(Note: To be up front, two things to bear in mind: 1) Yes, my talk was selected for this track. 2) I started this piece before selections were announced but held off on publishing until after selection announcements were made as I wanted to see how things played out.)

For the first time, the RSA Conference US 2015 has added a track for crowdsourced talks (original announcement). This track provided an opportunity for submissions to be voted on by the population at large (not just registered attendees), which I found to be very cool. For me, it provided a great opportunity to see if my proposed talk title resonated with people.

Overall, I'm very excited about this opportunity and advancement. The process wasn't perfect by any means (see Britta Glade's reflective post on changes for next year), but overall the outcome appears to me to be a good selection of new talks.

Of course, there were a couple nits, including active ballot stuffing (see one submitter's "theoretical" description - unsurprisingly, his 4 talks held top-5 ranking on the leaderboard throughout voting... and he's not on the final speaker list).

What I found most egregious, however, was the dearth of vendor talks, many of which failed to even try to appear like something other than shilling (I mean, come on Ken Levine, do you seriously expect us to believe you'd give a talk on "why DLP sucks" and not distinguish "except for my company" given your position as CEO of a DLP company?). This is why we can't have nice things. What was created as an opportunity for talks to be included in the program that might not otherwise get noticed or accepted ended up looking like a race between vendors to see whose marketing team and customer base could stuff the ballot box better. *sigh*

The good news is that the judges did an excellent job following through and making sure that selected talks represent a reasonable value proposition (no shilling!) for attendees. Big kudos to the judges for not being afraid to dive down into the vote rankings to pull out what appears to be a really awesome list of presentations (here's the final list).

Now it's up to attendees to help make this track truly successful! I hope that everyone registered to attend the conference will come spend some time in the crowdsourced track to support speakers, whether you voted for them or not. If you want to have your voices heard, then participation and support for innovating new approaches is critical!

I look forward to catching up with everyone in San Francisco. I'll be there Tues-Thurs (including, of course, speaking at 9:10am PT on Thursday). Ping me on twitter (@falconsview) if you want to coordinate crossing paths. :)

RSA 2015: A Quick Trip

Just a quick note, mainly to let you all know that I'm still alive and that this blog will start having content again soon. First, though, I'm finishing getting up-to-speed on things in my new gig with K12.

In the meantime, I am pleased to announce that I will be at RSA US 2015 in April, at least for a few days. I'm flying out to San Francisco on Tuesday, April 21st, and will plan to stay through at least Thursday, if not Friday morning.

Toward that end, you can help me out (a LOT) by voting for my crowdsourced talk submission. To read full details and indicate your support (please!:), go here: Automate or Die! How to Scale and Evolve to Fix Our Broken Industry.

Leaving Gartner, Joining K12

Today, Friday the 13th, is my last day with Gartner. I've been onboard for almost exactly 21 months now and have learned quite a few things about how the analyst world works. But... it's time for a change. It's time to get back to more of a field role where I can feel like I'm making a difference, seeing the needle move little by little. This is something you don't typically get to see as an analyst because, out of the hundreds of interactions you have each year, /maybe/ 10% result in some form of feedback, and only a small portion of that feedback is particularly meaningful.

On Monday I start my new role as security architect with a local, public company - K12. They're a leading provider of online education services, which I find interesting and exciting. In many ways, this will be a green field opportunity for me, working as part of an enterprise architecture (EA) team as they pivot into more of a DevOps style approach. More than anything I'm greatly looking forward to getting back to more hands-on work where I can see the fruits of my labors.

I'll be reviving this blog in the coming weeks as I start to get my feet wet with various projects. I'll also be putting up a couple retrospective posts about my time as an analyst. I've received a handful of queries from folks interested in working for the company, and so one of these posts will specifically target that audience.

Overall, I'm very much looking forward to the new opportunity! I can't wait to see how well my theories play in the real world. There are lots of exciting options to be pursued here, ranging from security analytics to risk analytics to SecDevOps automation. :) Now to see what sticks and what doesn't!! :)

From January 2015...

As you've undoubtedly heard by now, President Obama renewed calls for increased cybersecurity legislation, all apparently because Sony Pictures Entertainment (SPE) got hacked? If you've not heard, check out the mainstream press coverage here...

Continue reading here...

From January 2015...

