Tuesday, December 23, 2014

My Focus on Integrity

Over the last few weeks I've been engaged with the editorial staff at WiseGate as I strive to understand the result of some informal polling I did about Integrity - Change Monitoring, Security Monitoring, and maintaining the integrity of computing environments for security and compliance.

I won't dive into those results here, except to say they have revealed something that, perhaps, I should have already known: there's a gap between what we want to do and what we're able to do.

I've been having a back-and-forth with one such editor, and what follows is the e-mail in which I tried both to distill the meaning of Integrity and to show how the focus on Integrity starts with the system - not the data.

This is my classic method - use examples, preferably car examples, to describe the more intellectual subjects of information security.  Sadly, this shows that what you see here in my blog is exactly how I write - and how I think.

After reading this e-mail, the editor said it needed to be published.  So, here it is.  Enjoy.

(Note: the editor I was talking to is British, hence the selective use of a few words in here like "petrol" for "gas".)

I think I need to take another run at explaining Integrity.

Yes, it’s all about the data.  But, sometimes, it’s about the systems, too.

Take a system like your car.  You’re the data, the car is the system that handles the data.  The purpose of the car is to deliver the data safely to its destination while allowing some changes (aircon, heating) and not allowing others (theft), and protecting from the eventuality of yet others (seat belts, airbags).

Think about all the components of that car.  As a driver, you’re relying on the integrity of every component – the steering, the engine, the suspension, the brakes, the tires – but the only assurance you have that your car still has integrity is the garage it’s parked in, a check engine light, and a penetration car alarm.

A criminal picks you.  They put a pinhole in the fuel line feeding petrol to the engine.  Sure enough, the car alarm goes off – but, of course, car alarms go off ALL THE TIME, so no one checks it.  (Barking dog syndrome.)  A leaking fuel line won’t trigger the Check Engine Light.  Do you know your car’s integrity has been compromised?  No, and somewhere along your drive to your next destination, your system flames out and self-destructs.  Hopefully you get out safely (probably, since cars are designed to handle engine fires).

What happens if the pinhole is in the brake system?  One time you go to stop – no brakes.  That’s much worse.

Now, a real hacker wouldn’t even set off the penetration car alarm.  They’d sit and wait, capture the signal from your remote keyless entry, and use that to disable the alarm before opening the (now unlocked) car.  They’d put a camera and GPS in the car to see all the data and track the use of the system.  They’d accumulate the information, periodically re-entering the system to retrieve the captured information.  The most you’d notice is a new rattle in the dash and finding your car strangely unlocked some random mornings – which you attribute to old age.

The garage is the company firewall.  The car alarm is the host IDS.  The check engine light is the SIEM.  Each suits their purpose perfectly, but each can be circumvented in the process of compromise of the overall system.

Integrity monitoring would catch these events.  It would see that the fuel line has been modified, the brake line has been modified.  It would even report the hood being opened.  It would even alert you when your oil is changed – but, since you planned that, you’ll dismiss it.

As an aside, encryption tints the windows.  No one can see the data within the car, but everyone still knows there’s a car carrying data – and, now, suspects it’s valuable.

So, as much as it’s about the data, it’s about the systems too.  Forget the data for a moment, think about those systems and the implications they have on the data we find so valuable.
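The e-mail above describes what integrity monitoring has to do: baseline every component of the system, re-check it later, and report the fuel line, the brake line and the hood as well as the planned oil change.  The following is an added example, written for this post and not code from the original e-mail or from WiseGate, of that baseline-and-compare loop over a directory tree.  The watched tree, the file names and the "approved" set (standing in for a change ticket filed ahead of the oil change) are all constructed for the example.  Two details matter in practice: a content hash alone misses the "brake line" case where the bytes are untouched but the permission bits change, so the fingerprint also records mode and owner; and a planned change is still reported, just tagged as planned rather than silenced, because a maintenance window is exactly where an attacker would hide their own change.

```python
"""Minimal file-integrity monitor: baseline, re-scan, reconcile against planned changes.

Added example, not from the original post.  It assumes a local directory tree to
watch; the sample tree below is constructed in a temp dir so the demo runs offline.
"""
import hashlib
import os
import stat
import tempfile
from dataclasses import dataclass
from pathlib import Path


@dataclass(frozen=True)
class Finding:
    path: str       # path relative to the watched root
    kind: str       # "modified", "added" or "removed"
    detail: str     # which fingerprint attributes changed (comma-separated)
    planned: bool   # True when the path was pre-approved (the scheduled "oil change")


def _fingerprint(p: Path) -> dict:
    """Content hash plus the metadata a hash alone would miss (mode, owner)."""
    st = p.lstat()
    h = hashlib.sha256()
    with p.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {
        "sha256": h.hexdigest(),
        "mode": stat.S_IMODE(st.st_mode),  # permission bits: same bytes, new bits is still a change
        "uid": st.st_uid,
        "size": st.st_size,
    }


def take_snapshot(root: Path) -> dict:
    """Fingerprint every regular file under root, keyed by relative path."""
    snap = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            snap[str(p.relative_to(root))] = _fingerprint(p)
    return snap


def diff_snapshots(baseline: dict, current: dict, approved: set) -> list:
    """Report every difference; approved paths are tagged, not suppressed."""
    findings = []
    for rel in sorted(set(baseline) | set(current)):
        if rel not in current:
            findings.append(Finding(rel, "removed", "file missing", rel in approved))
        elif rel not in baseline:
            findings.append(Finding(rel, "added", "new file", rel in approved))
        else:
            changed = [k for k in baseline[rel] if baseline[rel][k] != current[rel][k]]
            if changed:
                findings.append(Finding(rel, "modified", ",".join(changed), rel in approved))
    return findings


def unplanned(findings: list) -> list:
    """The findings that actually need a human: everything nobody scheduled."""
    return [f for f in findings if not f.planned]


def demo() -> list:
    """Constructed scenario: baseline a tiny 'car', then tamper with it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "fuel_line.conf").write_text("pressure=45\n")
        (root / "etc" / "brake_line.conf").write_text("fluid=dot4\n")
        (root / "etc" / "oil.conf").write_text("grade=5w30\nage=1y\n")
        (root / "bin" / "ignition").write_text("#!/bin/sh\nstart\n")
        os.chmod(root / "etc" / "brake_line.conf", 0o644)  # pin the mode so the demo is umask-independent
        os.chmod(root / "bin" / "ignition", 0o755)

        baseline = take_snapshot(root)

        # Planned maintenance: the oil change, filed ahead of time (same length, different bytes).
        (root / "etc" / "oil.conf").write_text("grade=5w30\nage=0d\n")
        # Unplanned: a pinhole in the fuel line, a brake line with untouched bytes but new
        # permission bits, an implant dropped into bin/, and a component removed outright.
        (root / "etc" / "fuel_line.conf").write_text("pressure=45\nleak=pinhole\n")
        os.chmod(root / "etc" / "brake_line.conf", 0o600)
        (root / "bin" / "tracker").write_text("beacon\n")
        (root / "bin" / "ignition").unlink()

        current = take_snapshot(root)
    return diff_snapshots(baseline, current, approved={"etc/oil.conf"})


if __name__ == "__main__":
    for f in demo():
        tag = "PLANNED " if f.planned else "ALERT   "
        print(f"{tag}{f.kind:<9}{f.path}  ({f.detail})")
```

Run as a script it prints five findings: the oil change tagged PLANNED, and four ALERTs for the removed ignition script, the dropped tracker, the brake line whose only change is its mode, and the fuel line whose hash and size both moved.  In a real deployment the baseline lives off-box (or is signed) so that the attacker who modifies the brake line cannot also re-baseline it, and the "approved" set is populated from the change system, not hand-edited on the host.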

Wednesday, November 26, 2014

Being Thankful

It's the season.  Sadly, it takes the season for us, particularly me, to even consider what I am thankful for.  Maybe I'm too preoccupied with the concerns of the moment, maybe I'm wrapped too much into my little part of the world to realize all the great things that happen in life.

Regardless of what it is, the very fact I'm writing about the things I'm thankful for is a step in a direction I've never gone.  Even if it's triggered by the season.

I have a lot to be thankful for.

I have a beautiful wife.  She's not just pretty on the outside, she's got a heart of gold.  She gives constantly and selflessly.  She's brilliant.  She puts up with my huge list of weaknesses.  My selfish tendencies, poor ability to communicate, fleeting desires and interests, inconsistent moods.  She celebrates my strengths, seeing parts of me that can be obscured by my weaknesses - but are really, and intentionally, there.  She is, in many ways, what I could only aspire to be.

I have an incredibly talented, sharply intelligent, witty, wise beyond his years son.  I take very little credit for him, I'm absolutely floored by how everyone around him has helped him turn into the young man he is, limited only by his own intent and desire to be what he wants to be.  He somehow finds ways to live and grow within my constraints - those same things my wife puts up with - and enjoy spending time together with his dad.

And, while it may seem strange, I am thankful for my ex.  Despite all my weaknesses, all my failings, all the challenges I create and present, she persevered for 15 years, and even after the difficulties of our separation and divorce she has managed to find the reserve of patience to allow us to maintain a peaceful relationship.  Her investment in our son is clear and apparent, the influence of her husband on our son is constructive; my son will be a better man for all the differing perspectives.

I'm healthy and fit, fortunate to have a relatively deep athletic capability, and have the opportunity to develop and use that ability and fitness doing one of the things I love: riding a bicycle.  I'm thankful that I have that opportunity, and that I have been able to turn that opportunity into once-in-a-lifetime events that will always be in my memory.

I have the world's perfect dog.  I've never been a dog person, I have an affinity for cats, but my wife brought her into our family and, somehow, this pup has found her way into my heart.  She's attentive, energetic, but peaceful and quiet when the time demands.  She is a perfect fit into our little family.  I couldn't have hoped for a more perfect first dog, and that's still not saying enough.

I'm thankful for the opportunity to make good contribution to good things, being asked to contribute, being recognized for what I have to offer, and being part of greater and growing organizations.  I am truly fortunate to be recognized for my contributions and to have those contributions lead to greater and greater involvement.

And I'm thankful for each and every one of you, every one of you who takes the time to read my thoughts and ideas, every one of you who gives me comments and feedback that leads me to more ideas and writing.

Be careful, please have a safe and happy Holiday season.

Wednesday, October 8, 2014

Motivation, Engagement, and Leadership

One of the hardest things about my job is maintaining engagement and motivation in my team.

I'm sure many of you are nodding in agreement.  People are the hardest part of any leadership job, and for people like me who rose through the technical ranks people are a whole lot different to engage than routers, switches, servers, and SANs.

I know everyone has a story about the temperamental server that, if ignored, would slowly fail but with a little TLC and a periodic check would run happily forever.  There may even be a lesson inside those experiences.

My CIO is one of those rarefied technology people who can actually give a sense of warmth, closeness, and caring.  You can feel that she sincerely cares about the people around her.  In our staff meetings, we make time to talk about our company and organizational culture; the company's social contract and our perspectives on what the contract is telling us.  A few weeks ago she shared this link with us and asked for our perspective:

Is Your Company Culture Affecting Your Employee Engagement?

I read this article several times, picking up on new ideas both from the article and from how companies are following, or not following, the principles presented.  As I thought about this article and looked back on presentations from CEOs, I remembered one of Flip Flippen's mantras for The Flippen Group: No organization can rise above the constraints of its leadership.

Employee engagement is inherently limited by the personality of company leadership.  That made me think about some of the ideas I'd heard from CEOs:

"A" people hire "A" people.  "B" people hire "C" people.

This CEO explained their perspective that "A" people were the top-level performers in the organization, the 5% doing 50% of the work.  "B" people were the 9-to-5 workers, the ones who punch the clock and get a paycheck, fulfilling and even excelling at their duties but generally not exceeding them.  "C" people were the ones barely scraping the minimums of their duties in quantity or quality, resulting in the need for additional work to complete tasks.

The CEO's view was that "A" players wanted to be surrounded by other "A" players, focused on accomplishing goals through whatever investment was needed to get there.  "B" players didn't want to be shown up, so they would hire "C" players to ensure they looked good compared to others.  "C" players were of limited to no value.

He coached his leadership team to focus on the "A" people, work to eliminate the "C" people, and limit the influence of the "B" people.

I want my leaders to be aggressive, taking business away from our competition.

This CEO expressed that his ideal leadership team was made up of highly competitive, highly aggressive leaders.  He wanted a leadership team focused on wresting away business from the competition, taking calculated risks to attack the sales positions of competition and gain favorable market share.

This leader made it a point to talk about business ethics, focusing on the need to earn and retain business based on acceptable practices, a point he recognized as necessary given the highly aggressive nature of his team as they used (almost) any means necessary to gain the upper competitive hand.

I want Type A people, self-starters who seize problems and push people to drive them to conclusion.

This CEO explained that Type A personalities were the ones that got things done.  He coached his leadership on how to be Type A, how to identify a Type A player, and how to develop and promote Type A players into leadership positions.  It was his goal to build a team full of Type A people who wouldn't pause in the pursuit of company objectives.

Type B players, by contrast, were needed to do daily work, but the lack of pure drive for accomplishment meant they were best relegated to less senior positions.  The CEO coached his leadership to help develop assertiveness and need for achievement as a requisite for advancement into leadership of the company.

So, to be honest, I'd been affected by each of these presentations.  I let myself be somewhat swept up in their (much better presented) points of view.  Organizations are all about accomplishing goals, achieving new things.  By extension, clearly things like drive, assertiveness, and aggressiveness were the traits that made that possible.

I reflected on myself and others - am I an "A" player?  Are my team "A" players?  Am I aggressive enough?  Am I Type A?

For those of you at home keeping score:
- "A" Player: Not my call, but my leadership consistently says "yes"
- Aggressive: I have a small aggressiveness pool, which I tend to draw on only when I feel backed into a corner.
- Type A: No.  I'm a Type B.  One word: reflective.

My CIO sends this article, and I start to think.  29% of workers are actively engaged.  What percentage of the population is an "A person", "Aggressive / Competitive", and "Type A" (or could coach themselves to be close)?

I bet it's less than 29%.

I bet most companies are burning the Type A wick to cover their big productivity needs; a select few companies are figuring out how to unlock the other 71%+.

The comments from those CEOs show how a leader can hold back an organization.  You can't build a team of high-drive, high-aggressive, high completion-oriented people and expect it to stick together.  Such organizations are powder kegs; the explosions can be somewhat directed to rapidly accomplish a goal, but the harm the explosions cause results in those organizations splintering and failing to produce long-term results.

Start-ups are a great example.  Sudden bang, then wholesale replacement of staff and leadership to turn rapid initial progress into long-term value.  Failure to bring in long-term, sustainable staff will reduce value to the point of either company failure or acquisition for intellectual property rather than inherent value.

No one wants to buy a company that relies solely on overworking and stressing staff to accomplish its goals.

Life is a marathon, not a sprint.  So it is, or should be, in business.  Sprints may deliver an initial victory - assuming the finish line is close enough - but the marathon runner will ultimately surpass the sprinter's accomplishments and deliver victories over and over again.

The article made me realize that the long-term success of a company really comes down to the diversity of its leadership, a diversity that must be as broad as the people who work for that leadership.  Each employee needs different treatment and handling to coax the best out of each of them, and only complete appreciation and understanding will accomplish that goal.

So what does this mean?

The value of an individual is not based on easy-to-define categories.  There's no single magic formula for a high-performance team, or a high-performance individual - because there's no single formula for a person or team who can transform to be high performance.

The magic is awareness.  Be aware of the strengths and limitations of each employee.  Be aware of what motivates each employee.  Be aware of how each employee reacts and responds to work, life, and circumstance.

Be aware of how your statements and actions influence your employees; in other words, be aware of how your leadership may be inhibiting the growth and future of your employees.

Stay engaged with your team.  Build a means to communicate.  Use that opportunity to give feedback, good and constructive.  Use each individual's strengths to help them grow, adapt to manage their vulnerabilities to limit their impact on the future.

And don't be part of their problem.  No organization can rise above the constraints of its leader, and no member of a team can rise above the constraints of their organization.

Wednesday, October 1, 2014

BMW Drivers Suck

That's right.  BMW drivers suck.  All of you.

I was riding with our normal Tuesday/Thursday group south on White Chapel Boulevard near Bob Jones Park.  Our group is pretty orderly (well, usually), and that day we were riding downright politely.  We had a nice single-file line moving up the road, with the lead rider pulling off to the left in a slow rotation.

If you're not familiar with this area, which many of you probably are not, this section of White Chapel Boulevard is a 30mph two-lane country road with 2-6" of shoulder right of the white line.  It provides access to neighborhoods north of TX114 near the south side of Lake Grapevine.  Since these neighborhoods do provide access back to the south, it's not technically dead-end, but the road is only useful as access to those neighborhoods.

It has a huge park with ballfields and soccer fields (football, for the rest of the world), playground, a dog park, and miles of lakeside hiking trails.  It has two schools along it, horse farms, and lots of open space.

In other words, a perfect road for bicyclists.  Out of the way, quiet, pretty, and lined with facilities that encourage outdoor sports and activities.

So we're riding this road, as we do every Tuesday and Thursday.  There's a mean little hill that rises out of a creek bottom perhaps a quarter mile from the elementary school.  There's always south wind in Texas, and this is a southbound section of road.  It's not a big climb (this is Texas), but it's punishing and we tend to ramp up the effort to make up for the lack of pitch or length.

I'm leading the single-file pack up this hill.  I've hit my limit for suffering, so I wheel off to the left, letting the next rider continue the push as I slide backwards relative to the line to find an open spot.

We're probably only doing 20mph or so.  We may be quick, but we're not world class.

I get about 3 wheels back when a BMW 760LI blows by me, engine roaring as the driver accelerates hard.

When I say he blew by me - and I assume it was a "he", it's a typically male car, being driven in an escalated-testosterone-level way - I mean he passed me with inches to spare.

And when I said inches, I mean precious few inches.

I have the image of the passenger mirror missing my handlebars by such a small margin that I had cognitive dissonance - I was still upright, but my conscious mind was curiously thinking I was flying through the air.  The blast of air of the 50mph car (in the aforementioned 30mph zone) probably augmented the reality.

As I say: BMW drivers suck.  All of them.

Sadly (and, perhaps, funny at the same time), many of my cycling friends are nodding their heads in agreement.  There's no doubt that the, shall we say, "more financially endowed classes" are more likely to treat vulnerable road users (like cyclists) like scum.

(Transparency: My wife and I just bought a Mercedes-Benz.  A *used* MB.  6 years old, because we can't afford a new one.  And we hope it doesn't break down because we can barely afford to fix this one.)

But that's an aside; not just a statement about BMWs, but a statement about many premium brand owners.  I'm talking about BMW owners.  They suck.


Of course not.  There's clearly at least one BMW driver that sucks.  One BMW driver that has no respect for others' lives or well-being.  One BMW driver defines all BMW drivers.

Unfortunately, like most people, cyclists tend to unfairly lump people into groups.  I've done it at least twice in this post, and I'm about to let loose with a little bit of our little "club's" prejudices.

Our perspective is different from most, which makes for interesting conversation.

I've had fewer little problems with people who are in the lower end of the socioeconomic scale.  For whatever reason, those drivers tend to make room and be in less of a rush.  This seems to cut across almost every race and creed.

There are a lot of Mexicans and Central Americans in Texas, and from a cycling perspective I'm glad.  There's no doubt that some look at me funny, but they are absolutely respectful on the roads.  When I see them working as landscaping / lawn crews, they go so far as to pause work and slow their weed-whackers, leaf blowers, and lawn mowers so I don't get a blast of clippings as I pass.  (That happened again last night - some people are awesome.)

Don't worry.  The local Caucasians make up for it - except for country folk.

I have few problems when riding around the country.  If anything, country folk are the people I enjoy riding around the most, aside from their absolute passivity when driving.  I've had farmers and ranchers sit 100' off my wheel for minutes waiting for a passing opportunity delivered on a golden platter accompanied by light from the heavens and angels singing.

That does not apply to certain groups of rednecks, however, who seem to relish the opportunity to throw objects, buzz, or belch fume-laden diesel smoke on anyone that triggers their feelings of inadequacy.

Rock haulers are downright scary.  I think drivers would agree with me.  Frac trucks aren't much better.

I have never once had a negative encounter with anyone remotely resembling a Muslim.  Never.  Every single case has been respectful.

But with that in mind, there are places where I feel more in control of my survival during rush hour than I do on Sunday mornings before church.  Between the relatively poor driving of older folk (which I'm rapidly becoming) and some "God will be PISSED if I don't run down this cyclist who could make me late to church!" mentality, certain roads can be downright dangerous.

That's right.  Practicing Christians are part of the problem.

And that brings it back full circle to our BMW driver.  BMW drivers suck.

I know it's not fair, and perhaps that's precisely the point.  If you don't like how you, or your "group", are perceived, change it.  If you don't like how you're lumped into a "group", don't do it yourself.

And, please, don't drive like an asshole.  Thanks.

Wednesday, September 24, 2014

Don't Be A Solution Without A Problem

Technology people tend to be problem solvers.  We like to get our hands dirty, getting bits like grease under our fingernails as logs flow on the screen.  Problems are self-evident, must always be solved, and solutions are simple and straight forward.

For the business, talking to Technology is a little like showing up at a 10 minute oil change place.  They expect to be done in 10 minutes.  They want to do the minimum necessary to maintain their investment; today, it's an oil change.

Instead of just doing the oil change, the shop goes "above and beyond". They check tire air pressures, add windshield washer fluid, check the spark plugs, wires, and test the coolant.  They check mileage and compare to the maintenance schedule for the car.

Then there's a ceremony of pulling out the engine air filter and cabin air filter for presentation (they're always going to be dirty), with the explanation that the engine filter can have a huge effect on engine performance and efficiency and the cabin air filter ... well ... filters the air you breathe in your car.

(What they don't tell you is that most air filters work better mid-life.)

Like my lovely wife when she gets an oil change and is presented a dirty, nasty looking air filter that was replaced with the last oil change, the business feels ignorant and frustrated, not knowing whether this is classic up-sell or something that really needs to be done.  The answer they give, regardless of what it may be, is wrong.

This is the problem.  We present solutions to problems our counterparts don't recognize or don't accept.  In other words, we present solutions to problems that don't exist.

Most businesses place emphasis on learning "business acumen".  As leaders, we're expected to be familiar with the financial drivers within the company so we make good decisions from the perspective of the bottom line.  As leaders, we are expected to know basics about human resources.  Purchasing.  Contracts.  Legal.

Unfortunately for technology and information security people, the same doesn't necessarily apply to our area of expertise; there's still (generally) a disconnect.  We are surrounded by self-proclaimed experts because they know how to run their PS3 blu-ray player, but they've only the vaguest idea why upgrading their FiOS to 50Mb/50Mb didn't make their games faster.

We end up in a position where we identify problems our counterparts don't sufficiently understand and propose solutions that mean little to those same counterparts except the feeling they [ impede business | cost too much money | create work | serve only to self-justify technology and security investment ].

I was recently on a conference call where many of my peers were talking about the problem of Sensitive Data and Data Classification.  There was a strong sense of "it's all about the data", a solid mantra every InfoSec professional should recite daily when they wake, and many felt it important that they get a program out and enforced.

The complaints, however, were that adoption was fractured, organizational involvement limited, progress slow, benefits difficult to realize.  Some companies couldn't even get people to the table to talk about the problem, let alone discuss a potential solution.

Data Classification is an intellectual topic.  Some companies don't have this problem - Intellectual Property is in their DNA; instead, they struggle with other problems.  But, even in those companies, the problem can take form; IP is lifeblood, other data types get short shrift.

It took some thinking after the call, but I realized we were missing the point.  We were providing an answer, but our peers didn't understand the question.

So let's make it practical - for everyone.

1) Start with the end in mind, but don't jump there.

The natural response: How do I control this?  What should I put in place?  How do I measure adoption and success?

Most of us intellectually, or instinctively, know the answer to the problems we face.  Although that's why many of us are in the positions we hold, going straight to the end of the road doesn't allow for anyone else to follow the path; you'll get there alone.  Start at the beginning, and help your peers reach the destination.

Remember: You can tell an executive, you can't tell an executive much.

2) The solution isn't always technical.

Sometimes the solution isn't shiny new technology - sometimes it's simple adaptation of business process.  Perhaps the solution will be to encrypt a sensitive data package, or perhaps the solution will be to eliminate the sensitive data from the package altogether - resolving the immediate risk while reducing long-term risk at the same time.  There may be low-cost and no-cost ways to mitigate risk and each must be weighed against the technical option and the potential disruption to process the technical solution may present.

This is even more important when working on control design.  Business processes typically define the control space, leaving the business process as the easiest and best place for control implementation to deal with residual risk.

3) Document for engagement.  Illustrate for ownership.

You could also say: Awareness requires action.

The best case for action on information security risks is the one that gives someone else understanding and ownership of that risk.  Otherwise, you're just trying to replace the air filter in a car when all they want is an oil change.

As frustrating as it may be, don't take the "just fix it" path.  Information Security is a system, not a check box on a form, and ownership is assuming responsibility and setting accountability, not point-and-click; "fixing the glitch" just leaves Information Security holding the bag.

Take the problem back to the individual(s) responsible for the business process and the data involved in that process.  Provide insight on the process and the risks that make the process a problem to be addressed, quantifying the likelihood and impact (any CISSPs out there?) to the extent reasonable.

Bottom Line: CISOs have a limited amount of political capital to burn pushing remediation without sponsorship, and doing so risks continued ownership of the problem and continued investment of political capital.  Information Security leaders best serve their interests through problem identification, business engagement, definition (transition) of responsibility, and partnership to resolution.

It is when the owner understands that their air filter is important, and the CISO shows the air filter truly needs replacing, that the opportunity for a strategic problem-solving partnership, and long-term resolution, can be found.

Tuesday, September 16, 2014

Suddenly, Autumn!

I've had the opportunity to live in many places across the US - Vermont, Virginia, Illinois, and now Texas.  Every place I go I hear the same thing: If you don't like the weather, wait 5 minutes and it'll change.

Summers in Texas tend to bring very consistent conditions.  Hot.  Sunny.  Convection oven breezes.  There's no "wait for it to change", it simply doesn't change for 3 months.

This year was different, with the bulk of July avoiding any real resemblance of heat.  We even set some records for lowest highs with some places reporting highs in the upper 70s.  Seriously.  In a state where July usually means LOWS in the upper 70s, frequently the low 80s.

As cyclists, we were not just enjoying this, we were living it up.  It was wonderful.

Finally, summer arrived in August, and we've been seeing more "normal" temperatures.  With that heat came my typical heat-induced physiological failure: my performance guttered.  For 3-4 weeks, I suffered through having a short wick that burned far too fast, and dealt with much longer recovery times that reduced me to a single hard ride a week - and that ride was still soft.

Demoralizing, every year.  This year, it hit right as we came into the prime of the Texas road racing season, kicked off by Hotter than Hell.  Well, at least it continued to live up to its name.

August is the build up for the grand finale of the year, the Texas State Road Race Championships, ridden on Fort Hood outside Copperas Cove.  The heat played a double-whammy on me this year, waiting until August to shred my month of preparation going into my first "real" attempt to race (and hopefully place) in the Championship.

Tuesday and Wednesday last week brought a late-blooming heat wave, setting a new high temperature record on Wednesday (101F).  I had intended to reel back the effort on my ride Tuesday so I'd be rested for the upcoming weekend of racing, but the group was spritely and I let myself get sucked into 25 miles of attacks, blistering pulls, and generally hard riding.


Cloudy skies on Thursday kept temperatures reasonable as I managed to dial back my effort in our group ride.  I took out the TT rig to make sure it was riding reliably before the second stage of the upcoming race: an individual time trial held on Saturday afternoon.

But as they say, if you don't like the weather, wait a bit.  It'll change.

And change it did.

Texas is amazing in one regard - the ability to have downright radical changes in weather in a very short period of time.  A few years ago at the Texas Time Trials the overnight countryside temperatures reached 32 degrees; we were freezing our asses off.  12 hours later, 4 in the afternoon, and it's 96 - with a 30mph south wind.

That was without fanfare.  More amazing is when fronts roll through, taking 80F to 50F in minutes.  Those tend to have a little more excitement - 60mph straight line winds, at least, as the front passes.

So this past weekend was the Coleman Chevrolet Stage Race held in Douglassville, TX, about 30 miles outside of Texarkana in the east Texas countryside.  And it was 101 on the Wednesday before.

But not this weekend.  Friday morning brought the sound of raindrops on our skylight as we awoke.  It was downright chilly as we drove to work that morning.   WOOHOO!

We were fortunate to have perfect weather conditions all weekend, with highs in the upper 70s and lows in the upper 50s or low 60s.  You couldn't ask for a better race weekend.

This coming weekend is the Texas Time Trials, where I plan to ride the 6-hour solo "upright" (non-recumbent) event.  TTT is technically not a "race" per se, although the promoters make that mistake on occasion.

That said, I have, or had, designs to chase the course record, but again Texas weather will likely get in the way: we're going to get heavy rain Saturday afternoon.  Looks like I'll be taking precautions to ensure I have a safe ride.

I have a State Road Race Championship to prepare for.

Thursday, August 14, 2014

Depression and Suicide

There has been lots of discussion about Robin Williams taking his life.  I've seen lots and lots of supportive messages - how he was an avid cyclist (winner in my book); how he was a geek who played WoW with his fans, and named his daughter after Zelda; how he had a heart of gold.

And how he hid his depression by being completely open about it, yet most of his audience was blissfully unaware of the darkness he hid inside.

Even with these positive messages there's still the comments, sometimes innocent and sometimes intentionally downright cruel, ringing ignorant and haughty perspectives about a very real, very difficult problem some people face.

Like me.  I have a deep and personal understanding.  I've been there, I've seen the darkness, I know what the pain feels like.  Everyone's circumstances are different.  I would never compare my experience with Robin's, or others, but I do appreciate them, I do understand them.  The demons I've fought, while no less real, are different.

So, I want to set a few things straight.

Depression is not a lack of confidence.  It is not dwelling on problems.  It is not allowing oneself to be swept up by events.  It is not failing to see the bright side of things.

Depression is not a choice.

Read that again: Depression is not a choice.

There is a lot yet for us to learn about what depression really *is*; by saying that, we admit we're sure we know what it's *not*.  There is a tremendous amount of research going into psychology, physiology, biochemistry, and combination fields like physiological psychology, brain chemistry, in an attempt to understand the underpinnings of depression.

For me, it's chemical; or, at least, that's what it seems like.  I can "see the storm clouds on the horizon"; I have a sense when it's going to get really dark.  I can't do anything about it, it really is like seeing the storm on the horizon and knowing it's going to get really rough for a while.  Eventually, the storm will pass.

Even harder for many people to understand is this: Suicide is not by choice.

Look at it intellectually.  Humans, as animals, have instincts designed to ensure our survival.  We may take liberties with survival, unnecessary risks, and even misjudge the likelihood of death from those risks; but when faced with clear and present mortal danger we will do everything we can to survive.

There's a reason (most of us) can't jump off a building.

Depression can dull that response, even overcoming hard-wired instinct.  It can, quite literally, turn off that will to live, replace that signal, or overwhelm it with an unendurable, indescribable pain.  The fear of death vanishes, replaced by a sense of comfort, a sense of possible peace.  The final escape from the demons that gnaw on our minds, our hearts, our very souls.

It's the salve for our wounds, one I'll feel so much better after applying.

Again: Suicide is not by choice.

There are a lot of well-intentioned people out there, with well-intended questions, hearts in the right place trying to help people in need.  Truly, these people need to be recognized, supported.  (Most of them) know what's really going on in a depressed, or suicidal, person's head, and know that it's not so simple to solve as picking up the phone.  They know that few have the will to do so, and some that do will still succumb.

So they don't judge.  They reach out, try to provide a ray of light to a soul in darkness, and hope that soul will follow the beam.

For the rest of us, it's incredibly easy to be accidentally, or purposefully, flip about this reality.  These are a sample of the statements I've read in the last few days.

"It's not that bad."  Yes.  It is.  This shows just how naive you are; you've never experienced pure, unadulterated depression, and as such don't know how heavy it truly feels.  That weight is real; it can mean we can't get out of bed, the weight real and palpable in our minds.

"You should call someone, or call me."  Sometimes innocent, when said by someone who truly wants to help; other times, said only as transference to further place blame on the victim.  So, while there is a grain of truth, you must begin to realize that we're perceiving inches as miles; once you understand that, you can begin to understand why we can't move to the other end of the couch - let alone pick up the phone resting on the end table.

"I've been sad before, too."  If you've never been on the wrong side of the depression line, you don't know what true depression feels like.  If you have, you'd never use the word "sad" to describe it.  In short, you're ignorant.  Don't ever begin to assume that you have the first idea what it's like to be truly depressed.

"Suicide is a sign of weakness."; or "You need to toughen up."  These truly piss me off.  Take every single bad experience in your life, count them up, stack them on top of each other, and experience them all simultaneously.  Then multiply by two.  Four.  Ten.  Do that, and you'll start to get a sense what being depressed is really like.  You want strength?  Survive that feeling.  Every.  Single.  Day.

Robin, I respect you.  I respect what you've done, how you ended it.  I respect everyone who ends up in a place where suicide is the only recourse.

I'm saddened that we, as a society, are failing every one of these people.  

So what can we do?

1) Stop stigmatizing depression and other mental illness.
2) Collectively learn, and accept, that depression and other mental illness are not choices.
3) Collectively learn, and accept, that the effects of depression are not choices.
4) Learn how to be "a ray of light" instead of "the scale of judgement".
5) Continue to push for greater understanding of our brains, and how our environment, physiology, chemistry, sociology, and many other factors relate to our psychological health.

As for Robin - thank you for being you.  Thank you for sharing.

Now...rest well.  Rest well and, finally, in peace.

Thursday, August 7, 2014

My Riding Philosophy

Truth be told, I'm not a terribly aggressive person, but I do have a competitive streak.

Most of my motivation comes from inside; my competition is within myself.  I don't let down, I make my mind push my body's limit, and my body push my mind's limits.  Within reason, of course: I need to survive the moment so I can be there for the next moment, but that only means I try not to crack - unless I have to.

If you've read my other posts, you've seen that I don't have a plan, I don't have a terrible amount of structure.  I ride 4 days a week, and I try to enjoy those rides.

But I *do* have a method to my riding, and that's far more important.  I have different definitions for "enjoy" depending on the day and the ride.  I have my hard rides, and

There's one thing that has been bugging me lately.  I help organize a road and (hopefully) mountain bicycle racing team.  We're not big, and we never will be, but we're having fun.

We have a mix of riders.  We have sprinters, diesels, great climbers, and maybe a couple solid GC all-rounders.  We have a bunch of riders who have a lot of headroom in their growth, but aren't doing the right things to try to unlock it.

It's obvious, at least to me, and it's frustrating.  These are simple mistakes, things that are quite easy to fix if they'd just see them and respond to them.

Since I can't seem to get them to hear me, you're all going to get the chance to read me.

Don't ride with a group that's as fast as you are.  Ride with a group that's as fast as you want to be.

I see really great riders hanging out in coffee and donut rides, or sitting in the beer and brats social ride.  Then they get dropped on a hard ride or a local race and get frustrated.

I have nothing against coffee. Or brats (if they're chicken or turkey).  Or beer!

(I do have a problem with donuts.)

I absolutely have a problem with riders who slack off by attending C-level rides then come to a B or A ride and complain about being too slow.    

Seriously.  Go away.

You're only going to be as fast as you push yourself to be, and you're not going to push yourself from a 15mph rider to a 25mph rider by sheer will with one race in the local Wednesday Night Criterium.  It's not going to happen, you're going to be sorely disappointed as you're blown off the back.

Unless you have the mental focus of a pro and can sit on a trainer and do 2-3 hour block training sessions, which I don't, the best way to do this is to find a group that is beyond your athletic abilities.

Twice a week, that's precisely what I do.  I join riders that are clearly head and shoulders above my capabilities, and I turn myself inside out trying to keep up.  Sometimes I do; sometimes I don't.  I always get a great workout, and I feel better for it.

Note: No judgment here.  If your goal is to ride 12mph to the next donut stand, please and by all means attend the local coffee and donut ride.  Just don't complain if you're dropped at the next 15mph club ride.

Attack Early.  Attack Often.

Naturally, know the rules before you do this.  Club and group rides don't always take well to the incessant attacks; others, however, are motivated by them.

Races - well, anything goes.

Remember that there's no harm in blowing up on a club or group ride; more, it's an opportunity to learn how your body handles over-exertion, what you can do when you've blown up, and how you can recover and possibly still have a chance of keeping up.

In short, blowing up is good on a group ride.  Build matches, have a bigger matchbook for when you need it.

I love riding this way, and I know a great number of people who love me, and love to hate me, for it.  I'm famous for my mile-9 attacks, my attacks that happen just as I get fully warmed up and feel a little spritely.  I'm also well-known for taking advantage of every opportunity.  I don't care for pack riding, and I really don't like pack finishes.  That means I'll use a lot of wick trying to cut the risk; whenever I have the legs, I'm looking for an opportunity.

As I watch our local races, as I look back for the pack (or my teammates) as I'm trying to make a break, I can get frustrated at the lack of response.  Attacks hurt, absolutely, but the break is where all the fun is at, and breaks don't happen without a little pain.  Go and make it happen.

As for tonight, my ride is a nice and easy pace with a great group from a local shop.  I'm still recovering from the attacks on my last ride, I'll let the other dogs play tonight.

Tuesday, July 22, 2014

Still Here...

It's been a crazy few weeks.

(Now that I look, it's been almost a month.  That tells you a little about how crazy it's been.)

Sadly, nothing interesting to write about from any of it, either; just life getting in the way.  It even got to the point that I didn't shave, neither face nor legs.  Face is ok, if anything I like the stubbly look; leg stubble, however, just makes me feel dirty.  I was much happier when I was able to take care of that.

Not sure I'm turning the corner quite yet, but I'm hopeful that I can find some time to write a bit more.  I've some ideas stewing, they'll need to get out eventually.

Of course, hope is not a method.  I'll just hope I'll be lucky instead.

I'll write more soon!

Friday, June 27, 2014

The Rules...and Life

No matter how you feel about them, The Rules have some truths about cycling, and life, worthy of consideration.  I'll admit, I don't follow all the rules, I am not a Velominatus, but I do subscribe to some of the ideals that it represents, both on the bike and off.

When you look at the real intent of the rules, you see it's really about being committed.  In cycling, there's a certain aura, even mystique, to being a roadie; reading these rules you can see that.  From color matching on the bike and color-coordination in the kit (clothes), to well-tended tan lines, using kilometers (instead of miles), and only allowing espresso and macchiato (instead of coffee or lattes).

I also suppose you're only allowed to take dainty sips from white china with your pinkie finger out while holding the tea plate in your other hand underneath.

I suppose it's ok to use plastic if you're on the team bus prepping for the next stage.
Side note, if you ride / race and don't drink coffee, 1) more power to you; and, 2) you should.

Deep down, the rules aren't just about cycling; they're about life.

As the Rules say...
...it's all about looks.  Appearance is everything in road cycling, and many roadies will quickly rate those around them by how closely others tend to their appearance; the better kept a cyclist is, the more they follow the written and unwritten rules of form and fit, the more respect they get.

Rule 7: Tan lines should be cultivated and kept razor sharp.

The ring of lighter-colored skin above the deeply-set tan earned through hundreds of hours outdoors on the bike: it's unattractive, and looks unkempt.

This can be hard, even for people like me, as kit can vary in fit, but there's also a practical reason to keep tan lines sharp: burns.  There's nothing worse than having a perfect tan line at the bottom of the shorts with a quarter-inch burn ring just above it.  It hurts, and it looks terrible.

Rule 8: Saddles, bars, and tires shall be carefully matched.

Isn't she beautiful?

I cringe whenever I see a bike with different color tires, wheels that don't match or are the wrong color for the frame or tires, bright bar tape that doesn't match the palette of the frame.  It's like seeing a car with different wheels on it; the owner simply doesn't keep up with maintenance or doesn't pay attention to details.

Rule 33: Shave your guns.

Let's be honest: there are always tells; at a bicycle ride hairy legs are one of them.  I'll be the first to admit there are some strong, talented, hairy-legged (ew) people out there; I didn't shave my legs until I finally got serious enough to buy a real bicycle, and that was only 3 years ago.  But, in general, hairy legs means quick dismissal.

Rule 53: Keep your kit clean and new.

This really speaks for itself.  Dirty clothes are dirty (and look dirty).  Clothes wear out.  Don't let your inability to maintain a wardrobe result in you looking sloppy.

Looking Pretty.

On the surface these rules can seem unfair, and even a little bit prejudiced.  By my experience, however, it's also generally true: you can judge a cycling book by its cover.

The rule really is this: always look better than you have to.  Cyclists may take this in a certain direction, setting specific rules to maintain a mystique, but in the end it's really about representing yourself in the most positive light.

Whether it's mismatched kit or a novice-level knot on a tie, never forget that appearances count.  Look good, and you'll be received well.  Look good, and you may have the opportunity to do well.

Another aspect of the rules...
...is about being a positive contributor.  Cycling, and life, is full of people who don't contribute, don't bring light to the life around them.

Rule 67: Do your time in the wind.

No cyclist likes wheelsuckers, people who use the draft solely to their benefit without making a contribution.  Cyclists especially detest wheelsuckers who do so then take off in the dwindling miles to leave behind the people who did all the work.

We all know wheelsuckers, people who only work to grab the coattails of someone else's successes.  We even know a few who have made an art of sprinting ahead of hard working people to claim completion and credit.

Earn what you receive.  Do your time in the wind.

Rule 19: Introduce yourself

Although this is a little about networking, it's a little more about joining existing social networks.  Joining an existing club ride can be very daunting, especially for a new cyclist; and even for veteran riders there's plenty of pitfalls.

Take the time to introduce yourself.  Learn who the group is, and who the primary people are - who the leaders are.  Learn the rules, and follow them.

Rule 43: Don't be a jackass

As a common group, cyclists share a common perception from others.  It's absolutely critical that we think of what our actions may mean for the greater community.  What we do could come around to haunt someone else, whether it's immediate response to something we do or adding to pent-up emotion that results in someone's action later.

This is true in all things.  Be respectful of those around us, treat people fairly - as they would want to be treated.  Earn karma, and help others pass it along.

Finally, the last bit of advice from the Rules...
...is about commitment and dedication.  Like in life, cycling will only give what you put in, and sometimes you have to put in a hell of a lot more than you're going to get out - pay it forward.

Rule 10: It never gets easier, you just go faster.

Training to get faster, to get stronger, never gets easier; in fact, the effort and regimen necessary to gain becomes greater and greater as your capability grows.  You may get out of training what you put in, but the returns decrease over time - faster by smaller and smaller increments.

You have to build a system in which to grow, and you have to dedicate to that system in order to get anything out of it.  Life never gets easier, you just gain more experience and knowledge to deal with it.

Climbing a hill is like wrestling a gorilla.  You don't stop when you get tired.  You stop when the gorilla gets tired.

Rule 9: If you're out riding in bad weather, it means you're a badass.  Period.

Riding in the cold, wind, rain, snow (or some combination) is the sign of insanity - or complete dedication.  It's not about passion, it's about commitment.
A rainy 42F in February, and we're racing

Such as it is in life.  It's not always bright skies, warm days, light winds; more often than not life throws in a challenge we must surmount.  Whether it's 100F+ temperatures, 30mph winds, or changes at home or at work that rock the boat of our lives, it's those that get out there with a smile and dedication to move forward that will ultimately gain and grow for the experience.

Rule 93: Descents are not for recovery.  Recovery Ales are for recovery.

Reaching a peak doesn't mean the end of the road (except in mountaintop finishes, but even then typically the race goes on the next day).  The race continues, and the descent off the top is no time to stop putting in the effort to stay ahead of the pace.

Success starts early, even immediately following success.  Don't relax; use each pinnacle to drive for more, perhaps higher opportunities.  There will be time to recover and prepare for the next chase, be sure to wait until that opportunity comes before starting to relax.

Rule 64: Cornering confidence increases with time and experience:
This pattern continues until it falls sharply and suddenly.

Falling on a bicycle sucks, well and truly, and nothing does more to shatter riding confidence than to have a major wreck.  Unfortunately, they happen, sometimes because of our own confidence, and sometimes because the world is a difficult place.
...and this is going to suck.

We all suffer failures, on the bike as well as the lesser parts of life.  Physical wounds from these failures take time to heal; challenging ourselves to outperform our past will help heal our mental injuries, and only through that will we begin again to gain and grow.

Rule 5: Harden the F**k up (HTFU)

Cycling is hard.  You're in a pack, halfway up a climb.  45 miles in, 17 to go.  The pace has been brutal, and even now the tempo is painful as you work the sustained 8% grade.  Your legs are screaming so loud you can't hear your own breathing over the sound.

Through the fog...you see it.  The head flick.  The glance over the shoulder.  Then it happens, someone attacks.  A moment passes, then someone chases.  From within the oxygen-deprived, heart-pounding, lactic acid-fueled haze, the voice: chase, or lose.

This is absolutely not about "getting over it."  You don't get over it, but you do have to bear it.

Opportunities don't only come when you're prepared to chase them.  Sometimes you have to grit your teeth and work through the pain of failure, loss, and hard work to grab on to something truly valuable.

Life is hard.  You just need to be harder.

But, really, it comes down to one thing in the end:

It doesn't matter how fast you go...you must never give up.

Progress is progress.  I've hit the wall so hard I could barely balance on the bike for how slow I was moving; many of us have.  We just have to keep going and we'll eventually get there - wherever there may be.

And that's how it is.  You don't have to chase every break, you don't have to always be at your best.  You don't always have to be primped and polished, and you don't always have to have a smile on your face.

You do have to keep moving.  It's only through that effort that you'll find yourself in a different, hopefully better place.

And remember Rule 4: It's all about the bike.

Wednesday, June 25, 2014

Focus on Fundamentals

Ok.  Let's face it.  The fundamentals are hard.  They're also boring.

They're also fundamental; they're the foundation.  Nothing can survive (long) without a foundation, and success will ultimately be limited by the limitations of the foundation on which that success is built.

In bicycling, our foundation is called the "base".  Base is earned through long miles in the saddle riding at a consistent and moderate pace, repeated over and over.  The typical training plan has 2-3 months of this stuff, mile after mind-numbing mile, as much as 3-4 days a week, with length based on how long races will be later in the year.  60 mile races?  4+ hours on the bike getting in base.

So, yeah, it's hard, and it's boring.

Bicycling, and Information Security, are both like building a pyramid.  If you want to go faster, ride longer, you need to build a wider base first.  You need a solid foundation, one that will support you when the time comes to drive a break 70 miles into a 100 mile race.

Information Security is the same.  If you want to deliver better protection, higher capability, you need to ensure you have a complete and supporting foundation - fundamentals.  If there's cracks or missing sections, there's room for the whole system to collapse under the weight of the stacked stones.

That raises the (obvious) question: what is fundamental to information security?  You have to have Anti-Malware.  And a Firewall.  Mix in some Intrusion Detection, log analysis.

Fact: none of those are fundamental.

Seriously.  You don't need this.

Put down the pitchforks for a moment.  Use of technologies like these is absolutely required; they just don't make up the foundation of a solid information security program.

So what does?

The National Institute of Standards and Technology (NIST) has put together some excellent documentation about managing information technology and information security.  One of their recent products is the Cybersecurity Framework, a product that provides a clear and executable map to measuring information security risk in a practical and illustrative way.

One of the key components of NIST's model is the list of core functions: Identify, Protect, Detect, Respond, Recover.

The Sequence of Core Functions - Each Drives the Next

These are sequential risk-reduction, information security management functions.  Investment in any one function only mitigates risk from that point to the right, so investment is best made as far to the left as possible.  That means your foundation is the leftmost item: Identify.

You can only act on what you've delivered.

Stealing liberally from NIST's documentation, this is what Identify means:

Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities

Understanding is fundamental to information security; the level of understanding is the ceiling for any information security program.  And understanding is hard; we always want to fast forward past it to get on to the sexy part of information security (if such a thing exists).

But you cannot secure that which you do not understand.  So let's dive in:

Understand Business Strategy

Information Security cannot operate without alignment with business purpose and strategy.  Use this knowledge to capture (or develop) a list of Threats that apply to the business model and the vulnerabilities of the business based on its line of work, then cross the two to find enterprise-class risks.  It is here that technology and information risks can be latched.

This is where we'd capture "Risk Tolerance", and a good place for a short soap box.  Risk tolerance should be a dying term as it's typically used in place of "willing ignorance": a willingness to accept risk due to perception the risks can't manifest (i.e., don't apply).  Risk tolerance should be a business case, financial-driven decision based on potential losses and impact of manifest risk.  But I digress.

This is where the information security program will take root and where it'll find reliance and support as it delivers business cases for risk reduction; the Why of Information Security.

Establish Management Intent

Utilize the knowledge generated in understanding the business strategy to establish over-arching management intent.  This starts with the Security Policy; the policies, procedures, and standards designed to deliver controls that orient to the risks the organization faces. 

The quickest, easiest way to establish intent is to select a control framework and write it into Policy and Procedure.  This becomes a simple process of selecting controls that relate to the risk posture of the company, setting standards within those controls according to the level of risk, and establishing metrics and measurements to enable assessment of compliance to controls.

Intent should also integrate Information Security into other organizations, enabling upstream and downstream delivery of controls throughout the organization.  Information Security has cross-organizational concerns in Vendor Management, Human Resources Management, among others.

The intent of Intent is to establish the rules for how security will operate, aligned to the risks and strategies of the company; the How of Information Security.

Capture Inventory

This isn't a real Datacenter.

This is where the rubber meets the road in the statement "you cannot secure that which you do not understand."  In practical terms, this inventory is the list of stuff that needs to be protected.  There's a lot to think about, but they fall into a few broad categories with the depth of detail driving the maturity of downstream controls.  This is the "What" of Information Security.

Design and Architecture Assets: Network and system diagrams, the "as-built" for the technology system as a whole.

Physical Assets:  These are the traditional technology devices with a few added items.  Servers, laptops, mobile devices, printers, network equipment, security equipment.  Each should be uniquely identified via some electronic means, and each should have pertinent information such as responsible party, purpose, and similar.

Service Assets: These are the delivered technologies supporting business functions, such as the HRMS, FMS, ERP, along with smaller services such as Reporting, Project Management, and other solutions.  These should have owning business organizations and/or responsible individuals associated to each.

Integration Assets: Flow diagrams showing the movement of information between services (information systems) and the relationships of business processes to information flow.

Software Assets: The list of approved operating systems and software packages utilized in the environment.

Information Assets: The types of information utilized and where they are intended to be located with owning business organization and/or responsible individuals.

Identity Assets: The complete list of individuals who should have some level of access to the technology systems with information on their role and area of responsibilities.

Access Control Assets: The complete list of defined access credentials for each service and system, and a complete list of the roles and privileges provided within each.

(It's hopeful, and hopefully likely, that the Identity and Access assets are already linked; else, this is low hanging fruit.  Get it done.)

Threats and Vulnerabilities: The last two are a little less palpable but no less important, the list of Threats and Vulnerabilities within the organization.  These are necessary to create a risk profile for the assets inventoried above, enabling decisions on how to deliver protection, detection, response, and recovery in appropriate measure.

Threat Inventory: A list of known potential sources of impact to the organization's technology systems.  This list should be based on the inventory generated above; i.e., threats that are specific to the technologies and services being consumed; and based on how the business is operated, linking threats to parties that may be interested in disrupting the services provided, such as organized crime for retail.

Vulnerability Inventory: A list of known vulnerabilities within the environment.  This should be developed by both technology (scanning) and research, and contain vulnerabilities that impact information security and the application of controls over technology such as environmental and human influences.
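The inventory categories above are only useful once they are linked to one another: a credential should map to an identity, an asset to a responsible party, and a vulnerability to an asset that hosts a service some threat actually targets.  The following is an added example, not code from the original post or from NIST, showing one way to model that inventory and surface the gaps the text calls out (unlinked identity and access assets, missing owners, and the threat/vulnerability cross that yields a risk profile).  All class and function names are this example's own, and every record in it is constructed sample data, including the placeholder vulnerability ids.

```python
# Added example: a minimal "Identify" inventory model and gap checks.
# Names and all records are constructed for illustration; nothing here is
# NIST's or any product's schema.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class PhysicalAsset:
    asset_id: str
    owner: Optional[str]                  # responsible party; None = gap in inventory
    services: list = field(default_factory=list)   # service names hosted here


@dataclass
class Service:
    name: str
    owner: Optional[str]                  # owning business organization


@dataclass
class Identity:
    user_id: str
    role: str


@dataclass
class Credential:
    cred_id: str
    service: str
    principal: str                        # should match an Identity.user_id
    privileges: list


@dataclass
class Vulnerability:
    vuln_id: str
    affects: list                         # asset ids
    severity: str


@dataclass
class Threat:
    name: str
    targets: list                         # service names of interest to this threat


# ---- constructed sample inventory ----
IDENTITIES = [Identity("alice", "finance-analyst"), Identity("bob", "sysadmin")]
CREDENTIALS = [
    Credential("c1", "ERP", "alice", ["read"]),
    Credential("c2", "ERP", "svc_batch", ["admin"]),     # principal has no identity record
    Credential("c3", "Reporting", "bob", ["admin"]),
]
ASSETS = [
    PhysicalAsset("srv-01", "finance", ["ERP"]),
    PhysicalAsset("srv-02", None, ["Reporting"]),        # no responsible party recorded
]
SERVICES = [Service("ERP", "finance"), Service("Reporting", None)]
VULNS = [
    Vulnerability("VULN-EXAMPLE-1", ["srv-01"], "high"),   # placeholder id, constructed
    Vulnerability("VULN-EXAMPLE-2", ["srv-02"], "medium"),
]
THREATS = [Threat("payment fraud by organized crime", ["ERP"])]


def unlinked_credentials(creds, identities):
    """Credentials whose principal is absent from the identity inventory
    (the identity/access link the post calls low-hanging fruit)."""
    known = {i.user_id for i in identities}
    return [c.cred_id for c in creds if c.principal not in known]


def unowned(assets, services):
    """Physical and service assets with no responsible party recorded."""
    return ([a.asset_id for a in assets if a.owner is None]
            + [s.name for s in services if s.owner is None])


def orphan_vulnerabilities(assets, vulns):
    """Vulnerabilities that reference an asset missing from the inventory."""
    known = {a.asset_id for a in assets}
    return [v.vuln_id for v in vulns if any(a not in known for a in v.affects)]


def risk_register(assets, vulns, threats):
    """Cross the vulnerability and threat inventories through the
    asset -> service relationship: a vulnerability on an asset that hosts a
    service a threat targets becomes a (asset, vuln, threat, severity) entry."""
    by_id = {a.asset_id: a for a in assets}
    register = []
    for v in vulns:
        for asset_id in v.affects:
            asset = by_id.get(asset_id)
            if asset is None:
                continue                  # reported separately by orphan_vulnerabilities
            for t in threats:
                if set(t.targets) & set(asset.services):
                    register.append((asset_id, v.vuln_id, t.name, v.severity))
    return register


if __name__ == "__main__":
    print("credentials without identity:", unlinked_credentials(CREDENTIALS, IDENTITIES))
    print("assets without owner:", unowned(ASSETS, SERVICES))
    print("vulns on unknown assets:", orphan_vulnerabilities(ASSETS, VULNS))
    for row in risk_register(ASSETS, VULNS, THREATS):
        print("risk:", row)
```

On the sample data this reports the `svc_batch` credential as having no identity behind it, `srv-02` and `Reporting` as having no owner, and a single risk entry for `srv-01`, where a high-severity vulnerability sits on the host running the ERP that the threat targets.  The medium vulnerability on `srv-02` produces no risk entry, not because it is harmless but because no threat in the inventory targets Reporting, which is exactly the kind of question the Identify function is meant to raise before money is spent further to the right.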

It is all about the fundamentals; it's not possible to implement an information security program without having a strong grasp on what needs to be secured, why it needs to be secured, and how it should be secured.  The Identification process provides the knowledge needed to define the necessary technical and procedural mechanisms of information security.

Sorry.  Obligatory.

Without having a solid foundation, vulnerability manifests in cracks, eventually manifesting as failure in controls and, possibly, failure in the information security program.

Sometimes in spectacular fashion.  The pyramid comes crashing down because of a single failed stone.

The investment in time in fundamentals will lead to a more successful program.  Take the time to figure out the gaps, act on them, and the program will be better for it.