closing down the bar/restaurant. At one point we had to order some food because they were about to close the kitchen. It’s so cool to make new friends and learn about interesting people with diverse experiences.

The following day I got a ton of work done and then took XX1 to the first Falcons pre-season game. Even though it was only a pre-season game it was great to be back in the Georgia Dome. But it was even better to get a few hours with my big girl. She’s almost 15 now and she’ll be driving soon enough (Crap!), so I know she’ll prioritize spending time with her friends in the near term, and then she’ll be off to chase her own windmills. So I make sure to savor every minute I get with her.

On Saturday I took the twins to Six Flags. We rode roller coasters. All. Day. 7 rides on 6 different coasters (we did the Superman ride twice). XX2 has always been fearless and willing to ride any coaster at any time. I don’t think I’ve seen her happier than when she was tall enough to ride a big coaster for the first time. What’s new is the Boy. In April I forced him onto a big coaster up in New Jersey. He wasn’t a fan. But something shifted over the summer, and now he’s the first one to run up and get in line. Nothing makes me happier than to hear him screaming out F-bombs as we careen down the first drop. That’s truly my happy place.

If that wasn’t enough, I had to be on the West Coast (again) Tuesday of the following week, so I burned some miles and hotel points for a little detour to Denver to catch both Foo Fighters shows. I had a lot of work to do, so the only socializing I did was in the pit at the shows (sorry Denver peeps). But the concerts were incredible, I had good seats, and it was a great experience.


So my epic weekend was epic. And best of all, I was very conscious that not a lot of people get to do these kinds of things. I was so appreciative of where I am in life. That I have my health, my kids want to spend time with me, and they enjoy doing the same things I do. The fact that I have a job that affords me the ability to travel and see very cool parts of the world is not lost on me either. I guess when I bust out a favorite saying of mine, “Abundance begins with gratitude,” I’m trying to live that every day.

I realize how lucky I am. And I do not take it for granted. Not for one second.


Photo credit: In the pit picture by MSR, taken 8/17/2015

Thanks to everyone who contributed to my Team in Training run to support the battle against blood cancers. We’ve raised almost $6000 so far, which is incredible. I am overwhelmed with gratitude. You can read my story in a recent Incite, and then hopefully contribute (tax-deductible) whatever you can afford. Thank you.

The fine folks at the RSA Conference posted the talk Jennifer Minella and I did on mindfulness at the 2014 conference. You can check it out on YouTube. Take an hour and check it out. Your emails, alerts and Twitter timeline will be there when you get back.

Securosis Firestarter

Have you checked out our new video podcast? Rich, Adrian, and Mike get into a Google Hangout and… hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail.

Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too.

Building a Threat Intelligence Program

EMV and the Changing Payment Space

Network Security Gateway Evolution

Recently Published Papers

Incite 4 U

  1. Can ‘em: If you want better software quality, fire your QA team – that’s what one of Forrester’s clients told Mike Gualtieri. That tracks to what we have been seeing from other firms, specifically when the QA team is mired in an old way of doing things and won’t work with developers to write test scripts and integrate them into the build process. This is one of the key points we learned earlier this year on the failure of documentation, where firms moving to Agile were failing as their QA teams insisted on hundreds of pages of specifications for how and what to test. That’s the opposite of Agile and no bueno! Steven Maguire hit on this topic back in January when he discussed documentation and communication making QA a major impediment in moving to more Agile – and more automated – testing processes. Software development is undergoing a radical transformation, with restful APIs, DevOps principles, and cloud & virtualization technologies enabling far greater agility and efficiency than ever before. And if you’re in IT or Operations, take note, because these disruptive changes will hit you as well. Upside the head. – AL
  2. Security technologies never really die…: Sometimes you read an article and can’t tell if the writer is just trolling you. I got that distinct feeling reading Roger Grimes’ 10 security technologies destined for the dustbin. Some are pretty predictable (SSL being displaced by TLS, IPSec), which is to be expected. And obvious, like calling for AV scanners to go away, although claiming they will die in the wake of a whitelisting revolution is curious. Others are just wrong. He predicts the demise of firewalls because of an increasing amount of encrypted traffic. Uh, no. You’ll have to deal with the encrypted traffic, but access control on the network (which is what a firewall does) is here to stay. He says anti-spam will go away because high-assurance identities will allow us to blacklist spammers. Uh huh. Another good one is that you’ll no longer collect huge event logs. I don’t think his point is that you won’t collect any logs, but that vendors will make them more useful. What about compliance? And forensics? Those require more granular data collection. It’s interesting to read these thoughts, but if he bats .400 I’ll be surprised. – MR
  3. Don’t cross the streams: In a recent post on Where do PCI-DSS and PII Intersect?, Infosec Institute makes a case for dealing with PII under the same set of controls used for PCI-DSS V3. We take a bit of a different approach: Decide whether you need the data, and if not use a surrogate like masking or tokenization – maybe even get rid of the data entirely. It’s hard to steal what you don’t have. Just because you’ve tokenized PAN data (CCs) does not mean you can do the same with PII – it depends on how the data is used. Including PII in PAN data reports is likely to confuse auditors and make things more complicated. And if you’re using encryption or dynamic masking, it will take work to apply it to different data sets. The good news is that if you are required to comply with PCI-DSS, you have likely already invested in security products and staff with experience in dealing with sensitive data. You need to figure out how to handle data security, understanding that what you do for PII will likely differ from what you do for in-scope PCI data because the use cases are different. – AL
  4. Applying DevOps to Security: Our pal Andrew Storms offers a good selection of ideas on how to take lessons learned in DevOps and apply them to security on the ITProPortal. His points about getting everyone on board and working in iterations hit home. Those are prominent topics as we work with clients to secure their newfangled continuous deployment environments. He also has a good list of principles we should be following anyway, such as encrypting everything (where feasible), planning for failure, and automating everything. These new development and operational models are going to take root sooner rather than later. If you want a head start on where your career is going, start reading stuff like this now. – MR
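An added example (not from the Incite or from Securosis) of the split item 3 argues for: an in-scope PAN gets a reversible vault token that keeps only the last four digits, while PII is not tokenized but handled per use case, masked for reports and kept intact only where the real value is needed. The vault class, the Luhn helper, the purpose names and the sample values are assumptions for illustration.

```python
import re
import secrets


def luhn_ok(digits):
    """Luhn check: tells a real PAN from a token that merely looks like one."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


class PanTokenVault:
    """Reversible tokenization for in-scope PANs; the mapping lives only in the vault."""

    def __init__(self):
        self._pan_to_token = {}
        self._token_to_pan = {}

    def tokenize(self, pan):
        digits = re.sub(r"\D", "", pan)
        if not 13 <= len(digits) <= 19 or not luhn_ok(digits):
            raise ValueError("not a valid PAN")
        if digits in self._pan_to_token:  # same PAN always maps to the same token
            return self._pan_to_token[digits]
        while True:
            # Keep the last four for customer service; everything else is random.
            body = "".join(secrets.choice("0123456789") for _ in range(len(digits) - 4))
            token = body + digits[-4:]
            # Tokens must not collide and must fail Luhn, so one can never pass as a PAN.
            if token not in self._token_to_pan and not luhn_ok(token):
                break
        self._pan_to_token[digits] = token
        self._token_to_pan[token] = digits
        return token

    def detokenize(self, token):
        return self._token_to_pan[token]


def pii_for_purpose(record, purpose):
    """PII is not tokenized like a PAN: each use case gets only what it needs."""
    if purpose == "billing":  # must reach the customer, so the real address is needed
        return {"name": record["name"], "email": record["email"]}
    if purpose == "report":  # dashboards and audit reports get masked values
        masked = re.sub(r"^(.).*?(@.*)$", r"\1***\2", record["email"])
        return {"name": record["name"][0] + "***", "email": masked}
    raise ValueError("no handling policy for purpose %r" % purpose)
```

The constructed PAN 4111 1111 1111 1111 is a standard Luhn-valid test number, not a real card.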