Perimeter
8/26/2012
04:45 PM
Mike Rothman
Commentary

Winning By Losing

Employers and customers will take everything you have to give, and then ask for more. You can bitch about it, or you can say no -- the choice is yours.

I have a good friend whose son plays baseball. The son just moved from rec ball at the local park to a pretty serious team. They practice four times a week, have a few optional (but not really optional) practices on the off days, and play in tournaments over the weekends a few times a month. The coach is a 20-year retired Air Force guy, and his approach is all about discipline, fundamentals, and achievement. Each of the kids needs to earn his way onto the field. Nothing is given to them.

Only 75 percent of the kids take the field in each tournament. The other kids sit and root for their teams. At first that seemed a little harsh because the kid is only 12. But when I heard about the focus on discipline and fundamentals and the opportunity to get on the field through hard work and performance, I get it. And I like it. Because that's the way life is.

Let's use an analogy from the NFL. This upcoming week is the last week of the off-season, and that means roster cutdowns. Some guys (maybe 50 percent of the preseason roster) have significant guaranteed money or are key veterans, so they'll make the team unless they get hurt. The other 40 fight for maybe 10 available spots on the 53-man roster. They've got to bring it in every practice and film study session. They earn their right to be on the field for the games through hard work and performance. If they don't perform, then you can bet there is someone else waiting to take their spot.

That's life. You always have someone coming up behind you, working his ass off every day to be where you are. If you don't meet your employer's or customer's needs, someone else sure will. And you'll be gone. That's how market-based economies work, and that's not going to change.

What does this have to do with security? And why does this concept get me hacked off? Because some folks don't understand about making choices. A little Twitter fight broke out recently over the increasing trend to start conferences on Sunday. Obviously that impinges on the weekend and maybe on family time. Some folks whined about it. Others told them to stop whining, because it's not unreasonable to expect executives (who command six-figure salaries) to travel on Sundays at times. We've been talking about burnout in security for years. This isn't a new issue.

It's all about choices. I don't blame the conference organizers. If they can maximize revenue by having a day of training on Sunday, then why wouldn't they? If people are going to show up, then Mr. Market says to meet the demand. I don't blame companies that will take everything their employees have to give. And then ask for more. That's what companies do -- why is that a surprise?

The issue is that some folks don't know where to draw the line. Maybe they are too scared by that guy coming up from behind to say no. In this kind of economy, it's hard to say no. In fact, I know because there was a time when I was that scared guy, with a big mortgage and a young family and a demanding job. I attended a monthly weekend management meeting, which killed my Saturday. I answered the phone at all hours of the night to deal with "situations." I'd get to work early and stay late, to make sure my car was in the parking lot when the CEO would be checking. I'd travel on Sundays. I'd miss ballgames.

But I always had a line. I don't miss birthdays. I don't miss annual physicals for the kids. I don't miss school conferences. I certainly don't miss my wedding anniversary. Sure, I work for a small company and am responsible for my own schedule, so it's easier for me now. But I did the same stuff when I worked for bigger companies. I drew the line. If someone asked me to cross that line, then I said no.

I made my choices and maybe that adversely impacted my job security at certain jobs. I was OK with that. In reality, it was my sparkling personality that was a much bigger issue for my employers than my unwillingness to miss stuff at home. It's tough to find that balance, and I've struggled with it since I got married. To be clear, I work a lot, as do my partners Rich Mogull and Adrian Lane, but we work when it makes sense for our lives and our families. We're willing to lose the deal in order to win at the things that are more important to us. Rich blogged about his priorities a few weeks back. And we respect those priorities.

To further clarify, there are times when you need to do the work. Like when I was involved in the potential sale of my company. I worked late every night for two weeks and criss-crossed the country trying to get a deal done. Or if you do incident response and find the bad guys in your stuff, you work until the problem is solved. As long as that doesn't happen every week, it's fine. Again, you have to know where to draw the line.

And you know what else? I stopped worrying about the guy coming up from behind. He's always there. You need to accept that. There will always be someone trying to take your job, win your customers, break into your stuff, and steal your data. If they take my spot because I wasn't willing to fly somewhere and miss my kid's birthday, I'm OK with that. It's not a place I want to work anyway. It's not a customer I want to work with. You need to understand what you're willing to do and what you're not.

Making tough choices. Exercising free will. It's not easy, but instead of bitching about the unfairness of it all, maybe just say no. Set the boundaries and be clear with your employer and/or your customers about what you will and what you won't do. Understand they may choose to work with someone who will meet their unreasonable (in your opinion) expectations. And someday you'll realize you were better because they did. In the long run, you can win by losing.

Mike Rothman is President of Securosis and author of The Pragmatic CSO. Mike's bold perspectives and irreverent style are invaluable as companies determine effective strategies to grapple with the dynamic security threatscape. Mike specializes in the sexy aspects of security, like protecting networks and endpoints, security management, and ...
