STS Blog

Wrestling with the sun

September 23rd, 2009 by Jordan Del-Grande (Dedicated Page)

I once heard a friend describe big business or enterprise organisations as a big wheel that just keeps on turning. When you work within one of these large companies, she said, you only have two choices: 1. Voice your opinion, which is analogous to hurling yourself in front of the big turning wheel as it slowly crushes you; or 2. Go with the flow, which is analogous to stepping aside and letting the mammoth wheel pass you by unharmed. This little gem still rings true and has never let me down ;-)

This post is specifically dedicated to all those who, after spending many years within large companies trying their best to either kill the beast, conquer the beast, serve the beast, avoid the beast, confront the beast, or simply find the beast, have always failed.

Today is your lucky day my friend, for today the beast shall be unmasked – Note that I am not talking about the business that occurs within an organisation, I am referring to that eerie feeling you get upon waking on Monday mornings knowing you face another long 5 day slug-a-thon at the office – The beast is the cause of this existential dread.

Also, this post is about applying the above gem of knowledge appropriately so you don’t swing too far into indifference, which leads to sloth, torpor and, for the passive aggressive, repressed resentment.

You see, unfortunately for me (in the past), I viewed the beast of an organisation as some sort of system – It is most likely due to my computer science and information systems university background – Once you program in a language for a period of time, you begin to take this on as your world view and see the outside world as ones and zeros with variables and constants, etc. In the same sense, if you speak with a Buddhist monk, they may view the world as relatively dualistic with a pinch of infinity to create the world of maya.

Anyways, the point is, systems can be manipulated, they can be probed and, with enough time and smarts, hacked to one’s advantage. But the beast of an organisation is an enigma and is so well hidden it’s similar to a theologian trying to find God. Just when he thinks he has the case cracked, his thesis is splashed with an antithesis until someone comes along to find the synthesis. Unfortunately for them, the synthesis is just another name for a thesis and so the journey for God continues ad infinitum.

Arrggghhhh!!! I hear you say…If only I knew where this beast’s abode was, I would visit during the wee hours and slay him in his or possibly her bed. But alas, for this beast has no home, no sex and is beyond all your thoughts or scarier still is he, she, it behind them?

But before we get too carried away and either become paranoid or give up the ghost, I want to take you back to my mistake. I mistook the beast for a system, but in reality, the beast is not a system. So if it is not a system then what is it I hear you ask? If so, stupid questions will only result in stupid answers…

A better question would be why the beast?

Asking why is a great (and necessary) tool for finding the root cause of any situation. It is the best and possibly only tool for finding the unequivocal crux of the matter in a timely fashion.

To the best of my knowledge, the reason the beast appears to exist is that it stems from a manifestation of evil people’s opinions. I specifically use the word evil here because evil begets evil and good begets good. They are, always were, and always will be mutually exclusive. So yes, it is right in saying evil minds produce evil opinions (which originate from evil hearts).

Note that we are no longer in the world of tangibles. We have crossed over from something we may have initially thought was tangible (i.e., we wanted to stick a knife in it) and are now in the realm of the intangible. In this realm, things can easily become confusing as this realm has a different set of laws. That’s why metaphors really help in getting the message across, so here it goes…

Upon awaking one day, a man notices that it’s an overcast day. He hates gloomy days because they make him feel gloomy too. This morning is different for the man because he has decided to take this matter up with the shiny pie in the sky. Today is his day to wrestle with the sun.

There is no point going any further with this story as we know it is absurd and the man is an idiot. Not only for letting the weather dictate his mood, but the idea that wrestling with the sun could change the atmosphere.

You see, people who try and do blah to the beast are just like the man who tried to wrestle the sun. Whatever is the case, the atmosphere just is what it is. And if you haven’t figured it out yet, the atmosphere is the beast. It is the mood which is created by ignorant people’s opinions. Their egoistic attitudes are directly in conflict with your egoistic attitude, causing that grating feeling of angst also known as disharmony. This disharmony is the cause of your routine morning existential angst, resulting in you chasing a mirage. You see, the beast does not truly exist. It is a figment of your egotistic mind’s creation. Please note, it’s there, but whatever is created must also end, and as such, the beast can end too.

