Leaving Gartner, Joining K12

Today, Friday the 13th, is my last day with Gartner. I've been onboard for almost exactly 21 months now and have learned quite a few things about how the analyst world works. But... it's time for a change. It's time to get back to more of a field role where I can feel like I'm making a difference, seeing the needle move little by little. This is something you don't typically get to see as an analyst because, out of the hundreds of interactions you have each year, /maybe/ 10% result in some form of feedback, and only a small portion of that feedback is particularly meaningful.

On Monday I start my new role as security architect with a local, public company - K12. They're a leading provider of online education services, which I find interesting and exciting. In many ways, this will be a green field opportunity for me, working as part of an enterprise architecture (EA) team as they pivot into more of a DevOps style approach. More than anything I'm greatly looking forward to getting back to more hands-on work where I can see the fruits of my labors.

I'll be reviving this blog in the coming weeks as I start to get my feet wet with various projects. I'll also be putting up a couple retrospective posts about my time as an analyst. I've received a handful of queries from folks interested in working for the company, and so one of these posts will specifically target that audience.

Overall, I'm very much looking forward to the new opportunity! I can't wait to see how well my theories play in the real world. There are lots of exciting options to be pursued here, ranging from security analytics to risk analytics to SecDevOps automation. :) Now to see what sticks and what doesn't!! :)

From January 2015...

As you've undoubtedly heard by now, President Obama renewed calls for increased cybersecurity legislation, all apparently because Sony Pictures Entertain (SPE) got hacked? If you've not heard, check out the mainstream press coverage here...

Continue reading here...

From January 2015...

Now that we can soundly close the book on 2014, it's perhaps a good time to take a quick think back as we consider our best path forward. 2014 was indeed the year of infosec insanity, based on the sheer number of large breaches, number of breaches, number of "major, earth-shattering" vulnerability disclosures, etcetera etcetera etcetera (if you didn't read that last bit in the voice of the King of Siam, then check it out here).

Continue reading here...

From December 2014...

I was awoken around 5am post-Thanksgiving Saturday by multiple text messages from Facebook instructing me to click a link and enter a code to reset my password. It seems someone decided to try and takeover my account. This led me to conclude that now would be a good time to quit putting-off enabling 2-factor authentication (2FA) for my account. What should have been a very simple process was complicated (slightly) by a degree of true derpitude: in order to enable 2FA for my account, Facebook first insisted that I change my browser configuration (or use a different browser) that wasn't set to clear cookies after each session.

Continue reading here...

GBN: Recent GTP Security Research

From November 2014...

Before resuming delving into any philosophical meanderings about infosec or info risk mgmt, I wanted to first highlight some recent research for you all. All of the following require a GTP subscription (go here to contact us if you're interested in getting access).

Continue reading here...

GBN: Updating GTP's DLP Coverage

From November 2014...

It's been a couple years since the last update of our DLP coverage. In the process of updating it this go-round, I'll be taking the reins from Anton Chuvakin and picking up primary coverage of DLP for the SRMS team. In addition to revising the existing documents (Enterprise Content-Aware DLP Solution Comparison and Select Vendor Profiles and Enterprise Content-Aware DLP Architecture and Operational Practices - GTP subscription required), we'll also be spinning off a foundational document that can be referenced when getting started with a project.

Continue reading here...

On Depression and Burnout...

Preface: Screw the taboo, I'm gonna talk about this! Rarely, if ever, are we able to talk about "uncomfortable" topics like depression, but they're real, they're serious, and I would wager that if we would just talk about these things a little bit, then others who are going through (or have gone through) similar experiences might find some comfort.

There are few things that feel so good as returning to a normal life of happiness after suffering through a bout of depression. Thankfully, for me, such things are a rare occurrence, but I know that for some it's an ongoing struggle. The last time (prior to this Summer) that I dealt with depression was 2002 when I moved across country from Montana to Harrisburg, PA, leaving my wife behind because we couldn't afford to make a full move, seeing her once in ~5 months. Back then, it might have been the loneliness, the constant state of being broke, or maybe just general diet and exercise issues (or a combination of them all), but it was my first time dealing with depression, and it wasn't really until some months after emerging from that dark state that I even realized what it was I'd been going through.

