Wednesday, May 28, 2014

Fatigue vs. Burnout

I'm tired.

This past Saturday morning, like many Saturdays here in Texas, presented the opportunity to ride in a bicycle rally.  These are organized, pay-to-ride events with rest stops, support vehicles, and law enforcement protection, put on to benefit a non-profit or another organization beneficial to society.

(They're also called T-Shirt Rides because they always give away T-Shirts printed with the event name, logo, and sponsors.  I have a ton of T-Shirts from these events.)

Not to say I ever stop on these rides, nor do most of the people I ride with.  For us, it's a race, but lacking prizes or any sanctioning.  A somewhat dangerous, disorganized race.

And I was tired.  My legs felt like blocks, my heart rate would skyrocket at every moderate effort, and my stomach would turn if I burned the wick too long.

To explain, I have to go back a few more days.  Last Saturday I raced in two circuit races (which I didn't win), and by the end of the second race my legs were shot.  Not wise enough to rest, I rode trails on Sunday, another 2 hours on the bike.  Still not resting, I did hill repeats on Monday, which are about as fun as they sound.

(If you're from a hilly / mountainous area and have been to North Texas, you're chuckling at the phrase "Hill Repeats".  Trust me, you'd not be chuckling after you did a few of them with me, despite the short length of the climb.)

After that my legs were really screaming.  I knew I was in trouble, so I took two days off, then went on a group ride on Thursday planning to take it easy.  Or not, as I once again poured what little I had left out on the pedals.  Wisely, I rested Friday.

So we're at the local rally on a perfect Saturday morning, I'm lined up at the front with 1000+ riders behind me.  Most are recreational riders, but there's a small spattering of ridiculously fast racers.  I felt the twinge of lingering fatigue in my legs, but hoped it would burn off after warming up.

Sadly, that wasn't to be the case.  I was on the ropes within 10 miles and never really was able to get myself put together.  I was a non-factor at the end of the ride.

So, yeah.  I'm tired.  I still want to ride, but I just have little more I can give.

Once I've hit this point, where deep fatigue sets in, I have to lay off the bike for a bit.  It's like all things.  Once we hit our limit, we have to dial it back or risk something more than simple fatigue.  We risk getting sick; getting moody and irritable.

We risk burnout.

Fatigue is a funny thing.  It's not necessarily tired in a physical, or even mental sense.  It can be the wearing down of interest - we can become tired of watching the same TV show, eating the same food all the time, or playing the same games.  We get tired of our commutes, and we certainly get tired of our jobs.

We can burn out on all of those, fun or not.  I try to avoid burning out on bicycling; while I'm not always successful, I've found ways to help reduce the chances.

Know my limits.
I listen to my body and mind, I try to hear the signals when I'm getting worn down.  It could be the immediate acid feel in my legs when I push, or the irritation at little things while on the bike.  If I'm too tired to perform at the level I want, frustration can build.

It need not be my well being, but how the environment affects me: heat takes away my mental focus - motivation - at an incredible rate.  Lack of sleep has a profound impact on my desire to ride in general (and is the primary reason I have stopped riding in 24 hour races).  I am very sensitive to these limits about myself and strive to stay within them.

Mix it up.
About a year ago I hit the motivation wall.  I had zero interest in the bike.  I would ride, come back frustrated and disinterested.  I'd take a week off, but it wouldn't change.  2 weeks off.  3 weeks off.

I dusted off my old mountain bike and did a trail ride.  And absolutely stunk.  So I did it again.  And stunk.  Again, and stunk, but a little less.  I started to ride again.

I find new and different things to do.  New routes, new groups.  New intervals, new riding styles.  I don't get stuck in a rut; I take advantage of different opportunities, I thrive on them, and I create diversity when I need something completely different.

Take breaks.
No matter how much I mix it up, there will be times when I simply lack the fortitude to ride another mile.  This is really hard for me, I have very poor throttle control when I'm on the bike; but, since I know that, I know a break for me is completely off the bike or scheduling rides with people who are much slower than I am.

I've realized I'm at my limit now, so I'm taking a full 4 days off before my next event.

