Perimeter
8/26/2012
04:45 PM
Mike Rothman
Commentary

Winning By Losing

Employers and customers will take everything you have to give, and then ask for more. You can bitch about it, or you can say no -- the choice is yours

I have a good friend whose son plays baseball. The son just moved from rec ball at the local park to a pretty serious team. They practice four times a week, have a few optional (but not really optional) practices on the off days, and play in tournaments over the weekends a few times a month. The coach is a 20-year retired Air Force guy, and his approach is all about discipline, fundamentals, and achievement. Each of the kids needs to earn his way onto the field. Nothing is given to them.

Only 75 percent of the kids take the field in each tournament. The other kids sit and root for their teams. At first that seemed a little harsh because the kid is only 12. But when I heard about the focus on discipline and fundamentals and the opportunity to get on the field through hard work and performance, I get it. And I like it. Because that's the way life is.

Let's use an analogy from the NFL. This upcoming week is the last week of the off-season and that means roster cut downs. Some guys (maybe 50 percent of the preseason roster) have significant guaranteed money or are key veterans, so they'll make the team unless they get hurt. The other 40 fight for maybe 10 available spots on the 53-man roster. They've got to bring it in every practice and film study session. They earn their right to be on the field for the games through hard work and performance. If they don't perform, then you can bet there is someone else waiting to take their spot.

That's life. You always have someone coming up behind you, working his ass off every day to be where you are. If you don't meet your employer or customer's needs, someone else sure will. And you'll be gone. That's how market-based economies work, and that's not going to change.

What does this have to do with security? And why does this concept get me hacked off? Because some folks don't understand about making choices. A little Twitter fight broke out recently over the increasing trend to start conferences on Sunday. Obviously that impinges on the weekend and maybe on family time. Some folks whined about it. Others told them to stop whining, that it's not unreasonable to expect that executives (warranting six-figure salaries) at times need to travel on Sundays. We've been talking about burnout in security for years. This isn't a new issue.

It's all about choices. I don't blame the conference organizers. If they can maximize revenue by having a day of training on Sunday, then why wouldn't they? If people are going to show up, then Mr. Market says to meet the demand. I don't blame companies that will take everything their employees have to give. And then ask for more. That's what companies do -- why is that a surprise?

The issue is that some folks don't know where to draw the line. Maybe they are too scared by that guy coming up from behind to say no. In this kind of economy, it's hard to say no. In fact, I know because there was a time when I was that scared guy, with a big mortgage and a young family and a demanding job. I attended a monthly weekend management meeting, which killed my Saturday. I answered the phone at all hours of the night to deal with "situations." I'd get to work early and stay late, to make sure my car was in the parking lot when the CEO would be checking. I'd travel on Sundays. I'd miss ballgames.

But I always had a line. I don't miss birthdays. I don't miss annual physicals for the kids. I don't miss school conferences. I certainly don't miss my wedding anniversary. Sure, I work for a small company and am responsible for my own schedule, so it's easier for me now. But I did the same stuff when I worked for bigger companies. I drew the line. If someone asked me to cross that line, then I said no.

I made my choices and maybe that adversely impacted my job security at certain jobs. I was OK with that. In reality, it was my sparkling personality that was a much bigger issue for my employers than my unwillingness to miss stuff at home. It's tough to find that balance, and I've struggled with it since I got married. To be clear, I work a lot, as do my partners Rich Mogull and Adrian Lane, but we work when it makes sense for our lives and our families. We're willing to lose the deal in order to win at the things that are more important to us. Rich blogged about his priorities a few weeks back. And we respect those priorities.

To further clarify, there are times when you need to do the work. Like when I was involved in the potential sale of my company. I worked late every night for two weeks and criss-crossed the country trying to get a deal done. Or if you do incident response and find the bad guys in your stuff, you work until the problem is solved. As long as that doesn't happen every week, it's fine. Again, you have to know where to draw the line.

And you know what else? I stopped worrying about the guy coming up from behind. He's always there. You need to accept that. There will always be someone trying to take your job, win your customers, break into your stuff, and steal your data. If they take my spot because I wasn't willing to fly somewhere and miss my kid's birthday, I'm OK with that. It's not a place I want to work anyway. It's not a customer I want to work with. You need to understand what you're willing to do and what you're not.

Making tough choices. Exercising free will. It's not easy, but instead of bitching about the unfairness of it all, maybe just say no. Set the boundaries and be clear with your employer and/or your customers about what you will and what you won't do. Understand they may choose to work with someone who will meet their unreasonable (in your opinion) expectations. And someday you'll realize you were better because they did. In the long run, you can win by losing.

Mike Rothman is President of Securosis and author of The Pragmatic CSO. Mike's bold perspectives and irreverent style are invaluable as companies determine effective strategies to grapple with the dynamic security threatscape. Mike specializes in the sexy aspects of security, like protecting networks and endpoints, security management, and ...