This Summer marked a return to that dark place, and lemme tell ya, it was not enjoyable. Thank goodness for a tolerant and understanding wife and a handful of amazing friends who didn't give up on me and helped me find the light at the end of the tunnel. I don't know what it was that put me into the funk. I had returned home from 4 weeks on the road, 2 of which being spent on vacation with the family. I came back to an empty house, having left the wife+kids behind in Minnesota to visit with the extended family. I was absolutely dreading the 2nd week of that 2-wk period because I knew I wasn't going to be able to keep myself busy. I digress...

As I said, it's unclear what the trigger was... Was it the prospect of loneliness? Was it exhaustion from all the travel? Was it exhaustion as I recovered from pneumonia (diagnosed in late June)? Was it a result of no exercise and a complete breakdown in my diet? Was it work stress? Was it something else altogether? I'll never know for certain, but what I do know is this: It sucked, it was miserable, and it happens to more people than you might realize.

For those who don't perhaps know me all that well, I'm an extrovert. I thrive off being around people. I need socialization for my energy. I also try very hard to be a nice guy. I like joking with people, teasing people, and just generally trying to be fun and funny. While I'm not obsessed with being liked by everyone, I am cognizant of the emotional aura people project toward me, and - depending on the day - that may influence me one way or the other in terms of general happiness.

The point here, though, is that I'm not naturally a frump (despite what some might think after pointed email exchanges). I'm generally full of energy and try to push forward through concerns, challenges, etc, etc, etc. So, when I fell into the pit of despair, suffice to say that it swallowed me whole and threatened to keep me forever.

If you've not dealt with depression, then here's an idea of what it's like:

  • You have no energy whatsoever. Even the most minor/trivial of tasks (including eating and sleeping!) are exhausting and often seem insurmountable. Getting out of bed is nearly impossible. You want to sleep all the time. Yet, contrary to this feeling, you can't sleep, or at least your sleep is incredibly uneasy and non-restful/non-recuperating.

  • Everything is shit. If you've heard the phrase "viewing life through rose colored glasses," then shift that to being "through black-death-tinted glasses." All the positives in life? Gone/forgotten. Ever had fun? Can't recall. The job? It sucks. Life? It sucks. Friends? Meh. Family? Meh. You believe, truly and deeply, that your life has been a waste, that you're just taking up space+resources on this planet, and you just don't think you belong anywhere. (If you're not seeing where this line of thinking potentially goes, then you're not trying hard enough.)

  • Everything is a failure. Related to the last point, but noteworthy... nothing you do is good/successful/worthwhile. Reaching out to friends? Fail. At best, they tolerate you, and at worst they hate you. Trying to relate to family? You're misunderstood and unloved. Trying to do your job? You suck and are on the verge of being fired. Note that this all applies to perceptions and not to reality. Perception is so much more important and powerful than reality... as we see time and time again with depression, politics, and mass marketing...

The key points to all of this is that the harsh, dark feelings are very, very, very real to the person experiencing them, no matter what reality may actually be. And, no matter what you (as friend or family) say, there's really no changing these feelings, which can be /incredibly/ frustrating for friends and family. For more on what it's like being depressed, see this excellent article on Huffington Post, "9 Things Only People With Depression Can Truly Understand," which perfectly captures some of the feelings and challenges associated with depression.

Soooo... how did I finally snap out of it? Honestly, I don't know for certain, but I have a few ideas...

  • First and foremost, my wife and close friends continued to provide support throughout the episode without deriding me.

  • Second, I got my diet and exercise back on track (this was hugely important with the 2002 episode as well).

  • Third, work-related stress abated (a little bit, anyway). In part, this came from a former manager telling me "Ben, you're a good analyst." Just being told this phrase (backed by performance numbers) did a world of good as up to this point I'd felt like I was failing completely. I also finally broke-through on a project that had been plaguing me the entire time, though the breakthrough could arguably be linked to my recovery, too.

