Apr 14 2011

Feeling one-dimensional

Published by at 5:19 am under Blogging, General

I feel a bit guilty sometimes when I look at my own blog.  When I started blogging oh-so-many years ago, I’d blog at least daily, often two to three times a day depending on the time I had and what interesting stories I could find as the day went by.  Also depending on what my workload was, which was fairly light when I started, since monitoring an IDS really isn’t that hard once you’ve got things properly tuned.  The blog was a new toy that I wanted to play with as much as I could and there were a lot of ideas I wanted to explore back then.  But the shine has long since worn off of the toy.

Fast forward to now and I often go a week or more without a new blog post.  Sometimes the only post for the week is a link to the podcast, and some weeks even that doesn’t happen due to travel schedules.  So I’ll look at the site and feel bad because nothing’s been written, try to come up with anything and either walk away because I can’t come up with an idea or write something I don’t publish because, honestly, I sometimes write a pile of steaming crud that I don’t think should be inflicted on anyone.  These have some value, because they clear my mind a little, but you shouldn’t have to read them.

But the biggest problem I have with writing is that some days I feel like I only have one subject to write on, which is, you guessed it, PCI.  It’s an important subject, I have a fair amount of experience in it and I have points that have value and should be shared with the folks who come to the blog.  But it feels like I have been having the same conversation for a few years now, and I know that if I’m boring myself with the talk, I have to be boring others with it as well.  And if there’s one cardinal sin in writing, it would be boring your reader. 

I’m not sure there’s a solution for this problem, or at least not an easy one.  PCI is what I do for a living, I’m immersed in it 40-60 hours a week.  It’s hard to get out of the mindset of compliance.  The PCI requirements haven’t changed significantly in years, despite the fact that 2.0 came out last year.  And it’s not going to be changing again for at least three more years.  It’s not exciting, it’s not sexy and there’s not a lot of news that’s coming out about PCI.  Unless you consider all the breaches, that is.

It’s a little depressing to be so one-dimensional, to not have a breadth of subjects to talk about.  And even within PCI there are some subjects and events I can’t write about because either my employer is involved, therefore I’m involved indirectly or because I’m involved directly and would be incredibly stupid to make any comment on the situation at all.  To be fair, no one I work with has editorial rights on my blog or any say in what I write about here, but I have a healthy sense of self-censorship.  I like my employer and am in no hurry to do something that would get me in hot water in a hurry.  I figure this is simply a factor of growing up and taking responsibility, not a constraint laid on me by someone else.

I’m not sure there’s a solution at the moment, but I’m open to suggestions.  I’ve started to branch out a little in my non-work hobbies; I’ve picked up a bunch of Arduino stuff and I’m working with the kids to learn more about electronics and to brush off some long neglected programming skills.  I’m also starting to talk to other security professionals I respect about long term career goals.  I often wonder how I got where I am in my career and rather than continuing to trust in the luck that got me here, I’m starting to lay some of the groundwork that will be needed to take me to the next level.  You’d be surprised how much good advice you can get if you just take the time to ask for it.  But neither of these is really at a point where I can write about it and I’m not sure this blog is the place to talk about Arduino in any case.  Career advice, yes, at least once I’ve digested enough of the wisdom folks I’ve been talking to.  Which could be a while, since this is something that I’m a little slow in assimilating.

I’m sure I’m not the only one who’s run into this issue.  I know from the comments I receive from time to time that I’m not the only one who thinks the blog has become one dimensional.  I think the proper term is ‘stuck in a rut’.  How have you broken out of your own rut in the past?  How have you broadened your skill set or interests so that you’re not a one trick pony?  Am I fretting over something that’s a non-issue and should stop whining and go back to writing about PCI and be happy I have something I’m, well, if not an expert, at least experienced in?  I’m curious how others feel about running into the same problem and would like to hear from you.



3 Responses to “Feeling one-dimensional”

  1. Peter on 14 Apr 2011 at 1:19 pm

    I discovered this blog originally because it was more about general computer and network security than PCI, but I’m not really bothered by the change. I personally have no particular interest in PCI, so my overall interest in the blog is diminishing, but I’m probably not your target audience. If you are knowledgeable about PCI (and it seems like you are) why not have this be a vehicle for your knowledge and self promotion of that knowledge. As a long-time reader, I remember there being a time when you were moving around from job to job pretty frequently. This blog could be a way for future employers and/or customers to see how knowledgeable you are.

    There are plenty of resources out there about general computer security and plenty of blogs about what people had for lunch. It’s far more interesting (to me) to read about a subject from someone who really knows what they are talking about and is clearly passionate about the field and improving the overall industry.

    You can certainly throw in side stories now and then, but becoming the go-to resource for PCI doesn’t seem like a bad idea to me.

  2. Adam on 28 Apr 2011 at 11:43 am

    It was reading this blog and one or two others which actually gave me the kick up the behind to go along the same lines, by no means to compete with any IT Security website/blog already out there, but to complement the very few of any use which I found out there this time last year and see what I could bring to the party whilst developing my own abilities and experience within the IT Security/Digital Forensics industry.

    There are plenty of Twitter feeds and a handful of Facebook groups, but nothing which is streamlined and regular. It was mckeay.net which introduced me to the likes of the network security podcast, which, as someone both studying and working, helps me catch up on the latest IT Security news from the week in one place.

    Even with forhacsec.com being only a few months old, I have found myself wondering whether to post something which I spent all evening writing or not. In some cases I do post, in others, I wait for a more appropriate time.

    At a time where I found myself in a rut, I ended up developing the site from a blog into a resource pool, with links, downloads, discussion areas etc, just to see where I could take it to, whilst balancing being able to manage it and keep it up to date.

    Going back through your archives, given that on average they have in excess of 20 posts a month, I’m sure you’ll get out the rut soon enough.

  3. Alex Scoble on 11 Jul 2011 at 1:35 pm

    Yep, I agree. It can be hard to find interesting things to talk about on a regular basis, particularly in this business where it’s best to not talk about what’s going on where you work, or where you have to sanitize things so much as to obfuscate the real value of what you are trying to share.

    You can certainly also get completely burnt out on the whole thing. Back when I was blogging for Computerworld where we first “met”, finding things to blog about on a daily basis became so time consuming and stressful that I eventually just gave up. Couple that with the death of my mom and I stopped blogging for something like three years.

    What is an IT professional like yourself to do? For one thing, I wouldn’t worry about it too much. You’ve built up an impressive “resume” of content already, so if you slow down a bit, well, you deserve a break. When you do feel like blogging, look within your archives to see what parts of PCI you’ve covered really well and what you haven’t. Since most businesses that fail tend to fail with the logging piece of it, perhaps start there if you haven’t already talked about that to death. Or talk about log management and SIEM just in general.

    Have you talked lately about how security by appliance isn’t security at all? Most CIOs, CSOs and other execs really need it driven home again and again that spending cash on appliances without also investing in workforce to deal with the resulting reports is throwing money down the drain.

    How much have you talked about incident management or business continuity? Maybe those aren’t your strong suits, or maybe they are, but those are other good topics to cover.

    Can you think of any tools, technologies, or areas that you’d like to research further? I’m sure you can mine that for plenty of blog material. I saw your post about Minecraft and the cloud, so I bet that there’s plenty of fodder for you to talk about how to deal with security in the cloud (even though you already have for PCI purposes a bit).

    What about the recent spate of big time security failures at Sony and elsewhere? What sorts of illuminating thoughts or ideas do you have regarding that sort of thing?

    I could go on, but I mostly think you have it covered and just had the typical twinge of blogger’s angst.

    Anyhow, keep on writing. We’ll keep reading.
