The Rules...and Life

No matter how you feel about them, The Rules have some truths about cycling, and life, worthy of consideration.  I'll admit, I don't follow all the rules, I am not a Velominatus, but I do subscribe to some of the ideals that it represents, both on the bike and off.

When you look at the real intent of the rules, you see it's really about being committed.  In cycling, there's a certain aura, even mystique, to being a roadie; reading these rules you can see that.  From color matching on the bike and color-coordination in the kit (clothes), to well-tended tan lines, using kilometers (instead of miles), and only allowing espresso and macchiato (instead of coffee or lattes).

I also suppose you're only allowed to take dainty sips from white china with your pinkie finger out while holding the tea plate in your other hand underneath.

I suppose it's ok to use plastic if you're on the team bus prepping for the next stage.

Side note, if you ride / race and don't drink coffee, 1) more power to you; and, 2) you should.

Deep down, the rules aren't just about cycling; they're about life.

As the Rules say...
...it's all about looks.  Appearance is everything in road cycling, and many roadies will quickly rate those around them by how closely others tend to their appearance; the better kept a cyclist is, the more they follow the written and unwritten rules of form and fit, the more respect they get.

Rule 7: Tan lines should be cultivated and kept razor sharp.

The ring of lighter-colored skin above the deeply-set tan earned through hundreds of hours outdoors on the bike: it's unattractive, and looks unkempt.

This can be hard, even for people like me, as kit can vary in fit, but there's also a practical reason to keep tan lines sharp: burns.  There's nothing worse than having a perfect tan line at the bottom of the shorts with a quarter-inch burn ring just above it.  It hurts, and it looks terrible.

Rule 8: Saddles, bars, and tires shall be carefully matched.

Isn't she beautiful?

I cringe whenever I see a bike with different color tires, wheels that don't match or are the wrong color for the frame or tires, bright bar tape that doesn't match the palette of the frame.  It's like seeing a car with different wheels on it; the owner simply doesn't keep up with maintenance or doesn't pay attention to details.

Rule 33: Shave your guns.

Let's be honest: there's always tells; at a bicycle ride hairy legs is one of them.  I'll be the first to admit there are some strong, talented, hairy-legged (ew) people out there; I didn't shave my legs until I finally got serious enough to buy a real bicycle, and that was only 3 years ago.  But, in general, hairy legs means quick dismissal.

Rule 53: Keep your kit clean and new.

This really speaks for itself.  Dirty clothes are dirty (and look dirty).  Clothes wear out.  Don't let your inability to maintain a wardrobe result in you looking sloppy.

Looking Pretty.

On the surface these rules can seem unfair, and even a little bit prejudiced.  By my experience, however, it's also generally true: you can judge a cycling book by its cover.

The rule really is this: always look better than you have to.  Cyclists may take this in a certain direction, setting specific rules to maintain a mystique, but in the end it's really about representing yourself in the most positive light.

Whether it's mismatched kit or a novice-level knot on a tie, never forget that appearances count.  Look good, and you'll be received well.  Look good, and you may have the opportunity to do well.


Another aspect of the rules...
...is about being a positive contributor.  Cycling, and life, is full of people who don't contribute, don't bring light to the life around them.

Rule 67: Do your time in the wind.

No cyclist likes wheelsuckers, people who use the draft solely to their benefit without making a contribution.  Cyclists especially detest wheelsuckers who do so then take off in the dwindling miles to leave behind the people who did all the work.

We all know wheelsuckers, people who only work to grab the coattails of someone else's successes.  We even know a few who have made an art of sprinting ahead of hard working people to claim completion and credit.

Earn what you receive.  Do your time in the wind.

Rule 19: Introduce yourself

Although this is a little about networking, it's a little more about joining existing social networks.  Joining an existing club ride can be very daunting, especially for a new cyclist; and even for veteran riders there's plenty of pitfalls.

Take the time to introduce yourself.  Learn who the group is, and who the primary people are - who the leaders are.  Learn the rules, and follow them.

Rule 43: Don't be a jackass

As a common group, cyclists share a common perception from others.  It's absolutely critical that we think of what our actions may mean for the greater community.  What we do could come around to haunt someone else, whether it's immediate response to something we do or adding to pent-up emotion that results in someone's action later.

This is true in all things.  Be respectful of those around us, treat people fairly - as they would want to be treated.  Earn karma, and help others pass it along.


Finally, the last bit of advice from the Rules...
...is about commitment and dedication.  Like in life, cycling will only give what you put in, and sometimes you have to put in a hell of a lot more than you're going to get out - pay it forward.

Rule 10: It never gets easier, you just go faster.

Training to get faster, to get stronger, never gets easier; in fact, the effort and regiment necessary to gain becomes greater and greater as your capability grows.  You may get out of training what you put in, but the returns decrease over time - faster by smaller and smaller increments.

