Archive for the 'General' Category

Sep 14 2014

Limiting online time

Published under Family, General

I limit online time.  Not for me, for my children.  Apparently I’m among a fairly prestigious group of people who do so, since many of the C-level execs in Silicon Valley also limit their children’s time with tech.  Though it looks like many of them are even stricter than I am about how much time the children get to interact with their computers.

We’ve always limited the amount of time our children can spend on the computer.  We found from an early age that they’d spend every waking moment playing games and surfing the internet if they could.  I wonder who they’re using as their role model?  When they got their first computer, one I’d rebuilt from parts of several of my older computers, we allowed them to have it in their room.  We found out quickly that was a mistake, as our youngest had taken to watching videos that contained language we didn’t want him using.  Ever.  Since then the computers have been in a common area where we could look over their shoulders whenever we wanted.

We have hard limits for when they’re allowed on the computer, which are probably not as strict as those of many of the parents mentioned in the Times article.  The children often try to get around these limits by grabbing their iPhones or a tablet, but it’s been made clear that these also count as time online and aren’t allowed.  We have hundreds of books scattered around the house, and reading is always encouraged, no matter the time of day.  Now if we could only teach the youngest how to treat books with proper respect.

One thing we’re looking at changing is their use of social media.  Neither of the children have any social media accounts at all.  It’s not just that we don’t want them to have Facebook or Twitter accounts, it’s also that they’ve heard me talk about social media so much that they have decided on their own that it’s not worth it to have them.  They do have Skype accounts for keeping in touch with their friends back in the States and a few forum accounts, but these aren’t really ‘social media’ as I think of it, though maybe I’m wrong.

This might change in the near future, as our older child has started expressing some curiosity about social media and would like to experiment a little.  As long as he understands his parents will be following him and watching who he interacts with, at least at first, I think we can allow him to try it.  I don’t want him to be like the guy who keeps a case of soda in his room because his parents never let him have it as a kid.  Instead we’ll let our children learn in a relatively safe environment, or at least one where we can intervene if we need to.


Sep 07 2014

Is pay rising with demand in security?

If you follow me on twitter, you know I like to throw out questions occasionally just to stir things up.  On Friday I asked the following question about jobs in the security realm:

We keep hearing about how desperate companies are to hire infosec professionals. So how come we still see so many low ball salary offers?

This hit a nerve with quite a few people, many of whom mentioned that besides low salaries relative to the apparent demand, we also see low stature in the company: while there’s a demand, companies still don’t see how paying a security professional leads to profit.  The conversations on twitter led to an interesting side road about how newcomers to the field are expecting huge salaries without having any experience at all.  But the most comprehensive response came from John Wood, who wrote a whole blog post about it rather than responding 140 characters at a time.

John sees the reasons as being a) the company doesn’t really care about security, so they’re just trying to get the lowest paid person they can, or b) they have no idea what the actual job market for security professionals is like in the real world.  If it’s ‘a’, I’d agree with John and say stay far away from the company; let someone who’s willing to suffer through a thankless job take the role on.  His suggestion for the second case is that you should talk to the hiring team and explain to them what salaries are like in the real world, then walk away until they’re willing to pay what you feel is reasonable.  I’ve worked at a lot of companies in my career and I’ve never had this strategy pay off for me personally, but maybe it has worked for others.

I see the effect of companies who just want ‘check box security’ a lot.  Having been a Qualified Security Assessor (QSA) dealing with PCI in a former life, I’m all too familiar with the concept.  I understand that most companies out there still don’t see that security has to be part of core processes in order to be effective, and still see it as an impediment to be overcome rather than a selling point for the company.  Besides being directly responsible for the low salary offers, it’s reflected in the low stature the security team is often given within a company.  Of course, there’s the whole argument that we still don’t know how to speak ‘business’, but that’s a drum to beat another day.

Security as a core competency, as a business process that leads to more sales and greater profit, is a hard sell and one for which it’s always going to be difficult to draw a direct correlation.  I’m lucky in that I work for a company where security is a part of the discussion any time a product is sold, but how do you bring security into the conversation when you sell widgets?  It’s not easy, there are no simple answers and it’s something that each organization has to discover for itself.  The more we can make business aware that a good, well trained security team is essential to the health of the company, the more likely we are to see a willingness to pay salaries commensurate with the market rate for those roles.  On the other hand, I’ve been told at a number of places that sometimes there is no way of creating that linkage and security will always remain a check box for that company.

What about the new security professionals who are asking for high salaries with just an education and little or no experience?  That’s a hard one for me, since when I started in the security profession the only way to get a job was through experience.  I’d guess that it’s a dark reflection of the demand for security professionals; while in school the student hears again and again about how much demand there is and has unrealistic expectations once they graduate.  Or maybe they’re not that unrealistic after all, since at least some of them seem to get the salary they demand, even if they have to grow into the role they take on.

As a closing thought, one of my coworkers, Brian Sniffen, states

Only contractors are paid spot price. Salary is an annuity.

His point being that if you want the flexibility that creates a high end salary, you have to take the risks that a contractor does, including changing jobs regularly and having an uncertain stream of income.  In security, that risk is probably lower than in many careers, but it’s still a risk that’s there.  I’ve been a contractor and I’ve hopped jobs a lot in my career, which is another way to deal with the pay issue.  I’m not ready to do much of either in the near future, thank you very much.


Sep 04 2014

Congratulations, Rich

Published under Family, General, Humor, Personal

Wow, it’s been seven years since Rich Mogull left Gartner and started Securosis.  I met him shortly before he took the leap, introduced by a mutual friend, Richard Stiennon.  I worked with Rich and a host of others to organize the first Security Bloggers Meetup at RSA, which is still going, and when I heard he was leaving Gartner, I invited him to participate in the Network Security Podcast with me, a partnership that lasted over six years.  He’s a good person, a good friend, and someone I truly feel lucky to have met in the security community.

It’s interesting to see the progression any security professional makes in their career.  Many of us reach a certain level and seem to be content to rest there, while others never stop, never slow down and are never content with where they are now.  You can guess which of these two I believe Rich to be.  It’s heartening to see friends be successful, since one of the recurring themes in security is how we’re losing the war and burning out.  Seeing someone who’s still excited by their role, if not waking up in the morning, is a wonderful experience to behold.

Where were you seven years ago?  I was the security manager for a small company that had been in start-up mode for 12 years.  Now I’m living near London, working as Akamai’s Security Advocate for Europe and traveling the world over.  If I look at Rich as a benchmark, I feel a little inadequate sometimes.  But if I look at where I started versus where I am now, I’m happy, especially if I think about how much farther I can go.  I’m happy that my friends have been successful beyond my wildest dreams.

Congratulations on seven years of success to Rich Mogull and the rest of the team at Securosis.  You deserve the prosperity you’ve enjoyed over the years and I hope you have many, many more years of the same.  Just one thing:  Keep your pants on.


Aug 19 2014

A swarm of cars

Published under General, Risk

It’s a given that we will have ‘intelligence’ in our cars within the next decade.  Quite frankly, there’s no way it is avoidable, given the appetite of consumers for all things to be connected to the Internet and to each other.  In the case of cars, it actually makes sense for them to be talking to each other.  But there’s one question: what will the unintended consequences be?

Earlier this week the National Highway Traffic Safety Administration (NHTSA) revealed plans to implement vehicle to vehicle (V2V) communication technology that allows one car to communicate with another and transmit information about location, speed of travel and direction of travel.  Basically, 10 times a second a V2V car tells other V2V enabled cars its exact location, where it’s headed and how fast it’s getting there.  The theory is that this would enable your car to warn you when someone is going to run the red light in front of you or is merging onto the highway in an unsafe manner near you.  Presumably this would also integrate into smart car technologies, enabling them to better fend for themselves in high traffic conditions, since they’d no longer have to rely solely on their own sensors in the decision making process.

I have a host of security concerns about the idea of V2V cars, since most of the manufacturers who are creating the Internet of Things have shown that security is their last concern, if they even think about it at all.  I can imagine the V2V system being used to track individuals’ every movement in a way that makes Orwell’s 1984 look Utopian.  The privacy implications of having a car that’s constantly beaconing its location are pretty severe, and in all likelihood the ability to track individual cars will be mandated by law.  I can also imagine someone breaking into the communications systems to cause chaos, either by targeting an individual vehicle with false information or by disrupting a segment of the network that V2V relies on.  At least there is someone else who’s thinking about the security concerns of interconnected vehicles, namely I Am The Cavalry and their Five Star Automotive Cyber Safety Program.

But what I find interesting in relation to V2V is work that’s being done in swarm intelligence, as it relates to the idea of cars.  Researchers at the Harvard School of Engineering and Applied Sciences have developed a swarm of tiny robots that can self-organize into a number of shapes without needing a central controller to manage them.  The tiny robots, Kilobots, have very little intelligence (meaning computing power) individually and they don’t know much about their position relative to the whole of the swarm, yet they manage to communicate with their peers in order to create organized shapes when they receive a command from the researchers.  They know where they are in relation to the other robots near them, and they use this information to figure out what their role should be in forming the shape requested, rather than having some sort of central program with an overview of the whole telling them what to do.

The swarm research that’s being done at Harvard is directly relatable to the V2V technology that the NHTSA is pursuing.  Even if there is never a centralized tracking program implemented with V2V (which I posit there will be; it makes tracking easier for the government), there will be swarm behavior from these smart cars.  Swarm behavior already exists on our roads; it’s just that instead of a computer program making decisions, it’s human beings with limited awareness of the world around them.  We make the same sorts of decisions that V2V cars would be making constantly; we call it ‘driving’.  Most humans don’t have an overall view of the roads and what’s going on, though a lot of work has gone into developing apps to give us this awareness of traffic.

Part of what makes a swarm of cars interesting, and a little scary, is the concept of emergent properties, or the idea that the whole is greater than the sum of its parts.  This is exactly what’s going on with the Kilobots: the emergent properties of their intelligence mean that the whole is able to figure out how to form shapes without an individual Kilobot having to be told exactly where its place is in the grand scheme.  It’s up to the individual to do its best to conform to the needs of the whole to create the shape.  But while the emergent properties of the Kilobots were the end goal of the experiment, what happens when you design a swarm of cars without an emergent property in mind?

We’re in the beginning stages of understanding how a swarm does what it does.  How does a flock of birds really fly and wheel in unison?  How does a school of fish form and stick together?  How does a swarm of bees operate?  Maybe over the next 5-6 years we’ll have a better understanding of what makes these things work like they do, but will this understanding be applied to our vehicles?  The implications of a system of cars that have some sort of emergent property concerning how they enter, exit and move through traffic could be pretty severe, unintentionally creating gridlock and other safety concerns.  It could also work to alleviate the same gridlock in unforeseen ways, which makes the technology worth pursuing.

And then there are the sci-fi concerns, à la Maximum Overdrive.  Swarm behaviors plus smart cars could create a series of emergent properties that make our cars decide that the safest option is to not get on the road in the first place.  Or that it’s better to be in the middle of the swarm and keep driving instead of getting off at the proper exit.  Or a hundred other scenarios that science fiction authors have explored in depth multiple times.  It’s not that this sort of ending is a certainty, it’s more that it’s a possibility that has to be explored and prevented, rather than dismissed as an impossibility.


Jul 28 2014

“Your cons are just an excuse to drink and party”

Published under General, Humor, Social Networking

I’m sure we’ve all heard it before when trying to get approval to travel to conventions:  “This is just a boondoggle and you’re going to party the week away!”  Many people believe that the only thing that gets done at security conferences is that a lot of alcohol gets consumed and people get silly at night.  If you go by some of the things we talk about publicly, it’s no surprise that managers might believe that.  While there’s a little bit of truth in the accusations, the reality is that there’s so much more going on at conferences that we don’t talk about.

There are, obviously, the talks.  While I personally only attend two or three talks per conference, I know people who spend their entire day running from talk to talk and wish they had time to see more.  There’s a lot of research being revealed at Security Summer Camp, some of which is being seen for the first time there.  It’s valuable to know what’s up and coming, what’s new and interesting and what the trends are in the security field.  The talks given at conferences are one way to find out about all of these.

A second reason to attend conferences is the contacts.  Having connections amongst your peers is easily as important as having knowledge about your field when it comes to a career in security.  There’s too much going on to know everything, there are times when you’re going to need help, so creating and cementing the relationships that will help you over the course of a career are fundamental to your success.  This happens in the hallway track between sessions, this happens during lunches and dinners and this happens even more during the parties at night.  Conferences provide a means to be social with like minded individuals that simply doesn’t exist in many other venues.

And finally there’s the break from the daily routine to de-stress and relax a little.  We need to get away from the daily routine from time to time, it’s a fact of life and why we have vacations.  Conferences provide a similar function, but in addition they give us an opportunity to gain new perspectives on our routine and exchange ideas with others that can be incredibly valuable in dealing with the problems in our normal work environment.  That shift of focus can make all the difference in the world in how you tackle a problem when you return to the routine.

So, yes, the conference parties are what a lot of people think of when they hear us asking to go to a conference.  But they’re only a small part of what’s going on at the conference and even they serve an important role as a social lubricant.  Of course, that’s assuming that you’re safe and sane when drinking and don’t do something that’s going to get you in deep trouble back at the office.  There’s always a few people who don’t know when to stop at every conference.  Don’t be ‘that guy’.


Jul 27 2014

Balancing digital privacy

Published under General

I had an interesting conversation with a relative this week about privacy.  Which is, of course, why I’m writing about it on the blog.  The irony of the situation doesn’t escape me.  

“I’ve been listening to you and it’s made me very careful about what I put on the Internet.  I have almost no digital presence, I’ve used very little social media and what few accounts I do have are under pseudonyms, with no direct link to me.  When I do a Google search on my name, it turns up a few hits on me, then the rest of the results are of you and a friend of yours who shares my name.  The few results about me that do turn up are from competitions I was in when I was younger and I’m not directly tagged in any of the pictures.”

First of all, it’s good to know my family is listening, or at least one member of my family is.  They understand the importance of limiting what you make available on the Internet and have consciously taken steps to make sure that only the information that’s available is data they’ve decided is unavoidable and necessary.  But I have to wonder if they haven’t taken my advice too far and limited their footprint too much.

In this day, it’s important to have a presence on the Internet.  We know that businesses hiring new employees, colleges looking at potential candidates and even the people you might date or meet with search the Internet to learn about us as part of the process of dealing with strangers.  And while leaving a digital trail that’s littered with detritus about when we got drunk or stupid is a negative, having no evidence that you existed on the Internet is nearly as bad to some people and organizations.  If there’s nothing out there about you, while you may not have done anything wrong, there’s no evidence you’ve done anything right either.  And some people take a lack of presence as evidence that you’ve been up to no good.

My suggestion to my relative was to carefully cultivate a digital presence.  Make some of the positives of what you do available for people to find.  Use social media sparingly, but maintain a presence.  It’s okay to have opinions and put yourself out there, as long as you’re aware that what you say will be searchable for the foreseeable future of the Internet.  Be a real person, but be a person who controls the image they present to the world.  I was very careful to also point out that I might not be the best example of limiting your presence.

The conversation degenerated from there into creating a ‘digital persona’, a search engine friendly front that presents exactly what you want to the world and nothing more.  We all wondered about the ethics of creating a persona that’s carefully crafted for future job searches and dating.  No one in the family had a good answer for that one.


Jul 13 2014

Impostor syndrome

Published under General, Personal

What am I doing here?  When are they going to realize I don’t know what I’m doing?  How long until they fire me for faking it?  I don’t belong with these people, they’ve actually done something, while nothing I’ve done is remarkable or interesting.  I’m not worthy of this role, of being with these people, of even working in this environment.  I’m making it up as I go along and nothing I could do would ever put me on the same level as the people around me.  How did I end up here?

I know I’m not the only one who has these thoughts.  It seems to be common in the security community and not uncommon in any group of successful people.  It’s called ‘impostor syndrome’ and it’s often considered a sub-set of the Dunning-Kruger effect.  Basically it’s a form of cognitive dissonance where a successful person has a hard time acknowledging his or her success and overemphasizes the many mistakes everyone makes on a daily basis.  To put it simply, it’s the thought we all have from time to time that “I’m not good enough” writ large.

It’s not hard to feel this way sometimes.  In security, we create heroes and rock stars from within our community.  We look at the researchers who discover new vulnerabilities and put them on a stage to tell everyone how great their work is.  We venerate intelligence, we stand in awe of the technical brilliance of others and wish we could do what they do.  We all tend to wonder “Why can’t I be the one doing those things?”

It’s easy to feel like this, to feel you’re not worthy.  We know the mistakes we made getting to where we are.  We know how hard it was, how rocky the road has been, where the false starts and dead ends are and all the things we didn’t accomplish in getting to where we are.  When we look at other people we only see the end results and don’t see all the trials and tribulations they went through to get there.  So it’s all too common to believe they didn’t go through exactly the same road of mistakes and failure that we did.  As if they don’t feel just as out of their depth as we do.

I don’t think there’s a cure for impostor syndrome, nor do I think there should be.  We have a lot of big egos in the security community and sometimes these feelings are the only thing keeping them from running amok.  The flip side of impostor syndrome, illusory superiority, the feeling that you have abilities that far outstrip what you actually have, is almost worse than thinking you’re an impostor.  And I’d rather feel a little inadequate while working to be better than feel I’m more skilled than I am and stop working to get better.

If you feel like an impostor in your role as a security professional, I can almost guarantee you’re not.  The feeling of inferiority is an indicator that you think you’re capable of more and want to be worthy of the faith and trust those around you have put into you.  You might be faking it on a daily basis, making things up as you go, but the secret is that almost all of us are doing the exact same thing.  It’s when you know exactly what you’re doing day in and day out that you have to be careful to fight complacency and beware of illusory superiority.  It’s better to think you’re not good enough and strive for more than to think you’ve made it and are the best you can be.


Mar 05 2014

DDoS becoming a bigger pain in the …

Published under Cloud, General, Hacking, Risk

I’m in the middle of writing the DDoS section of the 2013 State of the Internet Report, which is something that makes me spend a lot of time thinking about how DDoS is affecting the Internet (it wouldn’t be all that valuable if I didn’t put some thought into it, now would it?).  Plus I just got back from RSA, where I interviewed DOSarrest’s Jag Bains and talked to our competitors at the show.  Akamai finally closed the deal on Prolexic about three weeks ago, so my new co-workers are starting to get more involved and becoming more available.  All of which means that there’s a ton of DDoS information available at my fingertips right now, and the story it tells doesn’t look good.  From what I’m seeing, things are only going to get worse as 2014 progresses.

This Reuters story captures the majority of my concerns with DDoS.  As a tool, it’s becoming cheaper and easier to use almost daily.  The recent NTP reflection attacks show that the sheer volume of traffic is becoming a major issue.  And even if volumetric attacks weren’t growing, the attack surface for application layer attacks grows daily, since more applications come on line every day and there’s no evidence anywhere I’ve ever looked that developers are becoming better at securing them (yes, a small subset of developers are, but they’re the exception).  Meetup.com is only the latest victim of a DDoS extortion scam, and while they didn’t pay, I’m sure there are plenty of other companies who’ve paid simply to make the problem go away without a fuss.  After all, $300 is almost nothing compared to the cost of a sustained DDoS on your infrastructure, not to mention the reputational cost when you’re offline.
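The NTP reflection attacks mentioned above have a recognisable signature from the victim’s side: a flood of UDP traffic with source port 123 arriving from many different servers, with no matching requests ever having left the network.  As an added illustration of the check a defender would run over flow data (example code written for this page, not code from the post, from Akamai or from Prolexic), the block below flags hosts that receive far more NTP-sourced traffic, from more distinct servers, than their own outbound NTP requests could explain.  The flow-record layout, the thresholds and the sample flows are all constructed for the example.

```python
"""Spot likely NTP reflection victims in flow records (added example).

The Flow layout, the thresholds and SAMPLE_FLOWS are constructed for
illustration; adapt the field names to whatever your collector exports.
"""
from collections import defaultdict
from dataclasses import dataclass

NTP_PORT = 123


@dataclass
class Flow:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str
    nbytes: int
    packets: int


# Constructed sample flows, not real captures.
SAMPLE_FLOWS = [
    # Normal NTP exchange: one 48-byte request from the client, one 48-byte reply.
    Flow("192.0.2.10", "198.51.100.5", 123, 123, "udp", 48, 1),
    Flow("198.51.100.5", "192.0.2.10", 123, 123, "udp", 48, 1),
    # Reflected traffic aimed at 192.0.2.99: several NTP servers answering
    # requests the victim never sent, with large replies.
    Flow("203.0.113.1", "192.0.2.99", 123, 40001, "udp", 48200, 100),
    Flow("203.0.113.2", "192.0.2.99", 123, 40001, "udp", 48200, 100),
    Flow("203.0.113.3", "192.0.2.99", 123, 40001, "udp", 48200, 100),
    Flow("203.0.113.4", "192.0.2.99", 123, 40001, "udp", 48200, 100),
    # Unrelated DNS lookup from the victim; must not influence the result.
    Flow("192.0.2.99", "198.51.100.53", 50000, 53, "udp", 64, 1),
]


def find_reflection_victims(flows, min_reflectors=3, min_ratio=10.0):
    """Return {victim_ip: stats} for hosts whose inbound UDP traffic sourced
    from port 123 comes from at least `min_reflectors` distinct servers and
    is at least `min_ratio` times the bytes they sent to port 123 themselves.
    A host that never sent an NTP request gets an infinite ratio."""
    bytes_in = defaultdict(int)      # bytes received from NTP source port
    pkts_in = defaultdict(int)       # packets received from NTP source port
    reflectors = defaultdict(set)    # distinct servers sending those bytes
    bytes_out = defaultdict(int)     # bytes the host sent to port 123

    for f in flows:
        if f.proto != "udp":
            continue
        if f.sport == NTP_PORT:
            bytes_in[f.dst] += f.nbytes
            pkts_in[f.dst] += f.packets
            reflectors[f.dst].add(f.src)
        if f.dport == NTP_PORT:
            bytes_out[f.src] += f.nbytes

    victims = {}
    for host, total in bytes_in.items():
        sent = bytes_out.get(host, 0)
        ratio = total / sent if sent else float("inf")
        if len(reflectors[host]) >= min_reflectors and ratio >= min_ratio:
            victims[host] = {
                "bytes_in": total,
                "packets_in": pkts_in[host],
                "reflectors": len(reflectors[host]),
                "amplification": ratio,
            }
    return victims


if __name__ == "__main__":
    for host, stats in find_reflection_victims(SAMPLE_FLOWS).items():
        print(host, stats)
```

The legitimate client (192.0.2.10) is left alone because it talked to a single server and received roughly what it sent, while 192.0.2.99 is flagged: four distinct NTP servers, 192,800 bytes inbound, and nothing outbound to port 123 at all.  The same per-host ratio and reflector-count logic applies to other UDP reflection sources (DNS, SSDP, CHARGEN) by changing the port.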

I’d hate to say anything like “2014 is the Year of DDoS!”  I’ll leave that sort of hyperbole to the marketing departments, whether it’s mine or someone else’s.  But we’ve seen a definite trend that the number of attacks is growing year over year at an alarming rate.  And it’s not only the number of attacks that is growing, it’s the size of the volumetric attacks and the complexity of the application layer attacks.  Sure, the majority of them are still relatively small and simple, but the outliers are getting better and better at attacking.  Those of us building out infrastructure to defend against these attacks are also getting better, but the majority of companies still have little or no defense against such attacks, and these aren’t the sort of defenses you can put in quickly or easily without a lot of help.

I need to get back to other writing, but I am concerned about this trend.  My data agrees with most of my competitors’: DDoS is going to continue to be a growing problem.  Yes, that’s good for business, but as a security professional, I don’t like to see trends like this.  I think the biggest reason this will continue to grow is that it’s an incredibly difficult crime to track back to the source; law enforcement generally doesn’t have the time or skills needed to find the attackers and no business I know of has the authority or inclination to do the same.  Which means the attackers can continue to DDoS with impunity.  At least the ones who are smart enough to not attack directly from their own home network, that is.


Jan 21 2014

Faking Safe Harbor compliance

Published under General

If you’ve ever had to deal with data privacy laws, then you’ve probably heard of the EU Safe Harbor framework.  It is basically a set of 7 basic guidelines (Notice, Choice, Onward Transfer, Security, Data Integrity, Access and Enforcement) that govern how any US company doing business in the EU will treat private information.  Doesn’t sound too bad, but the reality is that Safe Harbor is a bit of a pain to comply with, since there are different interpretations of the rules for nearly every country in the EU.  The rules in one country, say Italy, might be relatively short and easy to understand, while the rules in another, maybe Germany, might be long, complex and convoluted.  The general outline is the same for all countries, but they get to decide their own specific implementations.  You can see that this might make it a little hard to comply with the Safe Harbor framework, even though the laws all originate from the same framework.

So it doesn’t surprise me too much to find out that the Federal Trade Commission has announced that a dozen companies, including Level 3 and a few football teams (??), have violated the Safe Harbor rules.  According to Gigaom, the violations are technical in nature, rather than being willful violations.  This means they were probably tracking visitors using cookies in the wrong way or retaining information about their clients they shouldn’t have.  It wouldn’t take much, since in some countries an IP address can be considered personally identifiable information (PII) and retaining that information would be a violation.  On the other hand, I can fully believe that companies such as the accounting firms named in the violations knew they were keeping information they shouldn’t, but had to in order to perform the roles they’re paid to do.

I believe one of the points that’s easy to miss in the article is probably the most important: “US companies have been deceiving people by using out-of-date certification marks”.  In other words, these companies at one time had been self-certified or audited by a third party, but let this lapse and continued to do business and sell products by stating they were Safe Harbor certified.  If the FTC did an audit of their own records, made a list of the organizations that let their certifications lapse and then investigated those organizations, it would explain why these people made the list.  It would also be a warning shot across the bow for other companies that have let their compliance lapse, and an indicator that there are a lot more companies that might be facing scrutiny in the future.  If your company has Safe Harbor responsibilities, I’d definitely review your own compliance level.

I can almost guarantee that Safe Harbor will be getting a lot more attention this year than it has in the past.  The US is, and will be for some time to come, under the microscope by EU governments and organizations.  The NSA efforts uncovered by Snowden make this a given, just as they make the handwaving by the FTC a given.  This probably marks the first time that the FTC has taken Safe Harbor seriously in quite some time, but it won’t be the last.


Jan 05 2014

Much needed vacation

Published under General, Personal, Risk

I’m back after a two week self-enforced hiatus from all things security and work related.  For the last 14 days, I haven’t checked emails, I haven’t been on twitter, I haven’t checked the news, I haven’t read the news sites.  I’ve simply spent time with my family, played Minecraft, watched anime and eaten my way through the Christmas holidays.  And there were gifts in there somewhere as well.  Vacation started as a weekend in Munich, but the vast majority of it was spent at home near London with no deadlines, except a couple of shopping trips with the wife and kids.  All in all, it was one of the most relaxing times I’ve had in years.  And it was sorely needed.

All jobs are stressful to one degree or another; it’s just a fact of life.  But security is a more stressful job than most.  I’ve done a few panels with other security professionals talking about the stress we face, and we’ve done (okay, mainly folks like Jack Daniel and K.C. Yerrid have done) some research into it and found that our high stress is an actual fact, not just something we say to make ourselves feel more important.  Our chosen career is difficult to be good at, we’re constantly under multiple conflicting demands and it almost never slows down.  Is it any wonder that we feel stressed?

It’s almost a joke when you talk to security professionals about substance abuse in our industry.  It’s nearly expected of people to get stupid at conferences.  But it’s not a joke at all, something that was graphically illustrated by the loss of Barnaby Jack last year.  Substance abuse may not be an industry wide problem, but it’s definitely something that we need to be aware of.  I can think of at least half a dozen people who I’ve jokingly made comments about in the last couple of years who might be in real danger.  Most of them know they can come to me if they need support, but I know that’s the best I can do if they don’t want to change.  How many people do you know in a similar position?  Have you expressed concern or at least let them know you will help if they ask?

It’s not my place to get preachy or say I’m any better than anyone else, but I do think we need to be aware and check our own stress levels from time to time.  Let your friends in the industry know you’ll support them if they need help, but more importantly, know when you need to take a break and get away from the whole scene once in a while.  We do important work, but we can’t do it if we’re too wrapped up in our own problems to function properly.

Now to get caught up on two weeks of work emails.  Luckily, most of my co-workers took the Christmas holidays off, at least in part, so it won’t be quite as bad as it could be.
