Dark Reading is part of the Informa Tech Division of Informa PLC



8/26/2012
04:45 PM
Mike Rothman
Commentary

Winning By Losing

Employers and customers will take everything you have to give, and then ask for more. You can bitch about it, or you can say no -- the choice is yours

I have a good friend whose son plays baseball. The son just moved from rec ball at the local park to a pretty serious team. They practice four times a week, have a few optional (but not really optional) practices on the off days, and play in tournaments over the weekends a few times a month. The coach is a 20-year retired Air Force guy, and his approach is all about discipline, fundamentals, and achievement. Each of the kids needs to earn his way onto the field. Nothing is given to them.

Only 75 percent of the kids take the field in each tournament. The other kids sit and root for their teams. At first that seemed a little harsh because the kid is only 12. But when I heard about the focus on discipline and fundamentals and the opportunity to get on the field through hard work and performance, I get it. And I like it. Because that's the way life is.

Let's use an analogy from the NFL. This upcoming week is the last week of the off-season and that means roster cut downs. Some guys (maybe 50 percent of the preseason roster) have significant guaranteed money or are key veterans, so they'll make the team unless they get hurt. The other 40 fight for maybe 10 available spots on the 53-man roster. They've got to bring it in every practice and film study session. They earn their right to be on the field for the games through hard work and performance. If they don't perform, then you can bet there is someone else waiting to take their spot.

That's life. You always have someone coming up behind you, working his ass off every day to be where you are. If you don't meet your employer or customer's needs, someone else sure will. And you'll be gone. That's how market-based economies work, and that's not going to change.

What does this have to do with security? And why does this concept get me hacked off? Because some folks don't understand about making choices. A little Twitter fight broke out recently over the increasing trend to start conferences on Sunday. Obviously that impinges on the weekend and maybe on family time. Some folks whined about it. Others told them to stop whining, that it's not unreasonable to expect that executives (warranting six-figure salaries) at times need to travel on Sundays. We've been talking about burnout in security for years. This isn't a new issue.

It's all about choices. I don't blame the conference organizers. If they can maximize revenue by having a day of training on Sunday, then why wouldn't they? If people are going to show up, then Mr. Market says to meet the demand. I don't blame companies that will take everything their employees have to give. And then ask for more. That's what companies do -- why is that a surprise?

The issue is that some folks don't know where to draw the line. Maybe they are too scared by that guy coming up from behind to say no. In this kind of economy, it's hard to say no. In fact, I know because there was a time when I was that scared guy, with a big mortgage and a young family and a demanding job. I attended a monthly weekend management meeting, which killed my Saturday. I answered the phone at all hours of the night to deal with "situations." I'd get to work early and stay late, to make sure my car was in the parking lot when the CEO would be checking. I'd travel on Sundays. I'd miss ballgames.

But I always had a line. I don't miss birthdays. I don't miss annual physicals for the kids. I don't miss school conferences. I certainly don't miss my wedding anniversary. Sure, I work for a small company and am responsible for my own schedule, so it's easier for me now. But I did the same stuff when I worked for bigger companies. I drew the line. If someone asked me to cross that line, then I said no.

I made my choices and maybe that adversely impacted my job security at certain jobs. I was OK with that. In reality, it was my sparkling personality that was a much bigger issue for my employers than my unwillingness to miss stuff at home. It's tough to find that balance, and I've struggled with it since I got married. To be clear, I work a lot, as do my partners Rich Mogull and Adrian Lane, but we work when it makes sense for our lives and our families. We're willing to lose the deal in order to win at the things that are more important to us. Rich blogged about his priorities a few weeks back. And we respect those priorities.

To further clarify, there are times when you need to do the work. Like when I was involved in the potential sale of my company. I worked late every night for two weeks and criss-crossed the country trying to get a deal done. Or if you do incident response and find the bad guys in your stuff, you work until the problem is solved. As long as that doesn't happen every week, it's fine. Again, you have to know where to draw the line.

And you know what else? I stopped worrying about the guy coming up from behind. He's always there. You need to accept that. There will always be someone trying to take your job, win your customers, break into your stuff, and steal your data. If they take my spot because I wasn't willing to fly somewhere and miss my kid's birthday, I'm OK with that. It's not a place I want to work anyway. It's not a customer I want to work with. You need to understand what you're willing to do and what you're not.

Making tough choices. Exercising free will. It's not easy, but instead of bitching about the unfairness of it all, maybe just say no. Set the boundaries and be clear with your employer and/or your customers about what you will and what you won't do. Understand they may choose to work with someone who will meet their unreasonable (in your opinion) expectations. And someday you'll realize you were better because they did. In the long run, you can win by losing.

Mike Rothman is President of Securosis and author of The Pragmatic CSO. Mike's bold perspectives and irreverent style are invaluable as companies determine effective strategies to grapple with the dynamic security threatscape. Mike specializes in the sexy aspects of security, like protecting networks and endpoints, security management, and ...
