Leaving the Comfort Zone

Jumping out of one’s comfort zone

Early in my career, I had seemingly regular opportunities to learn new skills and technologies. It was interesting, for sure, and sometimes challenging, but rarely in ways that I would consider the least bit scary or risky. It was just plain fun.

Several years into my career, I found that my learning curve was steepening. I was apparently seen to have some good skills, and the small company that employed me saw fit to thrust me into new situations with little supervision. This included teaching computing classes to county commissioners, being responsible for obtaining computers half a world away for international conferences (in the 1980s this was no mean feat), and being asked to attend client executive business meetings to explain the software that my company had provided – or to explain yesterday’s outage.

Then came public speaking. My first real speaking gig was in 1988, where a colleague and I were presenting to a large audience. Before PowerPoint, producing slides for a presentation was difficult. You PowerPoint weenies have it way too easy.

That first speaking gig was a disaster. A real train wreck. I was beyond nervous. I’m sure it showed. But at least I knew it was a clear fail. And I was determined to not let that happen again.

As luck would have it, just weeks later a friend of mine mentioned his local Toastmasters club. I had heard of Toastmasters, and feeling the sting of my recent public speaking failure, I jumped at the chance.

The next year at Toastmasters was hard work. I had terrible bad habits and no good ones. My club consisted of really seasoned speakers, including local city officials and business owners. Really senior guys. Safe and friendly. But full of criticism, of the constructive kind.

I was nervous in all of my Toastmaster speeches. I was really terrible but desperately wanted to improve. I had a glimpse of my career’s future where I would be speaking before audiences again, but I was determined to never fail like that again.

A few short years later, I was asked to teach Unix concepts and skills to co-workers in semi formal classroom settings. I prepared and was less nervous. I did okay.

A few years after that, I was invited to speak at a global user conference on the business benefits of some software products. I did this two years in a row, and even recorded promotional testimonial videos for the company. I’m not sure whether they were ever used, though.

A couple of years later, opportunities to speak at conferences began. First it was once a year, then twice a year. These were great learning opportunities. Generally I did well, and slowly accumulated experience and added skills. I felt like I was going places. Not big places, but places nonetheless.

Last year I had the opportunity to keynote a regional security conference. I had the freedom to select my speaking topic, at least. But this was the first time I was formally introduced to a big stage before hundreds. Moreover, this was in my city, where probably half the audience knew me by first name.

No pressure.

Riiiight.

My animation acted up a bit, but I delivered.

Eight weeks later, I had another keynote opportunity to an even larger audience, around 800. Yes, I was nervous. But I delivered fairly well. This was the first time I had “comfort monitors” (the big monitors down in front that I could look at, as opposed to turning around to look at the big screens behind me).

Wait, isn’t this supposed to be about my comfort zone? Well yes, it has been all along.

Virtually all of my speaking gigs take me out of my comfort zone. Some, a little; others, quite a bit.

Two weeks ago, my boss’s boss called me up and asked if I would be interested in a speaking gig in Ottawa. I told him, sure, sign me up.

Then we hung up. And I thought about it. And I realized, I don’t even know what I’ll be speaking about, to whom, or in what context. That was okay.

Yes, it was okay. Given the perspective of many years now, I realize that I thrive at the very edge, and often beyond, the boundaries of my comfort zone.

Public speaking is not the only context where I do this. In fact, every day when I’m asked to talk with a client, partner, or colleague, I almost never know what the conversation is going to be about. I might be praised in one conversation, bitched out in another, and asked my opinion in another.

So what am I getting at here? Please be patient, I’m getting to it. This is not a rehearsed piece, but written stream of consciousness, much like an impromptu talk. Other than misspellings in mid-sentence, I’m not editing this. These are my thoughts. Peter H Gregory unplugged.

For me this has been a great ride, the past few decades. I never know what’s around the corner. And that’s okay.

Those who know me know that I talk in metaphors a lot. Maybe too much. I liken my public speaking to bungee jumping. A few moments of terror, but what a ride. Only in my case, the chances of imminent death are remote. Embarrassment, or humiliation with no way out? Absolutely. In any of my talks, whether keynote, small session, executive briefing, or a university class, I could blow it at any time and be a buffoon or worse.

It hasn’t happened since that first conference, many many years ago.