Now that we can soundly close the book on 2014, it's perhaps a good time to take a quick think back as we consider our best path forward. 2014 was indeed the year of infosec insanity, based on the sheer number of large breaches, number of breaches, number of "major, earth-shattering" vulnerability disclosures, etcetera etcetera etcetera (if you didn't read that last bit in the voice of the King of Siam, then check it out here).

Continue reading here...

From December 2014...

I was awoken around 5am post-Thanksgiving Saturday by multiple text messages from Facebook instructing me to click a link and enter a code to reset my password. It seems someone decided to try and take over my account. This led me to conclude that now would be a good time to quit putting off enabling 2-factor authentication (2FA) for my account. What should have been a very simple process was complicated (slightly) by a degree of true derpitude: in order to enable 2FA for my account, Facebook first insisted that I change my browser configuration (or use a different browser) that wasn't set to clear cookies after each session.

Continue reading here...

GBN: Recent GTP Security Research

From November 2014...

Before resuming delving into any philosophical meanderings about infosec or info risk mgmt, I wanted to first highlight some recent research for you all. All of the following require a GTP subscription (go here to contact us if you're interested in getting access).

Continue reading here...

GBN: Updating GTP's DLP Coverage

From November 2014...

It's been a couple years since the last update of our DLP coverage. In the process of updating it this go-round, I'll be taking the reins from Anton Chuvakin and picking up primary coverage of DLP for the SRMS team. In addition to revising the existing documents (Enterprise Content-Aware DLP Solution Comparison and Select Vendor Profiles and Enterprise Content-Aware DLP Architecture and Operational Practices - GTP subscription required), we'll also be spinning off a foundational document that can be referenced when getting started with a project.

Continue reading here...

On Depression and Burnout...

Preface: Screw the taboo, I'm gonna talk about this! Rarely, if ever, are we able to talk about "uncomfortable" topics like depression, but they're real, they're serious, and I would wager that if we would just talk about these things a little bit, then others who are going through (or have gone through) similar experiences might find some comfort.

There are few things that feel so good as returning to a normal life of happiness after suffering through a bout of depression. Thankfully, for me, such things are a rare occurrence, but I know that for some it's an ongoing struggle. The last time (prior to this Summer) that I dealt with depression was 2002 when I moved across country from Montana to Harrisburg, PA, leaving my wife behind because we couldn't afford to make a full move, seeing her once in ~5 months. Back then, it might have been the loneliness, the constant state of being broke, or maybe just general diet and exercise issues (or a combination of them all), but it was my first time dealing with depression, and it wasn't really until some months after emerging from that dark state that I even realized what it was I'd been going through.

This Summer marked a return to that dark place, and lemme tell ya, it was not enjoyable. Thank goodness for a tolerant and understanding wife and a handful of amazing friends who didn't give up on me and helped me find the light at the end of the tunnel. I don't know what it was that put me into the funk. I had returned home from 4 weeks on the road, 2 of which being spent on vacation with the family. I came back to an empty house, having left the wife+kids behind in Minnesota to visit with the extended family. I was absolutely dreading the 2nd week of that 2-wk period because I knew I wasn't going to be able to keep myself busy. I digress...

As I said, it's unclear what the trigger was... Was it the prospect of loneliness? Was it exhaustion from all the travel? Was it exhaustion as I recovered from pneumonia (diagnosed in late June)? Was it a result of no exercise and a complete breakdown in my diet? Was it work stress? Was it something else altogether? I'll never know for certain, but what I do know is this: It sucked, it was miserable, and it happens to more people than you might realize.

For those who don't perhaps know me all that well, I'm an extrovert. I thrive off being around people. I need socialization for my energy. I also try very hard to be a nice guy. I like joking with people, teasing people, and just generally trying to be fun and funny. While I'm not obsessed with being liked by everyone, I am cognizant of the emotional aura people project toward me, and - depending on the day - that may influence me one way or the other in terms of general happiness.

The point here, though, is that I'm not naturally a frump (despite what some might think after pointed email exchanges). I'm generally full of energy and try to push forward through concerns, challenges, etc, etc, etc. So, when I fell into the pit of despair, suffice to say that it swallowed me whole and threatened to keep me forever.

If you've not dealt with depression, then here's an idea of what it's like:

  • You have no energy whatsoever. Even the most minor/trivial of tasks (including eating and sleeping!) are exhausting and often seem insurmountable. Getting out of bed is nearly impossible. You want to sleep all the time. Yet, contrary to this feeling, you can't sleep, or at least your sleep is incredibly uneasy and non-restful/non-recuperating.