You have to build a system in which to grow, and you have to dedicate to that system in order to get anything out of it.  Life never gets easier, you just gain more experience and knowledge to deal with it.

Climbing a hill is like wrestling a gorilla.  You don't stop when you get tired.  You stop when the gorilla gets tired.

Rule 9: If you're out riding in bad weather, it means you're a badass.  Period.

Riding in the cold, wind, rain, snow (or some combination) is the sign of insanity - or complete dedication.  It's not about passion, it's about commitment.

A rainy 42F in February, and we're racing

Such as it is in life.  It's not always bright skies, warm days, light winds; more often than not life throws in a challenge we must surmount.  Whether it's 100F+ temperatures, 30mph winds, or changes at home or at work that rock the boat of our lives, it's those that get out there with a smile and dedication to move forward that will ultimately gain and grow for the experience.

Rule 93: Descents are not for recovery.  Recovery Ales are for recovery.

Reaching a peak doesn't mean the end of the road (except in mountaintop finishes, but even then typically the race goes on the next day).  The race continues, and the descent off the top is no time to stop putting in the effort to stay ahead of the pace.

Success starts early, even immediately following success.  Don't relax; use each pinnacle to drive for more, perhaps higher opportunities.  There will be time to recover and prepare for the next chase, be sure to wait until that opportunity comes before starting to relax.

Rule 64: Cornering confidence increases with time and experience:
This pattern continues until it falls sharply and suddenly.

Falling on a bicycle sucks, well and truly, and nothing does more to shatter riding confidence than to have a major wreck.  Unfortunately, they happen, sometimes because of our own confidence, and sometimes because the world is a difficult place.

...and this is going to suck.

We all suffer failures, on the bike as well as the lesser parts of life.  Physical wounds from these failures take time to heal; challenging ourselves to outperform our past will help heal our mental injuries, and only through that will we begin again to gain and grow.

Rule 5: Harden the F**k up (HTFU)

Cycling is hard.  You're in a pack, halfway up a climb.  45 miles in, 17 to go.  The pace has been brutal, and even now the tempo is painful as you work the sustained 8% grade.  Your legs are screaming so loud you can't hear your own breathing over the sound.

Through the fog...you see it.  The head flick.  The glance over the shoulder.  Then it happens, someone attacks.  A moment passes, then someone chases.  From within the oxygen-deprived, heart-pounding, lactic acid-fueled haze, the voice: chase, or lose.

This is absolutely not about "getting over it."  You don't get over it, but you do have to bear it.

Opportunities don't only come when you're prepared to chase them.  Sometimes you have to grit your teeth and work through the pain of failure, loss, and hard work to grab on to something truly valuable.

Life is hard.  You just need to be harder.

But, really, it comes does to one thing in the end:

It doesn't matter how fast you go...you must never give up.

Progress is progress.  I've hit the wall so hard I could barely balance on the bike for how slow I was moving; many of us have.  We just have to keep going and we'll eventually get there - where ever there may be.

And that's how it is.  You don't have to chase every break, you don't have to always be at your best.  You don't always have to be primped and polished, and you don't always have to have a smile on your face.

You do have to keep moving.  It's only through that effort that you'll find yourself in a different, hopefully better place.

And remember Rule 4: It's all about the bike.

Focus on Fundamentals

Ok.  Let's face it.  The fundamentals are hard.  They're also boring.

They're also fundamental; they're the foundation.  Nothing can survive (long) without a foundation, and success will ultimately be limited by the limitations of the foundation on which that success is built.

In bicycling, our foundation is called the "base".  Base is earned through long miles in the saddle riding at a consistent and moderate pace, repeated over and over.  The typical training plan has 2-3 months of this stuff, mile after mind-numbing mile, as much as 3-4 days a week, with length based on how long races will be later in the year.  60 mile races?  4+ hours on the bike getting in base.

So, yeah, it's hard, and it's boring.

Bicycling, and Information Security, are both like building a pyramid.  If you want to go faster, ride longer, you need to build a wider base first.  You need a solid foundation, one that will support you when the time comes to drive a break 70 miles into a 100 mile race.

Information Security is the same.  If you want to deliver better protection, higher capability, you need to ensure you have a complete and supporting foundation - fundamentals.  If there's cracks or missing sections, there's room for the whole system to collapse under the weight of the stacked stones.

That raises the (obvious) question: what is fundamental to information security?  You have to have Anti-Malware.  And a Firewall.  Mix in some Intrusion Detection, log analysis.

Fact: none of those are fundamental.

Seriously.  You don't need this.

Put down the pitchforks for a moment.  Use of technologies like these are absolutely required, they just don't make up the foundation of a solid information security program.

So what does?