It helps to remember that you only get faster when you take the time to recover.

Have purpose.  (Or) Set (good) goals.
Motivation comes from having a reason to do what you're doing.  There is only one reason someone would ride their bicycle in North Texas in July afternoon 110F heat: they have something they are trying to accomplish.

For me, it's not some grandiose, over-the-top goal (although some would disagree).  I have a simple goal: podium in the 6 hour race this weekend (see? not grandiose).  My riding goals typically range week-to-week ("win" this week's rally), punctuated with targeted events (win a specific race).  Last year at this time my mid-range goal was to place in the Hotter than Hell 35+ 4/5 race and my long-range goal was to upgrade to Category 3.

I find myself in no-man's land now as I accomplished both of those goals and haven't committed to a new long-range goal.  I'm happy with that, which is why I suggested goals be "Good".

Change what I can, accept what I cannot.
The Serenity Prayer.

There are plenty of things that present opportunities for stress.  Rain when I want to do trails, the weekend before a major trail event.  Heavy traffic.  Rough road surfaces.  Flat tires.  Summertime heat.

Or maybe my own limitations.  Tired legs on a rally day.  Getting dropped by faster riders.

I know what I can change and decide if I'm going to; and I know what I can't change and I work around it or let it go.   I strive to prevent stress from becoming frustration.

Have FUN.
This is the perfect guide to end on.  I sincerely believe that everything I do should be fun, even when it's work.  Make no mistake.  I work on the bike, I work as hard on the bike as I do at home, at work, and every other place.

I ride because I enjoy riding.  I work because I enjoy working and the work I do.  Whether it's driving the pace in an aggressive group, or a relaxing pace on a sunny morning with my son, I'm having fun.  The moment it stops being fun is the moment I stop, just as I did when I lost motivation in early 2013.

So, I'm tired...

...but I'm taking a break, my legs slowly recovering.  I've set goals for this weekend and sincerely believe I can accomplish them.

And I'm just not going to worry about all the other stuff that really doesn't matter.  Soon enough, it'll just be me and my bike.

Soon enough.

Friday, May 23, 2014

Lessons from the Dirt

I'm a roadie.

I typically ride a road bicycle, the kind everyone knows; the kind with curly handlebars, the kind ridden by (stereotypically - and fortunately changing) colorful Lycra-wearing skinny guys wearing helmets and reflective sunglasses.

I also happen to be a skinny guy, and I am frequently found in colorful (red, white, and blue) kit, wearing a well-ventilated helmet and reflective sunglasses.  Virtually indistinguishable from the masses, at least for the outsider.  

All you cyclists look alike!
What may come as a surprise to many is that I also get dirty: I ride the trails.  

Even more surprising:  I like to ride fast on the trails.  I like to push the limits.

There's so much to love.  I love the grinding crunch tires make grabbing onto a loose trail as weight transitions from side to side through fast sweepers; the thrill of feeling the rear end slide slightly in a corner, suddenly hooking up with a hard push of a pedal to thrust the bike forward; feeling trees tap the back of my shoulder as I twist my body around them to squeak every inch of speed.

I can't do this...but I'd love to.

Clearly I take a fair amount of risk.  It's calculated risk, trained risk, but risk all the same.  I know nature will win if I come into contact with her.  I know which trees I've hit but you'd never be able to tell.

We, as humans, are really good at recognizing risk when it's up close and personal.  We'll smoke a cigarette or eat a double cheeseburger and fries, but we're ready to run like hell when something moves in the bushes behind us.

Make no mistake.  I recognize the risk of every treegate, every rock garden; I recognize the risk in a visceral way, and I've bailed on even simple terrain features because my confidence (risk tolerance) plummeted.

I manage my risk.  I get good, grippy tires.  I have a well set-up, full suspension mountain bike.  I wear full-finger gloves.  I wear a helmet.  I wear (sun)glasses.  I maintain my bicycle, and I check over all my equipment before every ride.

I don't over-ride new trails.  (Usually.)

We all do this.  We manage risk every day.  I just happen to do it as a job: I manage information security risk.

It's hard, and my trail riding is a great example of why.