  • Everything is shit. If you've heard the phrase "viewing life through rose colored glasses," then shift that to being "through black-death-tinted glasses." All the positives in life? Gone/forgotten. Ever had fun? Can't recall. The job? It sucks. Life? It sucks. Friends? Meh. Family? Meh. You believe, truly and deeply, that your life has been a waste, that you're just taking up space+resources on this planet, and you just don't think you belong anywhere. (If you're not seeing where this line of thinking potentially goes, then you're not trying hard enough.)

  • Everything is a failure. Related to the last point, but noteworthy... nothing you do is good/successful/worthwhile. Reaching out to friends? Fail. At best, they tolerate you, and at worst they hate you. Trying to relate to family? You're misunderstood and unloved. Trying to do your job? You suck and are on the verge of being fired. Note that this all applies to perceptions and not to reality. Perception is so much more important and powerful than reality... as we see time and time again with depression, politics, and mass marketing...

The key point to all of this is that the harsh, dark feelings are very, very, very real to the person experiencing them, no matter what reality may actually be. And, no matter what you (as friend or family) say, there's really no changing these feelings, which can be /incredibly/ frustrating for friends and family. For more on what it's like being depressed, see this excellent article on Huffington Post, "9 Things Only People With Depression Can Truly Understand," which perfectly captures some of the feelings and challenges associated with depression.

Soooo... how did I finally snap out of it? Honestly, I don't know for certain, but I have a few ideas...

  • First and foremost, my wife and close friends continued to provide support throughout the episode without deriding me.

  • Second, I got my diet and exercise back on track (this was hugely important with the 2002 episode as well).

  • Third, work-related stress abated (a little bit, anyway). In part, this came from a former manager telling me "Ben, you're a good analyst." Just being told this phrase (backed by performance numbers) did a world of good as up to this point I'd felt like I was failing completely. I also finally broke through on a project that had been plaguing me the entire time, though the breakthrough could arguably be linked to my recovery, too.

  • Fourth, better quality sleep returned. I think this relates significantly to diet and exercise.

  • Fifth, my T levels bounced back dramatically (see this article about the impact of low T in men, often contributing to depression). This may seem like a trivial thing, but it plays heavily into energy levels, at least for men.

Breaking free from the funk is a wonderful feeling. Sure, it hasn't been all sunshine and puppy dogs since the initial breakthrough, but for the most part things have been fine. There are still down days, and I feel very vulnerable to getting tipped back into the pit of despair (as nearly happened on Sunday/Monday after receiving a rude email at work). But, for the most part... things are better.

It's really a hard sensation to describe. I quite literally feel like a switch flipped and overnight I went from dark depression to elation (which, in itself, is a dangerous shift, since extremes can swing both directions). My goal is to get onto and stay with my diet and exercise, and to work diligently to find the positives in life. And, to quote Dylan Thomas, I hope to rage against the dying of the light... to push forward toward those positives that make my life good, and try to steer clear of those things that detract from that goal.

Do not go gentle into that good night,
Old age should burn and rave at close of day;
Rage, rage against the dying of the light.

"Do not go gentle into that good night"

Dylan Thomas, 1914 - 1953

Job Opportunity: Secure Mentem

Hey folks! Secure Mentem is hiring! If you have any interest in working in a top-notch org doing security awareness as a service, then this is it! Details below:

Secure Mentem is looking for skilled security awareness practitioners to help serve our growing customer base from the Fortune 500 and beyond. The people will be expected to implement our patent-pending methodology of creating awareness programs, and providing the required level of support in implementing and maintaining the resulting programs.
You will use our proprietary assessment tools to determine the organizational culture and business driver, and then working with our team, design the customized program. Should there be a security awareness manager (SAM) in place, you will work to make that person look brilliant. If there is no SAM, then you will provide the defined level of support to help implement and maintain the program. You may also be called on to help clients with independent awareness efforts such as program design, implementation, internationalization, metrics, phishing program implementation, creating and/or staffing events, social engineering, content development, and other tasks associated with security awareness programs. Experience in multiple organizations and multiple industry sectors preferred.
Secure Mentem focuses on the human aspects of security. We pride ourselves on providing comprehensive security awareness solutions that are tailored to our clients' culture and the organization.
To apply, please send your resume, with a cover letter, to Samantha@securementem.com.

This blog is licensed under a Creative Commons License.