So now going back to the wheel analogy at the beginning of this post, I would like to reinvent the view of the wheel and add some specificity as an addendum to close out this post…

If you are not the General Manager or CEO, my advice is to take option 2 every time. When recruiters call and offer great jobs that appear greener, please remember that the wheel is a pandemic – it is a monist pantheistic wheel – It’s an epidemic of disproportionate scales where you can never escape (as long as you work with other ignorant people). So once again, although you know yourself and what you feel to be right, know it, but go with the flow.

If you are a General Manager or CEO, my advice is that actions speak louder than words. Just as the Government would drop a bomb to clean up a breakout of an infectious disease that has gotten out of control, so too, you must step up and root out all the individuals affected with this disease. Bringing on new and fresh people prior to the extermination will only infect your new help, so if they are brought on early, ensure they are appropriately quarantined. Anything less than this simply does not work.

Information Security Syndrome

September 15th, 2009 by Jordan Del-Grande (Dedicated Page)

Today’s post is an attempt to coin a new psychological response that is often seen within Enterprises, specifically in the Information Security Zealot – It is meant to be taken light-heartedly, but with a serious lesson to take away at the end – So without further ado, if you currently display the following conditioned responses you are hereby classified as an individual suffering from Information Security Syndrome:

- You are incapable of mingling outside the security clique due to the obvious fact everyone on the outside is suffering from some form of security “ignorance”. As such, they [the non-security personnel] would be incapable of understanding the intricacies of your stealthy security work, and any attempt to explain your “advanced” job would be futile. Simply by applying the thin slicing techniques you mastered from your security ways [also cannot be discussed], you have perfected the art in knowing that they will never understand the true essence of what you do.

- At social events you have been dragged along to by your partner, outsiders keep telling you information about themselves they shouldn’t. You know it wouldn’t be elite of you if you were to use this information against them, so you politely inform them about phishing exploits, Facebook worms, social engineering and the like. Oh no, you’ve again performed another security faux pas and are trapped talking to these newbies about security 101, like patching your system and firewalls [oh, so 2001].

- You are certain that everyone else has somehow gotten it wrong and every day is an amazing feat to wake up and discover the world hasn’t ended in a cyberwar that is imminently about to happen. Thank God for hackers publishing unpatched exploits to make the world a safer place and annual retreats to Black Hat and Defcon to lift your spirits.

- Life and work are not about reducing risks to an acceptable level; they are about eliminating all vulnerabilities and tinkering with the latest bleeding edge coolest tools if possible.

- If your job were a metaphor, other people would describe you as a stage gate or an angry police officer best left alone. You know deep down you are fighting the good fight and tough guys don’t cry.

- At every security conference, everyone so gets you and you so get them. There is an unbelievable amount of head nodding going on, you’re amazed they simply don’t fall off.

- In the office you are forever getting pummelled by the ever increasing sea of threats and yet nobody sees or understands quite what you are talking about. There is an unbelievable amount of head shaking going on, you’re amazed they simply don’t fall off.

- You make abusive calls to people who have spyware, malware, viruses on their laptop and who so foolishly jacked into your LAN [Note, not the corporate LAN as you now are the official caretaker - self appointed]. You request they immediately remove the laptop from the network and hang up without any further support – After all, you’re a secret crime fighter and have other fires to fight – To the bat cave.

- You know very well that the most efficient solution to reducing phishing is to call CERT and have them immediately bring down the hacked site. But if you went and did that, how would you ever get a chance to try out the latest phishing kits or reverse engineer code and show how cool and smart you are? Your quest for knowledge and cyberdome wisdom far outweighs the common person’s problems.

- You can make moral choices on other people’s behalf because you are a security demi-god.