The National Institute for Standards and Technology (NIST) has put together some excellent documentation about managing information technology and information security.  One of their recent products is the CyberSecurity Framework, a product that provides a clear and executable map to measuring information security risk in a practical and illustrative way.

One of the key components of NIST's model is the list of core functions: Identify, Protect, Detect, Respond, Recover.

The Sequence of Core Functions - Each Drives the Next

These are sequential risk-reduction, information security management functions.  Investment only provides mitigation to the right, such investment is best served further to the left.  That means your foundation is the item to the left: Identify.

You can only act on what you've delivered.

Stealing liberally from NIST's documentation, this is what Identify means:

Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities

Understanding is fundamental to information security, the level of understanding is the ceiling for any information security program.  And understanding is hard, we always want to fast forward past it to get on to the sexy part of information security (if such a thing exists).

But you cannot secure that which you do not understand.  So let's dive in:


Understand Business Strategy

Information Security cannot operate without alignment with business purpose and strategy.  Use this knowledge to capture (or develop) a list of Threats that apply to the business model, vulnerabilities of the business based on the line of work, then cross to find enterprise class risks.  It is here that technology and information risks can be latched.

This is where we'd capture "Risk Tolerance", and a good place for a short soap box.  Risk tolerance should be a dying term as it's typically used in place of "willing ignorance": a willingness to accept risk due to perception the risks can't manifest (i.e., don't apply).  Risk tolerance should be a business case, financial-driven decision based on potential losses and impact of manifest risk.  But I digress.

This is where the information security program will take root and where it'll find reliance and support as it delivers business cases for risk reduction; the Why of Information Security.


Establish Management Intent

Utilize the knowledge generated in understanding the business strategy to establish over-arching management intent.  This starts with the Security Policy; the policies, procedures, and standards designed to deliver controls that orient to the risks the organization faces. 

The quickest, easiest way to establish intent is to select a control framework and write it into Policy and Procedure.  This becomes a simple process of selecting controls that relate to the risk posture of the company, setting standards within those controls according to the level of risk, and establishing metrics and measurements to enable assessment of compliance to controls.

Intent should also integrate Information Security into other organizations, enabling upstream and downstream delivery of controls throughout the organization.  Information Security has cross-organizational concerns in Vendor Management, Human Resources Management, among others.

The intent of Intent is to establish the rules for how security will operate, aligned to the risks and strategies of the company; the How of Information Security.


Capture Inventory

This isn't a real Datacenter.

This is where the rubber meets the road in the statement "you cannot secure that which you do not understand."  In practical terms, this inventory is the list of stuff that needs to be protected.  There's a lot to think about, but they fall into a few broad categories with the depth of detail driving the maturity of downstream controls.  This is the "What" of Information Security.

Design and Architecture Assets: Network and system diagrams, the "as-built" for the technology system as a whole.

Physical Assets:  There are the traditional technology devices with a few added items.  Servers, laptops, mobile devices, printers, network equipment, security equipment.  Each should be uniquely identified via some electronic means, each should have pertinent information such as responsible part, purpose, and similar.

Service Assets: These are the delivered technologies supporting business functions, such as the HRMS, FMS, ERP, along with smaller services such as Reporting, Project Management, and other solutions.  These should have owning business organizations and/or responsible individuals associated to each.

Integration Assets: Flow diagrams showing the movement of information between services (information systems) and the relationships of business processes to information flow.

Software Assets: The list of approved operating systems and software packages utilized on the environment.

Information Assets: The types of information utilized and where they are intended to be located with owning business organization and/or responsible individuals.

Identity Assets: The complete list of individuals who should have some level of access to the technology systems with information on their role and area of responsibilities.

Access Control Assets: The complete list of defined access credentials for each service and system, and a complete list of the roles and privileges provided within each.

(It's hopeful, and hopefully likely, that the Identity and Access assets are already linked; else, this is low hanging fruit.  Get it done.)

Threats and Vulnerabilities: The last two are a little less palpable but no less important, the list of Threats and Vulnerabilities within the organization.  These are necessary to create a risk profile for the assets inventoried above, enabling decisions on how to deliver protection, detection, response, and recovery in appropriate measure.

Threat Inventory: A list of known potential sources of impact to the organization's technology systems.  This list should be based on the inventory generated above; i.e., threats that are specific to the technologies and services being consumed; and based on how the business is operated, linking threats to parties that may be interested in disrupting the services provided, such as organized crime for retail.

Vulnerability Inventory: A list of known vulnerabilities within the environment.  This should be developed by both technology (scanning) and research, and contain vulnerabilities that impact information security and the application of controls over technology such as environmental and human influences.


It is all about the fundamentals; it's not possible to implement an information security program without having a strong grasp on what needs to be secured, why it needs to be secured, and how it should be secured.  The Identification process provides the knowledge needed to define the necessary technical and procedural mechanisms of information security.

