This week marks the end of one year and the beginning of the next. For a long time I took this opportunity around the holidays to revisit my goals and ensure I was still on track. I diligently wrote down my life goals and break those into 10, 5, and 1 year increments. Just to make sure I was making progress toward where I wanted to be. Then a funny thing happened. I realized that constantly trying to get somewhere else made me very unhappy. So I stopped doing that.

That’s right. I don’t have specific goals any more. Besides the stuff on Maslow’s hierarchy, anyway. If I can put a roof over our heads, feed my family, provide enough to do cool stuff, and feel like I’m helping people on a daily basis, I’m good. Really. But there are times when human nature rears its (ugly) head.

These are the times when I wonder whether my approach still makes sense. I mean, what kind of high-achieving individual doesn’t need goals to strive toward? How will I know when I get somewhere, if I don’t know where I’m going? Shouldn’t I be competing with something? Doesn’t a little competition bring out the best in everyone? Is this entire line of thinking just a cop-out because I failed a few times?

Yup, I’m human, and my monkey brain is always placing these mental land mines in my path. Sustainable change is very hard, especially with my own mind trying to get me to sink back into my old habits. These thoughts perpetually attempt to convince me I’m not on the right path. That I need to get back to constantly striving for what I don’t have, rather than appreciating what I do have.

Years ago my annual reset was focused on making sure I was moving toward my goals. Nowadays I use it to maintain my resolve to get where I want to be – even if I’m not sure where that is or when I will get there. The first year or two that was a real challenge – I am used to very specific goals. And without those goals I felt a bit lost.

But not any more, because I look at results. If you are keeping score, I lead a pretty balanced life. I have the flexibility to work on what I want to work on with people I enjoying working with. I can work when I want to work, where I want to work. Today that’s my home office. Friday it will be in a coffee shop somewhere. Surprisingly enough, all this flexibility has not impacted my ability to earn at all. If anything, I am doing better than when I worked for the man. Yes, I’m a lucky guy.

That doesn’t mean I don’t get stressed out during crunch time. That I don’t get frustrated with things I can’t control. Or that everything is always idyllic. I am human, which means my monkey brain wins every so often and I feel dissatisfied. But I used to feel dissatisfied most of the time, so that’s progress.

I also understand that the way I live is not right for everyone. Working on a small team where everyone has to carry their own weight won’t work if you can’t sell or deliver what you sold. Likewise, without strong self-motivation to get things done, not setting goals probably won’t work out very well. But it works for me, and at least once a year I take a few hours to remind myself of that.

Happy New Year (Shanah Tova) for those of you celebrating this week. May the coming year bring you health and happiness.


Photo credit: “Reset” originally uploaded by Steve Snodgrass

Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, where you can get all our content in its unabridged glory. And you can get all our research papers too.