When presented a choice laden with risky options, the sense of control over that choice can give a sense of control over the results.  In other words, by deciding to take a risk, I'm also in control of whether the risk will manifest.

I decide to aggressively ride trails, so I'm not as likely to wreck.  Worse, while the precautions I take may give some mitigation, I over-estimate their effect.

What is more challenging is that risk that is not clear and present is harder for us to respond to.  As I ride along a cliff edge I'm extremely cautious and ride slowly - the risk is visceral, and has a visceral response.  As I ride on a trail that could have cliffsides on it, I ride faster.  Until I see the cliff before me, I'm less likely to consider the risk I'm creating by taking less care to manage my speed and control.

It's even worse with things like eating unhealthy food.  The effect of eating a fat-laden cheeseburger is far off, occurs incrementally, and is countered by the initial benefit the burger provides.
Sorry, Sonic, but this turns my stomach.

Intellectually, this is incredibly frustrating.  We're fighting the built-in human instinct to worry about what matters now as we try to illustrate the risk of the future.  Many executives are watching dollars; it's a struggle to make an investment in something that doesn't address an immediate concern.  We even have a term for people who can do this: visionary.  A great example is employee pay in retail; paying employees better results in a cleaner, better organized store, with better customer service and better sales outcomes.

I'm a loyal Costco customer (and a former Costco employee).  Costco treats its employees very well, and is exceptionally profitable.  I simply cannot understand why other companies don't make these investments.

I digress slightly to make a point.  If such a decision that drives directly to the bottom line is resisted, our plight in Information Security is tenfold.  We're not adding to the top line like Costco, we're preventing loss at the bottom line.

Our world plays out like this:  We create elaborate risk charts.  We budget for contingency action after an event.  We document impact of fines, legal expenses.  We estimate collateral damage to brand.  We get a sympathetic audience, but we see only incremental change.

Then it happens.  Target.  Epsilon.  South Carolina.  Risk manifests, and everyone wants to know "can it happen to us?"  This is the Nuclear Power Plant of risk, one melts down and suddenly everyone wants to shut down their local plant or move away.  If you're at one of these, or other, organizations, your security budget exploded.  For the rest of us, nod your head with me: I've used these events to illustrate the information security risk we take.

We made the risk real.

So I hit the tree.  Why?  Did the front tire wash out?  Did the suspension rebound too quickly?  Too slowly?  Not enough damper?  We present technical solutions to drive risk out of the system.

Or was I simply riding too fast?  The human is the root of most of our risk, whether it's not knowing there's a proverbial cliff behind a link in their e-mail, or cutting corners in the implementation or use of technology preventing them from seeing the tree before we hit it.

As for me, I was probably just riding too fast.  I'll learn my lesson until I've recovered, then I'll do it all over again.

(I'm sure there's a few of you that didn't feel a need to ask for investment after a major security event.  I would love to hear your stories - how did you get the support you needed to be fully invested in information security without having the driver of manifest risk across the street?)

Tuesday, May 20, 2014

Winning...or Not

This may come as a surprise, but I don't watch televised bicycle racing.  (That's a story for another time.)

Needless to say, I haven't been watching the 2014 Amgen Tour of California; heck, I was only vaguely aware that it was happening.  (I saw it on USA Cycling's website - I didn't qualify to register.  Surprise.)  But, interestingly, I know exactly how this guy feels:

Credit: The Daily Mail
No, he didn't win.  Neither did I.

You see, our team raced this past weekend, a full day of racing at Texas Motor Speedway.  We fielded the largest team we've ever had at a single event, 11 racers, covering every single race save one.  (That's when we ate lunch.)

Despite the large team, overwhelming odds in a couple events, and some strong and very successful racers, we didn't place very well.  Clearly, this wasn't our weekend.

Although many of my teammates had good reasons for their placement, I did not.  I had registered for the Masters 40+ race, a category filled to the brim with talent with accents from maturing Pro/1/2 racers that are still ridiculously fast and quite competitive in their skill category.