—–
OK, OK, that’s enough of my attempts at humor to belittle and poke fun at the ever hilarious security zealot. I hope the above didn’t upset anybody, but at least it calls out some home truths about when good intentions don’t result in good outcomes…


One issue that came to mind when writing this, and that I also find extremely interesting, is the current disconnect between security and the rest of the population (i.e., real world). Reading any recent security whitepaper or report, visiting security blogs, or attending any recent security conference only reiterates that the state of cybercrime is alarming. So why is it that [in a proportion of cases], only the security zealot cares?

Why isn’t this information concerning ever new emerging threats and constantly changing risks being communicated to the people it impacts and who are also in charge of the purse strings and can do something about it [CEO, CFO, CIO, COO, etc]?

In order to answer this question, I am going to turn it around on you. It is up to you to honestly look firstly at yourself and then your team. Have you the right information in the right format for your audience? Have you the right personality and right attitude for your audience?

As a recommendation in resolving this pandemic, raising the issue to be discussed by an appropriate representative, such as the CISO, at a board level would be worthwhile if you had the above boxes ticked off.

Good luck!

The Three A’s

April 21st, 2009 by Jordan Del-Grande (Dedicated Page)

Recently I have been contemplating what makes some people successful and others unsuccessful. I am not merely talking about a person’s position within an organisation – If I were, then this would be a very shallow definition of success – After all, if it were merely wealth, position or honours, then success is based only on our external world and this would be purely superficial. If you do not agree with this statement then think about the following examples:

- An individual is hired within a large company three tiers from the top in a well-respected position. Leveraging psychological testing, previous employment and the interview, the person is now known as passive and is clearly too inexperienced to fulfil the role. They get hired because the person who hired them, their boss, intentionally chose this person, as they want to remain unaccountable. The boss is content on leaving the company running as is until their retirement, and especially on the executive pay packet they are receiving. They also need a fall guy to remain in such a cushy position if things ever went pear shaped prior to their planned ejection.

- An individual finally becomes appointed an executive manager of a company at the expense of friends and family. They materially achieve everything above and beyond what they set out to acquire, but they are left feeling alienated with a greater sense of void within when not stressed at wits end.

Would you consider the above people successful? The first initially thinks they are successful, but soon realises they are in too deep and cannot control their surroundings – The job title no longer matters when they realise they are just a pawn – The other reaches their potential at the cost of quality of life.

Obviously the above examples are missing something fundamental to be good examples of success. Looking closely at it, each exemplifies the success of something external – either the company or an external party – but where is the success for the individual? Taking these examples more personally, this post is about asking the question of what makes you a success?


Mind – Body Coordination

December 12th, 2008 by Jordan Del-Grande (Dedicated Page)

Reviewing a number of blogs, articles, etc., I noticed that there are a number of people in the security field who move from being skeptical, and at times cross over into being just plain cynical. I have also seen a post on Slashdot where someone asked, “Are IT Security professionals less happy as their job teaches them to focus on the negative side of life?”. See http://ask.slashdot.org/askslashdot/08/08/24/1731228.shtml

This post is about addressing these issues, but could be expanded so as to be used for many more life situations, instead of IT Security. But of course, that choice is up to you…

In order to understand where the people above have gone off track, we need to have a clear(er) understanding of what a person is made up of (i.e., mind and body). I am of the understanding that the ancient and modern arts, sciences, religions, etc. address enough about the mind-body system to help people. The only constant is some people get it, the above ones have not, and this is not a rarity. Not surprising considering the pluralistic society in which we live.

It’s not necessarily anybody’s fault – I don’t think we should see it in the light of right and wrong here – but just accept that we as humans are accountable for our own actions, and deciding between positive skepticism and negative cynicism is a choice, much like choosing to walk in the sun or walk in the shade. Other articles may discuss art, science experiments, religious beliefs, etc., but this article is about going straight to the source of the problem. You.

If you do not believe you are accountable for your own actions, or where you are in your life today, then you’re living in a delusional world. This post will mean nothing to you so you should probably just not bother reading beyond this point. If you agree you are accountable for your own actions, if you want to be alert and positive because you are aware the householder does not know at what hour the burglar will come then you should read on.

