Perimeter
8/26/2012
04:45 PM
Mike Rothman
Commentary

Winning By Losing

Employers and customers will take everything you have to give, and then ask for more. You can bitch about it, or you can say no -- the choice is yours

I have a good friend whose son plays baseball. The son just moved from rec ball at the local park to a pretty serious team. They practice four times a week, have a few optional (but not really optional) practices on the off days, and play in tournaments over the weekends a few times a month. The coach is a 20-year retired Air Force guy, and his approach is all about discipline, fundamentals, and achievement. Each of the kids needs to earn his way onto the field. Nothing is given to them.

Only 75 percent of the kids take the field in each tournament. The other kids sit and root for their teams. At first that seemed a little harsh because the kid is only 12. But when I heard about the focus on discipline and fundamentals and the opportunity to get on the field through hard work and performance, I get it. And I like it. Because that's the way life is.

Let's use an analogy from the NFL. This upcoming week is the last week of the off-season and that means roster cut downs. Some guys (maybe 50 percent of the preseason roster) have significant guaranteed money or are key veterans, so they'll make the team unless they get hurt. The other 40 fight for maybe 10 available spots on the 53-man roster. They've got to bring it in every practice and film study session. They earn their right to be on the field for the games through hard work and performance. If they don't perform, then you can bet there is someone else waiting to take their spot.

That's life. You always have someone coming up behind you, working his ass off every day to be where you are. If you don't meet your employer or customer's needs, someone else sure will. And you'll be gone. That's how market-based economies work, and that's not going to change.

What does this have to do with security? And why does this concept get me hacked off? Because some folks don't understand about making choices. A little Twitter fight broke out recently over the increasing trend to start conferences on Sunday. Obviously that impinges on the weekend and maybe on family time. Some folks whined about it. Others told them to stop whining, that it's not unreasonable to expect that executives (warranting six-figure salaries) at times need to travel on Sundays. We've been talking about burnout in security for years. This isn't a new issue.

It's all about choices. I don't blame the conference organizers. If they can maximize revenue by having a day of training on Sunday, then why wouldn't they? If people are going to show up, then Mr. Market says to meet the demand. I don't blame companies that will take everything their employees have to give. And then ask for more. That's what companies do -- why is that a surprise?

The issue is that some folks don't know where to draw the line. Maybe they are too scared by that guy coming up from behind to say no. In this kind of economy, it's hard to say no. In fact, I know because there was a time when I was that scared guy, with a big mortgage and a young family and a demanding job. I attended a monthly weekend management meeting, which killed my Saturday. I answered the phone at all hours of the night to deal with "situations." I'd get to work early and stay late, to make sure my car was in the parking lot when the CEO would be checking. I'd travel on Sundays. I'd miss ballgames.

But I always had a line. I don't miss birthdays. I don't miss annual physicals for the kids. I don't miss school conferences. I certainly don't miss my wedding anniversary. Sure, I work for a small company and am responsible for my own schedule, so it's easier for me now. But I did the same stuff when I worked for bigger companies. I drew the line. If someone asked me to cross that line, then I said no.

I made my choices and maybe that adversely impacted my job security at certain jobs. I was OK with that. In reality, it was my sparkling personality that was a much bigger issue for my employers than my unwillingness to miss stuff at home. It's tough to find that balance, and I've struggled with it since I got married. To be clear, I work a lot, as do my partners Rich Mogull and Adrian Lane, but we work when it makes sense for our lives and our families. We're willing to lose the deal in order to win at the things that are more important to us. Rich blogged about his priorities a few weeks back. And we respect those priorities.

To further clarify, there are times when you need to do the work. Like when I was involved in the potential sale of my company. I worked late every night for two weeks and criss-crossed the country trying to get a deal done. Or if you do incident response and find the bad guys in your stuff, you work until the problem is solved. As long as that doesn't happen every week, it's fine. Again, you have to know where to draw the line.

And you know what else? I stopped worrying about the guy coming up from behind. He's always there. You need to accept that. There will always be someone trying to take your job, win your customers, break into your stuff, and steal your data. If they take my spot because I wasn't willing to fly somewhere and miss my kid's birthday, I'm OK with that. It's not a place I want to work anyway. It's not a customer I want to work with. You need to understand what you're willing to do and what you're not.

Making tough choices. Exercising free will. It's not easy, but instead of bitching about the unfairness of it all, maybe just say no. Set the boundaries and be clear with your employer and/or your customers about what you will and what you won't do. Understand they may choose to work with someone who will meet their unreasonable (in your opinion) expectations. And someday you'll realize you were better because they did. In the long run, you can win by losing.

Mike Rothman is President of Securosis and author of The Pragmatic CSO. Mike's bold perspectives and irreverent style are invaluable as companies determine effective strategies to grapple with the dynamic security threatscape. Mike specializes in the sexy aspects of security, like protecting networks and endpoints, security management, and ...