Sorry.  Obligatory.

Without having a solid foundation, vulnerability manifests in cracks, eventually manifesting as failure in controls and, possibly, failure in the information security program.

Sometimes in spectacular fashion.  The pyramid comes crashing down because of a single failed stone.

The investment in time in fundamentals will lead to a more successful program.  Take the time to figure out the gaps, act on them, and the program will be better for it.

My Passion for Scotch

I love scotch.  And I love malt whisky.

Single Malts, Blended Malts.  Speyside, Highland, Islay.  Japanese, American, Scandinavian.

It all started on a trip the UK.

I am, or was, the typical American.  I had never really left the relative "safety" of the United States.  I'd been to Canada, visiting Montreal on many occasions.  I loved Montreal, and I still do; but it's still a North American city, despite it's old-world feel.  And Montreal represents what's most "foreign" about Canada for Americans, in many ways visiting Canada can feel like visiting a different region of the US - the difference between New England and the Deep South, for example.

(For my Canadian readers, I am not drawing comparisons or saying Canada is the US.  I'm saying that it's not "foreign", any more than the US is "foreign" to Canada.)

My first real international trip was to Great Britain - England, proper.  There is no better way to appreciate just how diverse people are than to make Britain your first international trip.  Every illusion you have about your perceived commonality with the British will be shattered within minutes of your arrival.

I was there for work, part of a technology deployment team delivering infrastructure and applications to support a new facility.  We were staying at a small boutique hotel in Bath, with every room occupied by a team member; this effectively gave us run of the place.  It had both a small restaurant and a small bar in the basement.  We spent a fair amount of time in the bar.

While the hotel manager was clearly unimpressed with his American clients, doing little out of his way to make our stay comfortable, much of the staff were absolutely enamored.  They had two general staff, basically bell/concierge, who did everything they could to spend time with us and ensure we were entertained.

One night, we had a group sitting at the bar; 5 or so.  Our bartender was a young Portuguese man, one of the hotel staff that greatly enjoyed spending time with the Americans.  We were unwinding from the day, engaging our bartender in the conversation.

At the time I only drank beer, typically mid-color (Ambers, reds); I didn't like (and still don't like) stouts or porters, which limited my options.  That had led to a conversation about the difference between American and British beers, and the difference between Irish beer you can get in Britain vs the US.

(There's a huge difference.  Trust me.)

As we're chatting, our Portuguese friend asks if anyone had tried some of the liquors that were on the shelf.  The answers ranged from "never had hard liquor" to "tried most everything", mostly "only a few" or "no".

He grabs a bottle of a local British liquor, "How about this?"  Everyone said "No."

"Let's see what you think!"  He pulls out a tumbler, pours a shot, and hands it to the person at the end of the bar.  The tumbler moves down the row, each person taking a sip to various reactions.

And that's how the rest of the night went.  Thank goodness it wasn't a work night.

We tried everything...gin...bourbon...cognac...tequila...all sorts of liqueurs...mixers.  Several hours of sipping various liquors.

Somewhere along the line, an amber liquor worked down the row.  I had missed what it was, distracted as I talked with my neighbors about the last drink.  I suddenly realize it's there, so I turn and take my sip.

Oh.

My.

God.

The taste sparked something in me, something hard to describe.  I suddenly felt like a part of me I never knew awakened.  It was a sense that this was right and true.  It was fundamental to me, like it touched a part of my inner being; my soul, my spirit.

It was GOOD.

I'm suddenly single focused.  "What is this?"  Famous Grouse.  "This is INCREDIBLE.  What kind of liquor?"  Scotch.

From that point, nothing else mattered, nothing else compared.  I lobbied for more scotches to work down the line.  Only succeeded once: Johnnie Walker Black Label.

And so it began.  From that day forward, I had scotch in the house.  An expensive habit, I have to take care to manage how much I consume, but I always have it for those moments when I need to feel whole.

Despite that, I'm still a novice - I still am today - so I continue to drink the less "respected" scotches, mostly blends.  I slowly expand my palate.  Dalwhinnie.  Laphoraig.

I have the greatest respect for my grandfather.  It's funny how our parents can do no right, yet our grandparents can do no wrong.  I love him dearly, and could only hope to be half the man he has become.

With that in mind, I always am at my best when I'm around my grandfather, moreso than I am in virtually any other situation.  I had been told his father struggled with alcoholism, and always felt that left my grandfather with a poor opinion of drinking.  I never talked about my drinking, and it took many years before I'd even order a drink in front of him.

(My respect for my grandfather only grows.  His ability to not just tolerate but accept and be at peace with the ways of those around him is one of life's true lessons.)