You may think that if it’s as easy as choosing to be positive instead of negative then I’ll just choose to be positive. People can say this and some just do it, but others end up going back to their old ways. Others who have been negative for a long period would most likely find it difficult to change their ways immediately and could employ a defense mechanism and say things like, “it’s got nothing to do with me”, or “that’s just stupid, I know what I am doing, case closed”.

Now is the point where I have to call out that the following is going to get a little deep. The difference, I hope, is that I do not want to be esoteric, so no haiku or parable. This is what I perceive to be simple logical steps that got me to this point. I am not pushing any “new age” idea or religion because, as I have said previously, the answers have already been provided in different formats. I just want to make it plain to you and put in simple terms what I believe is known by many names such as “mind-body coordination”, “mind-body alignment”, etc., but are most likely all the same thing. When you read the below you could categorise parts as Buddhist meditation, Zen, Taoism or say no, that’s ki, chi or qi fundamentals. Preferably, if you are going to make any judgement, then call it psychology.

At this juncture, I think it is best if I just get to the point and give you the answer (as best as I understand it to be). As they say, a picture is worth a thousand words…

[Diagram: Mind Force]

From the diagram, in short, mind moves the body. The mind (conscious/subconscious) directs intention, which guides your action; this leads to a bodily response that is interpreted by bodily senses, which the mind (conscious/subconscious) is aware of.

As an easy example, let’s grab the coffee cup on the table. The mind says “grab the cup on the table”, the intention is generated by mind force guiding the arm to “grab the cup on the table”. Note that this is all non-physical or spiritual to this point. The arm reaches out and grabs the cup. The eyes see the cup has been grabbed and the fingers feel the cup in the hand and they relay this to the nervous system. Note that this section is physical to this point. Awareness of what just occurred is back in the non-physical realm.

If only life were so easy! I guess naming a few problems that occur in our daily lives, just to illustrate why life can be complicated, is in order. See how many you do…

  1. Instead of the mind generating an intention, the mind generates images known as your imagination. Freud would have called this Cathartic Energy. It occurs when your id or instinctual mind drives the idea like punching someone who has just made you angry, but your morals tell you otherwise. The energy has already been generated so must pass somewhere. As the super ego has blocked the intent, you instead imagine giving the guy one of your best beatings (using a Freudian world view).
  2. The mind generates an intention but it is not a clear intention. As such, the body is guided down a different path than what was initially intended. Have you ever said to someone you love, “look, I know what I did, but that wasn’t my intention?”.
  3. The mind generates a clear intention but you have bodily problems/limitations where you cannot physically achieve the desired response. Most people who dabble in sports would understand and relate to this one. That is, you cannot drive like Tiger Woods or dunk like Michael Jordan.
  4. The mind generates a clear intention but there is nerve damage and the response is misinterpreted and/or not interpreted at all by the body.

You may have noticed that each of the above points is a breakdown in the arrows within the diagram. From this point forward I will be focusing on point 2. If you can achieve point 2 then point 1 will eventually dissipate to occurring only rarely. Points 3 and 4 are physical issues that require either more training, acceptance of your genetic makeup or specialised medical assistance which I cannot help you with.

If you have made it this far, thank you. You are about to get to the interesting part so let’s begin with a question. If your mind has a desired intention, but after executing the action your awareness tells you something different from the original intention then which one is telling you the truth? Your Mind or your Awareness? Don’t cheat! Think about it…

For those who said Awareness, give yourselves a pat on the back. Not too much of a slap as you are only half right. The other half of the story is although awareness is more truthful than the mind, it is only a relative truth. To find the absolute truth is beyond the realm of this post as I am keeping the post only in the epistemological realm. 

For those who said Mind, I am sorry to say that your ego is lying to you. It wasn’t the body’s fault as it is guided by your intention. It wasn’t your intention’s fault as it is generated by the mind. That’s right, that shadow lurking in the corner is your ego and she is a tricky little minx.