This race was no different.  Ridiculously fast, smooth as silk, flowing like water.  25.3mph average on a circuit race with 2 tight corners.  It was quite calm, no major attacks as the storm of the faster category was to follow our race; most of the faster riders were saving their matches for the big purse in the next race.  I was able to easily move around the pack, taking good positions so in the event an attack did happen I could bridge up and try to play with the big boys.

The time dwindles away, I'm watching the officials count down the laps, carefully counting the fingers as we roll by.  Three fingers.  Then two.

We pass the line, officials holding up one finger.  No bell, strange.  I'm in the middle of the pack.  I figure I just can't hear it over the whoosh of the headwind blowing down the front straight and the sound of fast-moving carbon wheels over smooth asphalt.

Halfway through the lap, an escapee!  I move up the pack, looking to see if I can catch a wheel to bridge up and evaluating if the racer stands a chance.  He's slowly walking away, looks good.

Another escapee!  He came from the left, I was on the right and didn't have an opening.  I move to the front 1/4 and take an aggressive position with open air in front of me, watching the duo.  The second rider looks a bit worn, catching the leader as they head into the second tight corner on the course.  The pack accelerates, then slows to take the tight corner.

I take a wide line, braving open air to try to keep my speed up.  I exit the corner with a big speed advantage, stand and launch from the pack.  A couple racers try to catch the wheel, but the delta was big enough that they fell back into the rapidly accelerating pack.

I make the catch.  The second racer is already falling off, the first escapee is pulling strong.  I take his wheel and find the draft to recover for a moment.  We're in the last, long sweeping corner leading to the start finish, it opens up to the front straight.  I see the start-finish.

Wait...wait...GO.  I launch, sprinting toward the line.  I break away from the other escaping rider and make a huge gap *ding* on the chasing, still-accelerating *ding* pack, crossing the line with a large gap *ding* on the pack.


I cross the line as the signal from my ears is finally interpreted by my oxygen-deprived brain.

*DING* Is that the bell?

What I said next I cannot put here.  I spend the (real) last lap on the rivets, cursing myself violently for such a mistake.  My mood is colored by it for the rest of the day, brightened only slightly by a 10th place finish in a race that afternoon.

So, when I learn that Eloy Teruel did the exact same thing, I'm heartened.  A little.  A little proof that bone-headed mistakes happen to everyone, from amateurs like me to pros like Eloy.

Thank you, Eloy.  I'd never heard of you before, but, today, you're my hero.

(Until I make another bone-headed mistake.)

Friday, May 16, 2014

Avoiding Hyperbole

Yes.  I heard about Target.

It happens every time.  Something big happens.  The news outlets turn on the bullhorn.  Affected constituents (customers) drive the furor.  Punditry on the event and effects.

Someone asks me about it on our group ride, expecting a reaction in line with what they've seen in the news.  Hyperbole, exaggeration, sky-is-falling.

(Heartbleed was probably a rare understatement of the risks.)

As an information security professional, I seize these moments to drive attention to the risks every company has when it dabbles in technology.  These moments provide a unique opportunity to add a little more darkness, a little more creaking wood and whistling wind to resident fears.

"Could it happen to us?"  Yes.  (Intellectually inaccurate, but too deep for the moment.)

"What should we do about it?"  I'm glad you asked.

This is where the conversation would typically flow toward talking about dollars, gee-whiz technologies with brilliantly flashing LEDs, all resulting in the constant whirr of user hard drives, CPUs sweating as cooling fans desperately try to overcome the heat of constant workload.

But that's not where this conversation goes.  Yes, I need money for my security program.  Everyone does.  I have another avenue I need to pursue first.

Security in our technological environment is like controlling a swimming pool.  We work very hard to maintain it, but we're constantly struggling with algae, pH levels, crap dropping from trees or deposited by wind.  Let alone the people who use it; they're the worst thing that a pool could ever experience.  Sweaty, suntan-lotion covered, beer (margarita!) drinking, swimmy-wearing people.

We put up fences to keep undesirable people out.  We have water surface alarms to warn us when the kid, the dog, (or a stranger) tries to take a dip without our knowledge.  We even have heaters and coolers.  Or wondrous, LED-filled technologies; automated pool management systems that keep water temperature just so, keep pH in range, automatically turn on lights; it even alerts me when anything is out of line.