It was by accident that my preference for scotch came up.  It was in typical family conversation, talking about what's going on in our lives - good, bad, or just "is".  My dad mentions that I have taken a liking to scotch.

I cringe.  Yes, your grandson drinks hard liquor.

"Oh really?" says my grandfather.

My dad continues, "Didn't you drink scotch?"

!!!??!!

"Yes, I used to have a drink after coming home from work."

!?REALLY?!

Things start to click into place.  I suddenly have images of my grandfather sitting in his chair after nightfall, smoking a cigarette in the dimly lit living room of my family's home with a tumbler in his hand.

I am my grandfather's grandson (minus the cigarette).

I learn my grandfather's drink of choice was a Haig; today, Haig is best known for their Dimple 15-year blended scotch.  It's a relatively good blend, especially good for the price.  Of all the selections of scotch I keep in the house, they all have similar palate and follow to Dimple - oaky, lightly spiced, lightly sweet, malted, with only slight touches of smoke.

The love for scotch jumped generations, skipping my parents to land squarely in me.  My passion is another homage to my grandfather; it's in those times, when I sit in my chair and sip at my tumbler, that I am the current reflection of my history, a reflection of man I'm proud to call my grandfather.

I have a passion for scotch.  And now I understand why.

My Fleeting Passion for Professional Cycling

As I've said, there's a story behind everything.  Here's my story why I don't watch professional cycling.

There was once a time where I felt passion for professional cycling.  It lasted 7 days.

It's the 20th of July of 2006.  I'm sitting in my assigned room in a secured compound in Kabul, Afghanistan.  I've ridden various Russian-built helicopters across the country 3 of the last 5 days, and I've been out of the relative safety of our compound every single day.

I've been in the region for a week.  I'm still a little jet lagged.  The air is thin, and full of dust and other crap (literally).  I'm tired, constant travel tired.  Constant threat tired; I'd been in dangerous parts of the world before, this was more just a constant wear rather than a new experience keeping me up at night.

At least it wasn't like Baghdad, where you could set your clocks to the morning bombings.  But, again, that's another story.

It's my first down day, if you can call it that.  We were supposed to travel today, but circumstances wouldn't allow; instead, I spent the morning meeting with the local staff, then met with our travel coordinator after lunch to plan the flight for my team the next day.

So, I'm sitting in my room.  After the constant buzz of activity and motion - the constant flip of attention between the road and the objects alongside the road - I can't focus without noise.  I need input.

I flip on the television.  Which, surprisingly, works; and more surprisingly even has English channels.

I start to flip.  Flip.  BBC News; nope, too close to my world.  Flip.  Indian daytime dramas (soaps, if you could call them that); nope.  Flip.  Middle-eastern music videos...

There's something a little surreal about watching a Middle-Eastern female in a westernized female lead-singer mixed with belly-dancer outfit shaking her rump to a large group of men in traditional solid-white middle-eastern garb.  Nope.

Flip, nope.  Flip, nope. Flip, nope.

Flip, Floyd.

A pair of British announcers are discussing the man on the screen, Team Phonak's Floyd Landis.  It took me a minute to realize: this is live.  I'm watching the Tour de France, live, and I'm watching possible history being made.

I take in just enough to realize the Landis, an American, was way out ahead, before the announcers cut back to the previous day's events that had put Landis on the ropes and effectively ended his TdF hopes for the year.  I watch as Landis crumbles mere miles from the finish, disintegrating in a way that was clearly psychologically crushing.

I had heard about Landis through my monthly reading of Bicycling Magazine, a habit I no longer keep.  He struck me as the kind of person we wanted to win the Tour, painted in such a good light, painted as truly different from Lance Armstrong's in-your-face, dare-you-to-accuse-me, hyper-aggressive way.

Floyd seemed to be a real person, down to earth rather than on a pedestal like Armstrong.   While I had little interest when I read the articles, I suddenly found myself glued to the screen.  America's boy was about to become a hero, and I was watching it happen.

I wanted to Floyd to win.  I wanted to be like Floyd.  I wanted him to win, because if he could, I could.

I watch the miles dwindle away.  I feel the relief every time the gap is put on the screen - it's holding.  I watch as he grabs water from the team car, pouring it on his head.

I feel a little more confident when Landis' coach says Floyd can hold 400w for an hour under these conditions, he's well within the his limits.

I start to worry when I learn Landis' radio had failed, likely shorted by all the water he was using to keep cool.

I watch as the lead begins to dwindle.  First, by seconds, little concern.  Then more seconds, piling up to minutes.  The gap has closes past the time he needed to take the lead.  I am on the edge of my bed, trying not to scream at the TV "THEY'RE CATCHING UP!  GO!  GO, DAMNIT!"