And it keeps happening. Today at 3:30pm I found out that I have to give an executive briefing tomorrow morning to a group of colleagues I’ve never met in person. Do I know exactly what I’m going to be talking about? Somewhat. Am I nervous? Yes, somewhat. Will it be okay? Probably.

In high tech, if you want to grow, you’ve got to live on the edge of your comfort zone. Or near the edge anyway. Close enough so that you can see over the edge and see what potential failure looks like. Or gaze upward toward the brilliant blue sky and see what potential success looks like.

It’s worth it.

State University Gives Copies of Security Career Books to Students

Earlier this year, Georgia State University asked me to speak at an information session for students in its Master of Science in Information Systems (MSIS) program. Students needed to choose their study concentration; my job was to describe the information security profession to them so that they could decide whether to elect the security concentration or one of two other concentrations.

The university gave all of its MSIS students a copy of one of my recent books, Getting an Information Security Job For Dummies. University officials recognized that the book accurately describes the profession, how professionals can learn more about it, the career choices within it, and the steps someone can take to get into it.

After my talk, university officials informed me that twenty-five students elected to pursue the information security concentration. This was greater than they expected, and they were pleased with the outcome. They expressed their gratitude to me for the time I took to describe the profession to them and answer their questions.

Will 2016 Be The Year Of The Board?

This year has exploded out of the gate, starting on Jan 4 (the first business day of the year) with a flurry of activity. Sure, some of this is just new budget money that is available. However, I’m seeing a lot of organizations in my part of the world (California, Oregon, Washington, Idaho, Montana, Alberta, British Columbia, and Alaska) asking for help on the topic of communicating to executive management and the board of directors.

It’s about time.

Really, though, this makes sense. Boards of directors aren’t interested in fads in business management. They rely upon their tried-and-true methods of managing businesses through board meetings, audit and risk committees, and meetings with executives. Until recently, board members perceived information security as a tactical matter not requiring their attention. However, with so many organizations suffering from colossal breaches, board members are starting to ask questions, which is a step in the right direction.

Let me say this again. Board members’ asking questions is a big sign of progress. And it doesn’t matter, mostly, what those questions are. It’s a sign they are thinking about information security, perhaps for the first time. And they’re bold enough to ask questions, even if they fear they are asking stupid questions.

The National Association of Corporate Directors (NACD) has an excellent publication on the topic of boards of directors’ attention to information security, called the Cyber Risk Oversight Handbook. Last I checked, a soft copy is free. Whether you are a board member or an infosec staffer, I highly recommend this for your reading list in early 2016.

Neat Receipts Has Forgotten (or never knew) How to Earn Customer Loyalty

I’ve been a happy user of Neat Receipts for years, having purchased one of their portable scanners. It has worked pretty much trouble-free on PCs and Macs since I purchased it. But that was all about to change.

I upgraded my Mac to El Capitan a couple of months ago, and today needed to scan some diagrams that I’ll be using in an upcoming book. The Neat software did not recognize the scanner, so I went through the usual troubleshooting, including special steps on the Neat website for El Capitan users. Still, no luck.

I went to Neat’s customer support page, and found that their chat function was working (today is Saturday). I discussed the matter with the support rep, who asked me for the model of my scanner (it’s NR-030108). The rep told me that this model was no longer supported and would not work any longer. Oh great. I asked whether there was any kind of a trade-in allowance, and he answered that there was not.

So, Neat has obsoleted my scanner. I can get over it – it’s a part of the regular improvements in information technology. I get that. But Neat is offering nothing in order to keep me as a customer. There is nothing keeping me from considering other good products, such as the Fujitsu ScanSnap S1100i, for instance. In fact, the Fujitsu is a little less expensive, it works with Mac, does everything I need, and has a slew of good online reviews.

Apparently Neat is going to just let me walk.

Security: Not a Priority for Retail Organizations

Several years ago, VISA announced a “liability shift” wherein merchants would be directly liable for credit card fraud on magstripe card transactions. The deadline for this came and went in October 2015, and many merchants still didn’t have chip reader terminals. But to be fair to retailers, most of the credit/debit cards in my wallet are magstripe only, so it’s not ONLY retailers who are dragging their feet.

My employment and consulting background over the past dozen years revealed plainly to me that retail organizations want to have as little to do with security as possible. Many, in fact, even resist being compliant with required standards like PCI DSS. For any of you who are unfamiliar with security and compliance, in our industry, it is well understood that compliance does not equal security – not even close to it.