So what’s this got to do with “mind-body coordination” I hear you ask? Well, if you can align your mind, intention and body in order to achieve the desired action (as interpreted by your awareness), then you have achieved mind-body coordination/alignment. I do prefer this type of terminology as no-mind appears to me as a misnomer and/or misleading – It would be better to say ‘little idea’ with everything else empty (i.e., non-cluttered mind).

So how would someone apply this in their daily life so as to remain positive (healthy skepticism) instead of negative (self-centered cynicism)? My advice is to keep it simple. Ask yourself regularly, how am I feeling right now at this point in time? If you feel good and relaxed you’re on the right track. If not, it’s your mind that’s off track, so try again. Remember to keep saying to yourself there is always a better way. And when making decisions, don’t use your head, remember to ask yourself what does your gut tell you. Make sure to act on it and stop daydreaming.

If you would like to take this further or hone your skill set, my suggestion is that you get yourself involved in something you enjoy doing and practice the above. I personally use the above in my martial arts training as I am involved in an intentional martial art (i.e., internal/soft). I have found that on this path of discovery (which is still going), these things I learn in class spill out to my daily life. They make me a better person and hopefully it can do the same for you. Maybe you can discover like me how mind-body coordination just naturally results in selfless altruistic behaviour. Of course, as I am at a junior level, my ego trips me up every now and then more than I would like, but at least now I have the right tools to get back on the right path.

Now, referring back to the Slashdot article listed above. Here is where the author is off track…

“(His job) constantly teaches him to focus on the negative side of life” – No, being negative or positive is a choice. Blaming your job for the fact you have chosen to be negative (even if 99.9% of the population may do it) is a cop-out. It is the mind projecting its negative intent onto an object. The object in this case being your job.

“As an auditor I search for errors that others have made and haughtily tell them” – Being haughty is a form of pride. Need I remind anyone of the seven deadly sins? Again, if you are choosing to be selfish instead of selfless, this is, at its basic layer, choosing to be negative instead of positive.

“As a penetration tester I break systems that system engineers and administrators have laboriously built” – If the system admin was that laborious then I guess you wouldn’t really have broken in without some social engineering tactics. If you did, why would you be negative about this? You possibly found a new 0-day and could earn some extra money or help vendors code better systems by reporting it.

“I assume inside threats and have to be professionally suspicious.” – Really? Where is it written that we have to be professionally suspicious? If it’s on a security card somewhere, cool, where can I order one? I would say that it would be better to be cautious rather than distrustful. Wouldn’t you agree that as a security professional it is better to be on your guard?

“The security mindset surely helps me in my job” – Agree, me too.

“but is it good for me on the long run?” – In 100 years when you are dead and buried what is it going to matter? Stop being so precious about yourself.

“What kind of influence has being an IT security professional had on your general attitude towards life?” – Me personally, I am stronger for it. You, I am not so sure about.

“What helps you stay out of pessimism and cynicism?” – Making the conscious choice of choosing to think and do positive things. Stop blaming everything else around you and begin by asking yourself what you may be doing wrong.

“Is protecting existing things really as good as building new ones?” - All depends on what you are protecting and also what you are building.

“I always have to think about risks and identify all sorts of things that could go wrong.”  - That’s your job. There is no reason to be negative about it as it’s actually a pretty cool thing to get paid for.

I apologise in advance to the author of the Slashdot article if he takes offense to what I have written. But honestly, the truth hurts (when you are in the wrong), but you were the one who asked for a response. My advice is that if you are suffering in your current situation then you are thinking the wrong way. Changing your employer or your vocation won’t help you as this will not solve the core of the problem. You asked for help and if you understand what I am talking about in this post then the smartest thing you can do is laugh it off.

Note: Any “positive” comments on the above would be much appreciated as there could possibly be more arrows or more boxes in the above diagram, something that is incorrect, or requires further clarification…

Note: In the second paragraph, the person could be made up of more than mind-body, such as heart, soul, spirit, etc., but that is outside the scope of the above topic. Please keep all comments within the epistemological realm.