Finally, Landis crosses the line.  He's done everything he can, it's up to the chasing peloton.  I sit, counting the seconds, then the minutes.  A couple climbers finish, then the main peloton.  Landis puts 5'42" into the next finisher, jumping up to third place.  Lots of punditry - Landis could do it, just needs to hold on for the last couple stages before he could seal it all up in the Individual Time Trial.

As I travel around Afghanistan for the next few days, I'm constantly checking the results, looking for Landis, looking for our guy to come through.  I stay up late to see the replay of the ITT, watching the times as Landis makes 1'29" on first place GC Pereiro to claim the overall win.  I watch the procession into Paris, the yellow jersey on the back of a heroic American who overcame a cataclysmic failure to win the Tour in the closing days.

I'm a believer.  And I'm a pro-cycling fan.  The days of questionable victories by Lance and others are over, a new brand of winner has been crowned.

27 July 2006.  Landis' A test comes back positive for testosterone.  My faith is shaken, but I focus on his innocence and await a second test.

5 August 2006.  Landis' B test comes back positive for testosterone.  Landis is stripped of his win.

As quickly as I started to find a passion for professional cycling, I lose any faith in the sport or its participants.

So, today I have little interest in professional cycling.  Instead, I ride.  I race.  And I do everything I can to be honest about it.

I don't care about professional cycling.  I want to believe, but my faith has been crushed.  You can blame Floyd Landis for getting me interested, and you can blame the whole peloton for pushing me away.

24 Hours in the Canyon

I attended my absolute favorite bicycling fundraising event this past weekend.

One of the most beautiful things about cycling is that we're a truly generous bunch.  All an organizer has to do is set up a safe route, provide support at 15 mile intervals, give out t-shirts, and hundreds (or thousands) of cyclists will pay $30-40 for the privilege to ride.  These little rides put a few thousand dollars into the pockets of valued local charity organizations every weekend.

There's even national events touring around the US.  These events are enabled by major sponsorships and attract tens of thousands of riders who cover tens of millions of miles, raising millions of dollars every year to support worthy causes.

Bike MS150
Tour de Cure
Ride to Defeat ALS

Great events, great people, great causes.  As cyclists, we're a truly giving group of people.

There's one event that's unique.  This event provides for riders of every type, gives the opportunity for each participant to push themselves as hard as they want, and is set in one of the most beautiful places in Texas.  And it's the only combined and simultaneous road and mountain bicycle racing event in the US.

It's a race against the clock, just like the disease it fights.  It has races ranging from 6 hours to 24 hours, with awards for those covering the largest distance.

That's right.  24 hours of racing.  Cancer never sleeps.  Why should we?

24 Hours in the Canyon

Ryan Parnell, the event director, is a gift to humanity.  He's truly a great man, an all-around good guy; I have an immense amount of respect for him.  It's clear he puts a tremendous amount of time and effort into making his event, 24 Hours in the Canyon, happen...flawlessly.  The attention to detail, the personal touch for every person who comes in contact with him, the selection of such high quality, wonderful people to help him make it happen.

I just wish I knew more names!

Ryan leads a huge team of volunteers to put on the 24 Hours in the Canyon event every year.  They handle every detail, make sure everything is sorted, make sure everyone (racers and support) are informed.  They have great sponsors, enabling Ryan to put on a variety of events throughout the weekend while giving him access to resources that make his event far and away the best I've ever experienced.

If Ryan and his team make the event, the attendees make the event even better.  These are some of the best people in cycling, people who sincerely believe in giving, work hard to raise money to support the cause and the event.  These are people who sincerely believe in using the bicycle as a way to give a little more.

Even more, there are many cancer survivors among the competitors.  I have the greatest respect for them, they are truly the most hard-core riders I'll ever meet.  The very fact they come out and push after such challenges is amazing; that they do it to help others going through what they survived is truly inspiring.

For many of us, cancer strikes close to home.  One of the members of our 4-person 24-hour mountain bike team is a survivor.  He had the second fastest laps on the team, and put in 7 laps over the 24 hour race, day and night, with little sleep.  I passed many survivors on the course, most riding 12 and 24 hour events, and was awed by their sheer will.

I have nothing but the greatest respect.

As the host location, Palo Duro Canyon State Park is home to some of best, most accessible MTB riding in Texas - a nearly perfect package trail quality and scenery, all within reasonable distance of civilization.

It has roads, too.  There is no discounting the road portion of the event, or the beauty seen from those roads.  For me, the trails are the main attraction.

24 Hours in the Canyon provides no shortage of opportunity for personal challenge.  Friday has a hill climb, a 1 mile race up the 10% average grade switchbacks leading out of the canyon.  There are categories for both men and women, and categories for road bikes, geared mountain bikes, and single-speed mountain bikes.

I can't imagine doing that climb on a single speed, particularly not a single-speed mountain bike.  That's truly hard-core.