Of course, if I can't do the fundamentals, if I can't keep water levels up, if I can't keep the chlorine basket filled, if I can't consistently empty the filter, I'll eventually turn off the pool automation alerts.

Sound familiar?

I want consistency in controls.  I control where the refill water comes from, the same way every time.  I control who can use my pool, and what they have to do before entering.  And, no, there's just no peeing in my pool.  Even in the shallow end.

Security is like that swimming pool.  Simply put, your pool is only as good as the worst part of it.  Try leaving a section of algae in your pool next time, see how that works for you.

Verizon has great charts describing how breaches occur, and those datapoints are incredibly important.  Knowing where the vulnerability manifests, critically important.  Just don't turn them into a game of whack-a-mole.

The real lesson from Target is that controls must be consistent in order to be effective.  Leave aside all the discussion about ignored warnings, missed opportunities; ask yourself these questions:

Why was a critical, protected infrastructure accessible from common, low(er) security networks?

Why was a third party, any third party, connected into a company network without documentation; worse, lacking separation from general corporate systems, let alone critical infrastructure?

What are the core security competencies, the core controls in alignment with business risk necessary to protect the operations of the company?

And, root cause for Target: Why wasn't there a single point of authority over all information security to serve as the foundation for application of standards and compliance?

Target's CEO's departure is the final nail, and with due respect a righteous kill.  Management never had intent to implement solid security controls, and as such never named an individual to have ultimate responsibility for those controls.

There's my message.  No, Target can't happen here.  You, Mr(s). Executive, express management intent to maintain security - which is why I'm here.  I intend, first and foremost, to be solid in the basics; to do the basics consistently flawlessly.  Your intent to support that mission is imperative.  We'll talk more when, with your support, I've driven the risk out of the fundamentals.

And, yes, I'll need money to do it.  We need to know there isn't a peeing section in our pool.

Thursday, May 15, 2014

Rain and Change

We got some rain.

We need it.  I really shouldn't complain.  We've been in the midst of a worsening drought, our regional lakes are 10' or more below pool.  The region is in varying levels of mandatory water conservation, and many counties have burn bans due to tinder-dry conditions.

So, I shouldn't complain.

One of the hardest things about road cycling is the monotony of the road itself.  If you ride alone, you're left to your thoughts.  Some days I can keep them pushed back, I can enjoy the bike, and enjoy the ride (or enjoy the suffering I had planned); other days life's daily trials, the stress of living, dominates my consciousness and it's all I can do not to turn around and go home.

I don't ride road solo much anymore.  I find I really can't, I find that the churning in my head leaves little will for burning in my legs or gasping in my lungs, let alone the buzz of traffic or the bumping of typical country Texas roads (still with the occasional traffic).  As summer comes, the heat will serve to further drain away desire.

I shouldn't complain.

Flashback - a cold February 2013, and I had no desire to ride.  None.  I would come up with reasons to skip rides, none good but they always worked.  Without the outlet, I was a strain on my family, my coworkers.  One day, on a whim, I wheel out my old Trek hardtail and hit a local trail.  It hurt.  A lot.  And despite skipping every remotely technical section, I couldn't complete the bunny hill trail without stopping.  I sucked.

But I was hooked.  I beat myself to a pulp, pushed my capabilities to the limit.  A month later I'm in my local bicycle shop (LBS) buying a full suspension Rocky Mountain (because we all know it's about the equipment).  Another two months and I'm riding in a 4-man team at 24 Hours in the Canyon in Palo Duro Canyon.  I was over my head, but my goodness I was having fun.  In between (and despite) tree sideswipes, washouts, crashes, and bruises, I was having fun.

Today, I shouldn't complain about getting rain.  But I'm thinking about it.

Sometimes, it's "when the going gets tough, the tough get going."  That applies so very well to training; if you don't commit to the challenge, you'll never reap the rewards.  You can only get stronger by doing what you're weak at.  Other times, it's about change; maybe you need to stop being a road bicycle primadonna and get a little dirty on the MTB.