I saw an article today, which says it all. A key statement read, “There is a report that over the holidays several retailers disabled the EMV (Chip and Pin) functionality of their card readers. The reason for this? They did not want to deal with the extra time it takes for a transaction. With a standard card swipe (mag-swipe) you are ready to put in your pin and pay in about three seconds. With EMV this is extended to roughly 10 seconds.” Based on my personal and professional experience with several retail organizations, I am not surprised by this. Most retailers just don’t want to have to do security at all. You, shoppers, are the ones who pay the price for it.

IT Lacks Engineering Discipline and Rigor

Every week we read the news about new, spectacular security breaches. This has been going on for years, and sometimes I wonder if there are any organizations left that have not been breached.

Why are breaches occurring at such a clip? Through decades of experience in IT and data security, I believe I have at least a part of the answer. But first, I want to shift our focus to a different discipline, that of civil engineering.

Civil engineers design and build bridges, buildings, tunnels, and dams, as well as many other things. Civil engineers who design these and other structures have college degrees, and they hold a license called Professional Engineer. In their design work, they carefully examine every component, calculate the forces that will act upon it, and size it accordingly to withstand the expected forces, with a generous margin for error to cover unexpected circumstances. Their designs undergo reviews before their plans can be called complete. Inspectors carefully examine and approve plans, and they examine every phase of site preparation and construction. The finished product is inspected before it may be used. Any defect found along the way, from drawings to final inspection, results in a halt in the project and changes in design or implementation. The result: remarkably reliable and long-lasting structures that, when maintained properly, provide decades of dependable use. This practice has been in use for a century or two and has held up under scrutiny. We rarely hear of failures of bridges, dams, and so on, because the system of qualifying and licensing designers and builders, together with design and construction inspections, works. It’s about quality and reliability, and it shows.

Information technology is nothing like civil engineering. Very few organizations employ formal design with design review, or inspection of components, during the development of networks, systems, and applications. The result: systems that lack proper functionality, resilience, and security. I will explore this further.

When organizations embark to implement new IT systems – whether networks, operating systems, database management systems, or applications – they do so with little formality of design, and rarely with any level of design or implementation review. The result is “brittle” IT systems that barely work. In over thirty years of IT, this is the norm that I have observed in over a dozen organizations in several industries, including banking and financial services.

In case you think I’m pontificating from my ivory tower, I’m among the guilty here. Most of my IT career has been in organizations with some ITIL processes like change management, but utterly lacking in the level of engineering rigor seen in civil engineering and other engineering disciplines. Is it any wonder, then, when we hear news of IT project failures and breaches?

Some of you will argue that IT does not require the same level of discipline as civil or aeronautical engineering, mostly because lives are not directly on the line as they are with bridges and airplanes. Fine. But be prepared to accept losses in productivity due to code defects, unscheduled downtime, and security breaches. If security and reliability are not a part of the design, then the resulting product will be secure and reliable only by accident, not by intent.

So Long, Microsoft, And Thanks For All The Fish

Word Version 1.1a

I have been using Microsoft software since 1985 when I purchased Microsoft Word and Microsoft Multiplan for my new Zenith Z160 “portable” PC. I’ve used Word continuously for thirty years at home, at work, as a university instructor, and as a published author.

I wrote my first three books in FrameMaker, a superior but far more expensive word processor ($500 per user in 1998), as required by my publishers at the time. But by the early 2000s most had moved to Word, since Microsoft had sufficiently closed the feature gap.

I’m coming to realize that this weekend might be the last time I use Microsoft software – at home anyway (I use a PC running Windows 7 and Office for work).

Zenith Z160 portable computer

I ordered a new MacBook Pro yesterday, and it will arrive on Monday. The MBP comes with Apple’s versions of office programs, called Pages, Keynote, and Numbers. Next week I will try them out on my university teaching and on my current writing project. If it goes all right and I figure out all of the subtle differences, I will probably not purchase Office for the new Mac.

Part of this comes down to economics. Office for Mac costs $150 or more, and the same programs from Apple cost $20 apiece (if you don’t have a new Mac that came with them), or free with your Mac since some time in the past year or two.

I’ll post a review of Pages, Keynote, and Numbers in a month or so after I’ve been using them a while.

Still, I can’t help but feel somewhat nostalgic, as I’ve had Word with me nearly all of my adult life. But as the dolphins exclaim in Hitchhiker’s Guide to the Galaxy, “So long, and thanks for all the fish.”