  • Fourth, better quality sleep returned. I think this relates significantly to diet and exercise.

  • Fifth, my T levels bounced back dramatically (see this article about the impact of low T in men, often contributing to depression). This may seem like a trivial thing, but it plays heavily into energy levels, at least for men.

Breaking free from the funk is a wonderful feeling. Sure, it hasn't been all sunshine and puppy dogs since the initially breakthrough, but for the most part things have been fine. There are still down days, and I feel very vulnerable to getting tipped back into the pit of despair (as nearly happened on Sunday/Monday after receiving a rude email at work). But, for the most part... things are better.

It's really a hard sensation to describe. I quite literally feel like a switch flipped and overnight I went from dark depression to elation (which, in itself, is a dangerous shift, since extremes can swing both directions). My goal is to get onto and stay with my diet and exercise, and to work diligently to find the positives in life. And, to quote Dylan Thomas, I hope to rage against the dying of the light... to push forward toward those positives that make my life good, and try to steer clear of those things that detract from that goal.

Do not go gentle into that good night,
Old age should burn and rave at close of day;
Rage, rage against the dying of the light.

"Do not go gentle into that good night"

Dylan Thomas, 1914 - 1953

Job Opportunity: Secure Mentem

Hey folks! Secure Mentem is hiring! If you have any interest in working in a top-notch org doing security awareness as a service, then this is it! Details below:

Secure Mentem is looking for skilled security awareness practitioners to help serve our growing customer base from the Fortune 500 and beyond. The people will be expected to implement our patent-pending methodology of creating awareness programs, and providing the required level of support in implementing and maintaining the resulting programs.
You will use our proprietary assessment tools to determine the organizational culture and business driver, and then working with our team, design the customized program. Should there be a security awareness manager (SAM) in place, you will work to make that person look brilliant. If there is no SAM, then you will provide the defined level of support to help implement and maintain the program. You may also be called on to help clients with independent awareness efforts such as program design, implementation, internationalization, metrics, phishing program implementation, creating and/or staffing events, social engineering, content development, and other tasks associated with security awareness programs. Experience in multiple organizations and multiple industry sectors preferred.
Secure Mentem focuses on the human aspects of security. We pride ourselves on providing comprehensive security awareness solutions that are tailored to our clients' culture and the organization.
To apply, please send your resume, with a cover letter, to Samantha@securementem.com.
Things That Aren't Risk Assessments
In my ongoing battle against the misuse of the term "risk," I wanted to spend a little time here pontificating on various activities that ARE NOT "risk assessments." We all too often hear just about every scan or questionnaire described as a "risk assessment," and yet when you get down to it, they're not.

Continue reading here...

A few highlights of new research...

New Research: Security in a DevOps World
Hot off the presses, new research from Sean Kenefick and me titled "Security in a DevOps World," which is available to Gartner for Tech Professionals subscribers at www.gartner.com/document/2725217.

Continue reading here...

My Other Pages

Support Me

Support EFF

Bloggers' Rights at EFF

Recent Comments

  • Danniel: SANS Top 20 controls are not controls. Its like a read more
  • Ben: I hope that it's not so dire. I think there read more
  • Tunde: The question at the back of mind now is: How read more
  • Dan Raywood: I met you at the Barracuda party, introduced myself with read more
  • Ben: Hi Jack, Thanks for the comment. I've read the context read more
  • Jack Whitsitt: Ben - while you're correct in almost all of your read more
  • Ben: Hi Amith, This review is now near 4 years old. read more
  • Amith Sarma: Hi Ben, A very valuable feedback on the book. Thanks. read more
  • Ben: Hmmm, thanks for catching that, Rob! I was going off read more
  • Robert David Graham: Minor correction: Dell was founded in 1984, not 1994. read more
Creative Commons License
This blog is licensed under a Creative Commons License.
Powered by Movable Type 5.2.10