There are cash awards for the fastest climbers, but that's really not the point.  A good friend of mine was the last one up the climb last year.  He is fighting cancer, yet still rides 3-4 days a week and rode in the 2013 two-man 12 hour race after finishing the hillclimb.  For him, finishing the climb without stopping was a great accomplishment, one that I give immense respect.

Then there's the main events: solo or team, all male / all female or mixed, 6, 12, 24 hours, road or mountain, single speed or geared.  It's almost guaranteed there is an event for you.  You don't have to be there to win; the fact you're there, the fact you're challenging yourself, is a victory itself.

The starts for the main events is staggered through Saturday and Sunday, culminating in a common end at noon on Sunday.  The start of each new event infuses new life into the course, adding a palpable excitement even as fatigue begins to wear at the longer-distance racers.  As 6 hour racers begin to pass the 12 and 24 hour racers, you can feel the transfer of excitement, an increase in will; the pace picks up.

If you're looking for an exceptional event, with truly wonderful support and exceptional participants; if you're looking for a personal challenge with opportunity to race your own race, as you want to race; if you want to support a worthy cause and know that everything you do is going to support that cause, this is your event.

Ryan and his team of volunteers run 24 Hours in the Canyon as one of the best organized, friendliest, professional, and beautiful endurance races in Texas.  Don't take my word for it.  Come down and see for yourself.

Training with Power

Thanks to Fatty for his post that triggered this entry.

I'm a bit ridiculous with my bicycling, and I always have been.

Very soon after getting back into riding about 10 years ago, I was looking for data.  First, it was a simple cyclocomputer.  Speed, distance, average speed, time.

Very soon after, it was a heart rate monitor, a cheap one that displayed on a wristwatch which I mounted to my handlebars with a drafting eraser under the band to hold it in place.

Yeah, I was the epitome of road bicycle style, hairy legs and all.

I quickly saw that heart rate wasn't telling me anything, especially without some data recording capabilities.  I'd feel great with my heart at 165bpm, and feel like I was about to pop at 140bpm.  Heart rate was just not very helpful.

I was also deluded into thinking I was truly fast.  I was occasionally able to beat the other riders in the Tuesday/Thursday pick-up ride on my aluminum framed Specialized.  They knew me by name, and I even had a nickname: Red Chris.  (I wore red kit exclusively for years, and my bicycle was red.)

I thought I was cool.  I thought I was fast.

So I bought a power meter: a CycleOps PowerTap SL 2.4, built with Mavic Open Pro wheels and DT Swiss spokes.  Top notch kit.  I put my shiny new wheels on my hardly new Specialized, tripling the value of the bicycle with the swing of a quick release skewer.

I was so cool.  No one else had a power meter at the time.  They were still pretty rare even at the pro level.  I ran out and did a hard ride.  I recorded heart rate, power, speed, cadence.  I rush home, hook up the LYC (Little Yellow Computer) and download the data.  I bought software to help me analyze and track my power training.  I reviewed my power in detail.

And I realized that I stunk.  I was slow.  Weak.  Pathetically weak.  Didn't register on the charts weak.

Buying a power meter was one of the most demoralizing moments in my cycling career, if you could call it a career.  I suddenly knew my standing in the world of bicyclists, and it simply wasn't very high.

My ego was badly bruised.

Then I read the instructions.  I need to zero out the torque!  Next ride, I get out, zero out the torque.  I reset, ride hard, capturing all this data.  Go home.

I still suck.  My ego was almost fatally crushed.  My dreams of riding in the Tour de France were fading fast.

For years after that, I capture my data.  I don't buy a new bicycle.  I regret the investment in a power meter that cost as much as a sweet new mid-level carbon bike.

I realized that the fastest way to see how much you suck is to buy a power meter.  There are times when you're suffering, you feel like you're working yourself to death.  Legs screaming.  Heart pounding.  Gasping for air.

Look down, you're doing 50% of your normal power.  And you can't turn up the wick.

At least, with a simple cyclocomputer, you can delude yourself.  Sadly, high technology doesn't lie, it tells the cold hard truth.

But, it's those moments where you learn.  And learn I did.  Over time, I started to understand what my power meter was saying.  I learned what it meant about my performance in a broad sense, and my body's response to my activities.  I started to get faster.

I learned a lot that had nothing to do with power and everything to do with making power.

I learned about hydration, and the impact it has on power.  Food, and the impact it has on power.  Temperature.  Riding position.  Sleep.

I learned a lot about power, too.  I learned about the impact of using power, the impact of accelerations, tempo, threshold riding.  I had sudden clarity on the idea of "matches" and what happens when you light them.  I gained clear understanding of the advantage of drafting, both as the drafter and the draftee.