Firewall Management Essentials

Ecosystem Threat Intelligence

Continuous Security Monitoring

Database Denial of Service

API Gateways

Newly Published Papers

Incite 4 U

  1. Wherefore art thou, cyber-liability insurance?: Interesting circumstances around Liberty Mutual suing their customer to define what they will and won’t cover with cyber insurance. As Dan Glass says, Liberty Mutual treats cyber just like physical assets. That means they will pay for the cost of the breach (like they pay for the destruction of physical assets), but they don’t want to cover other losses (such as regulatory fines or customer privacy lawsuits, etc.). If they are successful in defining these boundaries around their liability, Dan correctly points out: In other words, cyber insurance will be a minor part of any technology risk management program. Don’t let your BOD, CFO, or CIO get lulled into thinking cyber insurance will do much for the organization. – MR
  2. Big R, Little r, what begins with R? My views on risk management frameworks have seriously changed over the past decade or so. I once wrote up my own qualitative framework (my motivation now eludes me, but youthful exuberance was likely involved), I have mostly been disillusioned with the application of risk management methodologies to security – particularly quantitative models that never use feedback to match predictions against reality. Russell Thomas has a great post showing the disconnect between how many of us in security look at risk, compared to more mature financial models. To paraphrase, we often take a reductionist approach and try and map vulnerabilities and threats to costs – not only relying on inaccuracies but, in the end, not really coming up with meaningful assessments of risk to the organization. Big “R” risk takes a different approach that, as Russell describes, is more top-down and focused on the big picture. I like it because it puts us on a more pragmatic road, which seems similar to the approaches taken by many of the smarter organizations. – RM
  3. It’s about data: The Three Paradoxes of Big Data is reaching for a big theme, but really only points out something that occurs with most new technologies. When the telephone was invented society got the amazing benefit of real-time communication over long distances. A generation (or two) later the other shoe dropped in the form of annoying phone solicitations and wiretapping. With the Internet we could replace many physical forms of communication and information sharing with digital alternatives. But we also got spam and many forms of electronic fraud and espionage. The fact that big data provides better data analysis does not mean it’s value is ambiguous – the value is clear. The paradox is in government and corporate use of data. Big data has become the catalyst for public awareness of how organizations use data for their own advantage rather than ours, but there is no deeper meaning: big data is just another tool that leverages data. – AL
  4. You can’t kill them, so you should manage them better: Every security person has complained about passwords. They aren’t secure. Stupid users post them on their monitors. And even then they forget their passwords and burn up valuable help desk resources. Blah blah blah. As much as we would like to see single sign-on really happen, and maybe some cloud-based alternative will stick at some point, we are unlikely to ever get rid of passwords. So the next best option is to manage them better – on an enterprise-wide basis. Network World did a test of 6 password managers which showed that the market is pretty immature; even with the six alternatives they tested, capabilities are all over the map. I have been a 1Password user for years and it works great on an individual basis. But that doesn’t help enterprises much, so check out their review for a feel for the latest capabilities. And then keep an eye on these tools as they evolve rapidly over the next 18-24 months. – MR
  5. More, please! One of the biggest problems we seem to have in security is sharing what works. I was at a party over the weekend, talking to a CIO, when I mentioned how limited end-user talks at conferences are. He mentioned that legal tends to demand per-slide review of nearly any public talk – never mind security. We all know this is an issue, and as a former conference organizer I hated losing talks at the last minute when legal stepped in – which, unfortunately, happened all the time. That’s why I get excited by things like this talk from Zane Lackey at Etsy on “Attack-driven defense”. Specific techniques, real-world scenarios, and not too generalized to be useful. I have said we need a “Black Hat for defenders”, and this is exactly the kind of content I think more practitioners would appreciate. – RM
  6. Malinformation: It is clear that AV is not anti-malware, right? It looks to me like most IT practitioners understood this back in 2009, so it comes as a surprise to see confusion persisting in 2013. The article Anti-malware is not dead, but it’s futile makes the mistake of equating AV with anti-malware. While it is true that the pace of new viruses have outpaced AV vendors’ ability to keep blacklists current, today’s malware is different, and tactics to detect it need to change. We see real innovation in reputation analysis, fraud analysis, traffic analysis, and behavioral monitoring from anti-malware vendors applying new techniques beyond signatures and sandboxing. But combating malware is not the war – it is just one battle in the never-ending effort to keep fraud, theft, and misuse at manageable levels. – AL
  7. Network security gets security analytics religion: It is funny how markets shake out sometimes. I have been saying for a while that full packet capture based security analytics platforms are the future of what was called SIEM. But Solera Networks was bought by Blue Coat earlier this year, and now PacketLoop has been acquired by Arbor Networks. Clearly they see the technology to capture and analyze packets as more of a way to provide better visibility for the network, rather than simply a broader data set for enterprise security monitoring. Some SIEM vendors will be rolling out full packet capture and analysis capabilities over the next year, but I still believe in my original contention. But clearly the network security folks see some value there as well. – MR