So while I am in need of change, we got rain.  I'm trying not to complain, but the trails are closed.

It's almost a metaphor for life.  We become settled, consistent, we train ourselves to live expertly, but only within the confines of the world we've carved out for ourselves.  We become comfortable; but familiarity can be restless and even unhappy.  When it rains, we look for change but can't find a path that is open for us.

It's that very rain that allows those paths to exist in the first place.  I'm not going to complain.  The sun is out.  The sky is clear, springlike blue.  There's a breeze through the leaves.  In time, a trail will open, and I'll seize the opportunity for change.  I can wait for that new trail.

For now, I think I'll grab my bicycle and hit the road.

Tuesday, May 13, 2014

On Intent

My first blog, my first post.

I've intended to start a blog for a long time, but I always found a way or reason not to do it.  I can be easily derailed; the last stutter before I started this blog was whether I would compose under a pseudonym or my real name.  I believe what I say, and as such intend to be open and public about my thoughts; yet, as you can see, I decided not to follow my intent and have gone somewhat incognito.

Before that it was the decision which blog service to use.  I intend to use the easiest to access, easiest to use service; instead, I found that Google had a blog engine and just ran with that.  Naturally, that means if you hunt around enough on Google+, you'll find me.

I intend to also make everything easy, which by my nature makes it all difficult at the same time.

I guess I live intentionally; to coin a phrase.  Sometimes I live intentionally to do what I intend; other times I intend to not do what I intended, break the mold and live outside what I would expect of myself.  All that means is that when I get outside the box I'm still walking familiar paths.  I'm still in the box.

Much of my life is spent in the idea of "intent".  The work I do can be described as "setting intent", the concept that I describe the attainment of certain, high level organizational goals, guiding the activities, means, and methods in accomplishing those goals.

I also measure (read: police) our attainment of those goals, but that's a conversation for another time.

The idea of organizational intent, leadership intent, is a powerful one.  Simple statements made in a single breath by someone with positional authority become work responsibilities for a team of staff.  Intent sets the stage for everything; it puts the focus on what is important, and de-emphasizes what isn't.  It tells us where we're going, why we're going, what we're going to, and how we're getting there.

Who: those dedicated to setting and achieving that intent.  Are you in?

Intent is powerful.  It provides meaning, purpose, it gives definition to what we do and understanding to why we do it.  And it applies everywhere.  I am an avid bicyclist; I intend to be faster than I am today, stronger than I am today.  That intent drives me, sometimes even consuming me.  I am unwilling to accept my limitations.  I am unwilling to live within the confines of my current abilities.  I intend to break through; get a few more seconds on the rivets before I pop (and then a few more); get a few more watts out of tired legs; stay on the wheel of that competitive racer for just a few more pedal strokes.

Intent is powerful.  It's also dangerous.

All too often, we fail to set or properly describe our intent.  We never know what we're trying to accomplish.  We never know what we need to accomplish it.  We never know how to get help, and others don't know what we're doing to offer to help.  Rudderless and windless.

When we set intent, we still must be intentional about it.  Intent is directive: it can be collaborative, engaging, community; or it can be individual, solitary; but must be a decision, and it must be action.  Intent is worthless when there is no decision to act; nothing accomplished, frustration results.

Spirits fly on dangerous missions
Imaginations on fire
Focused high on soaring ambitions
Consumed in a single desire
In the grip of a nameless possession --
A slave to the drive of obsession --
A spirit with a vision is a dream with a mission...
Rush, Mission

Together we'll find out how dangerous intent is, at least with regards to my intent to start a blog.  I intend to make this an interesting read, covering a variety of subjects within my interests.  I'll range from cutting-edge science (less about the field of science, more about significant discoveries) to application of technology, fitness and nutrition, musings on other subjects that might strike my fancy.  Oh, and bicycling; there'll be plenty of opportunity to read about my passion for the bicycle.

I don't intend to cater to everyone's interests, but rest assured if someone suggests a subject I'll have a few words to share about it.

Thanks for taking the time to read my inaugural post, I hope you'll join me as we start this journey.

-- TechieRoadie