I learned how to manage my performance; how much capacity I had, how to have capacity when I needed it, and how to develop more through training.

Even more, I learned how to combine information.  Heart rate and power.  Power and cadence.  I learned how each affected the other, how to utilize them to my benefit.  I started to understand how my body would act when I was tired, dehydrated, hungry, poorly fueled, hot, cold, sick.

Today, I have two wheelsets with power meters, and I seriously considered putting a power meter on my MTB wheelset (still regret not doing that, the stats would be really cool to compare and contrast with road).  I know my thresholds, I know my limits, and I can see them play out on a screen in front of me when the time comes.

I also know how I compare to typical competitors, and I know what I need to do to be competitive with them - or to force them to respond.

And, most importantly, I know how to see when I need a break.

Buying a power meter was the best thing I ever did, despite the outrageous price tag when I did it.  A power meter is the most powerful tool available for bicycling, right behind the bike itself.  I wouldn't be half the rider I am today if I didn't have all the knowledge I gathered through simple observation of my power meter.

And I'd probably still be deluded into thinking I could ride the TdF.  Today I know that'll never happen.  Cat 2, or maybe even Cat 1, but not that.

Hey, we gotta dream.

Collaboration: A Tired, Overused, Yet Under-Expressed Term

I prefer to talk.

I'm sure the comes as a complete surprise to anyone who has spent the time to read much of my ramblings over the last couple weeks.

(I'm also a little sarcastic, but that comes with the territory.)

But, seriously, I like to talk.

I think the art of communication is slowly being lost.  This isn't going to be a diatribe against the malevolence of e-mail, instant messenger, SMS, blogs, or smartphones.  I just believe we've allowed ourselves to become too impatient to have real conversation.

And that's what I really like.  Discussion.  Exploration of a subject.  Understanding the point of view of everyone involved.  Appreciating differences in positions and opinions.  Arriving at common ground.

My problem is that I'm in technology.  As a general rule, we don't communicate well, and don't relate well.  As I was once told, a good IT person is "cocky, arrogant, and difficult to work with."

Of, course, the anal retentive side of me pointed out that "cocky" and "arrogant" are synonyms so the statement was redundant.  That didn't get a good response.

Worse, I'm in Information Security.  All those habits, with the natural air of suspicion and concern for revealing anything that could breach confidentiality.  (Right.  Take that technical orientation and wrap it up with a CIA triad bow and see what you get.)

In short, we're really, really, bad at communicating.  We rely on so-called "subject matter experts" to tell us what we need to know.  We listen to vendor slime tell stories about the wonders of their technology, trying to glean why, precisely, they exist in the first place.

(Oh crap!  I have no idea what problem they're trying to solve!  Did I miss something?)

I like to talk.  We all do.  This is why, when you go to a conference, the roundtables always fill first, why they always have waiting lists, and why we end up getting stuck in presentations about how the position of a dot on a quad chart is so very meaningful when compared to the position of another dot that is below or to the left of the first which illustrates the value proposition of.....

.....zzzzzzzzzzZZZZZZZZZZZZZ.

Sorry.  Back on topic.

I like to talk.  And there's a reason I say that.  I genuinely appreciate organizations that allow me, and people like me, to talk.

I believe there is tremendous value in having an open, honest conversation about any subject; tactical / technical, operational / organizational, or strategic / enterprise.  There needs to be an outlet where we, as technology and security professionals, can lower the guard of arrogance, drop the shields of confidentiality, and talk about the common problems we all face.  We're not on an island, as much as we like to paint ourselves to be.

But we need help.  Collaboration, true open discussion, cannot happen without these:

Neutrality.  We need an environment where people can be candid.

Purpose.  Conversation started and driven by questions from individuals with real problems and needs.  Not personal; relevant.

Tone.  "What works, what didn't," with perspective as to reasons and implications.  No professional sales pitch ("look at all I've done"), no company marketing ("we've been doing this forever").  And no hype.

I draw tremendous value from open and candid conversations.  I've learned more in a single discussions than I've ever picked up in a 1 hour presentation or webinar.  I might get some ideas for tools and practices, but it's the real-world knowledge of how to apply those tools and practices that gets things done.

And to be quite honest, there's only two reasons there's a presentation - someone has figured out how to do something, and you'd learn more by talking about how it was done; or someone has a new way to do something and is trying to advocate for it.

The latter makes my early risk warning radar go off.

Clearly, we need to talk.  More.  We aren't so good at doing it ourselves, that's why we go to conferences.  We need help to make it happen.

Find your resources; I've found mine.   Local ISACA chapters (depending on their culture), roundtable events at conferences (you and everyone else), set them up yourself, or work with companies that specialize in enabling conversations.

There's a lot of knowledge out there waiting to be shared.  Some of it is locked in your head.

So get out there and talk.