The Military Has Given Me a New Coping Tool

Through my work in the information security industry, I’ve come to appreciate a decision-making cycle created by military strategist and U.S. Air Force Colonel John Boyd called the OODA Loop (observe–orient–decide–act).

It was designed as a combat operations process but has become more widely applied to commercial operations and learning processes. The basic idea is to use agility to overcome the raw power of opponents.

I’ve been fortunate in getting to know some super-smart people who use it for cyber security and, in the current environment, operations in a pandemic. The OODA Loop site, operated by OODA LLC founders Matt Devost and Bob Gourley, has become daily reading for me.

Lately, I’ve been taking this to the meta-personal level, trying to apply it to how I conduct myself daily and keep steady as a guy living in uncertain times with a mind sometimes hobbled by OCD, anxiety and depression.

I’m not sure if this is even a logical path. I’m hoping my friends in the OODA Loop realm will have comments about it after reading.

I’m using it against the raw power of the depressive and anxious effects of the current lockdown, which has fueled the potentially destructive side of my OCD and threatened to cripple me within the mental battlefield.

Observe: Since early January, I’ve kept a daily eye on the infection, recovery and death rates, as well as geographic spread. I’ve opted for emotionless data points from the likes of Worldometers. As the data has painted a picture of trajectory, my feelings have ranged from disbelief and denial to fear and uncertainty. Along with the useful data points are myriad articles that make predictions based on information that varies widely in levels of emotion and accuracy. This makes useful observation tricky.

Orient: By late February, as the data points showed a clearer picture of what by then was, to me, an inevitable pandemic, I started to work on adapting my brain to the idea that this would be a daily reality and that I’d have to keep being my best self as the world spiraled out of control. I doubled down on my exercise and food regimen, went from an originally planned 60-pound weight loss to 75 pounds (just about there now), and started to shift my daily research efforts to anything that would help clients stay running amid lockdowns and mass working from home (WFH).

Decide: About two days before my company moved to full WFH mode, I decided to quarantine from the office, at least. I had been to the RSA Conference in San Francisco a couple weeks before and news had just arrived that a couple attendees had contracted the virus, one of whom was gravely ill (he has since recovered, thank God). I was just shy of the two-week mark of returning home but didn’t want to chance becoming a risk to co-workers. In doing so, I was making a choice to hunker down for the long haul.

Act: Since then, I’ve done my damnedest to stay healthy physically and mentally. I walk each morning and take afternoon drives. I’ve strived to do my job in the best ways possible, focusing on clear, step-by-step guidance to help clients protect the platforms and tools they currently rely on as everyone works from home — VPNs, videoconferencing, messaging — and I’ve used this blog to help keep the public discourse rational and hopeful while making note of coping mechanisms for those predisposed to mental disorders. I’ve stayed connected to friends through Zoom “happy hours.” I wear a mask and gloves when I have to go out.

When the constraints of being homebound make my temper boil over (I’m ashamed to admit I yelled and angrily slammed my iPhone down one night because a restaurant left something out of our takeout order — not my finest hour when dealing with a trivial, first-world problem), I’ve sought ways to release the pressure.

I’ve always favored hard rock music but in recent weeks my choices have veered to the heaviest end of the spectrum — including battle music from different TV shows and films. Today’s mood music is one example.

And I’ve found a simple, fun way to grind out feelings of angst. Erin got me a manual coffee bean grinder for Easter and I’ve found it’s good, aggressive fun to pace around the house while grinding beans.

I guess we’re never too old to learn new coping mechanisms, especially when sanity depends upon it.

Though I’m not at all certain I’m using the OODA Loop as intended, it has at least given me another way to keep fighting. I’m grateful.

In InfoSec, Fear Shouldn’t Be a Barrier

As some of you know, I’ve been deliberately signing up for uncomfortable, even scary tasks at work. Not scary in the grand scheme of normal life, but they are things a guy with a journalistic background doesn’t come to easily.

This time I’m managing an incident management schedule. Managing schedules in any form is something I suck at, so it’s appropriate that this responsibility has crashed into my wheelhouse.

Truth be told, I didn’t take this job for the specific purpose of facing fears. I’m nuts, but not to that extreme.

But I did want to be part of a security team instead of merely writing about what other people do. To do that, getting outside my comfort zone was inevitable. It’s something I wouldn’t have done 15 years ago.

People in my industry assume I know how to conduct a penetration test, process software vulnerabilities and manage compliance operations. Truth is, I know how to write about this stuff, but I’ve never actually done these things. I never claimed that I had, but since my writing has veered unashamedly toward the side of security advocacy, I can see where people might make the assumption.

What I’m learning so far counts as baby steps.

In recent months, I’ve attended a training session on how to be a threat incident response manager and processed my first three vulnerabilities. I still can’t say I know what I’m doing, and I expect to screw up plenty when my time comes to jump into the fire. But the mechanics aren’t so alien to me now, and that’s a quantum leap.

A few years ago, the terror of the unknown and fear of failure would have kept me from doing any of this stuff. Training can seem like routine to some folks, but when you live with things like fear, anxiety, depression and OCD, the wall to climb looks much higher than it really is.

That’s not to say I’m going about all these things in a carefree manner. I still have my episodes of self-doubt. I still experience stress when thinking about how best to manage the new skills in tandem with the editorial and writing skills that encompass 90 percent of my job.

But unlike the old me, I know I can do it. I’m at peace with the mistakes I know I’ll make. I’m prepared to be the guy people talk about in meetings when the subject turns to who fucked what up during an incident. These days, I can show up.

All this training is a gift. So is the fact that I can accept the gift. And even though mistakes are inevitable, I can accept that as part of the learning process.

Image: feet standing on hot coals. “Walking on Hot Coals” from the Wallpaper Converter site.

You See a SecBurnout Cult; I See Common Sense

Some folks are pissed over my recent posts about efforts in the security community to fight job burnout and depression. I won’t change your minds, so I’ll just clarify a few things and move along.

People have made five observations:

  1. The data is far too insufficient to declare a problem specific to the security community.
  2. Without data, all we have is opinion.
  3. The greater InfoSec Burnout movement and I have made it sound like this is an infosec problem or a workplace-centric problem rather than what it truly is: a mental health problem that the individual already has and brings to whatever job they have.
  4. I’m trying to superimpose my issues onto the rest of the community.
  5. I’ve gotten too caught up in the noise coming from the SecBurnout people.

That last line makes it sound like I’ve joined a cult of misguided infosec egotists who can’t see past their upraised noses. What follows is my opinion on each of the points above. I speak as an individual, not as part of any organized movement — security or otherwise.

  1. Data isn’t everything. I write from personal experience. Part of that includes discussions I have with distressed peers. It doesn’t always take a study to see a problem.
  2. Well-formed opinions based on experience are useful.
  3. I’ve said it repeatedly: A mentally ill person can be sent over the edge by their work circumstances, but in the final analysis the problem starts with them. I used to be crazy and work stress was a trigger. But the problem was always my inability to deal with stress. I had to be the change. I had to get treatment and find the coping tools. I had to create a new me. So it is with everyone.
  4. The notion that I’m superimposing my issues on the larger community is laughable. I didn’t start out on a mission specific to this community. It’s still not a security-only thing. But there are people who came to this community with mental illnesses who could use a helping hand. If I can share what I’ve learned in my own recovery with industry peers, I will. Maybe it’ll help them cope better with the stresses of the industry. Or maybe it’ll just help them cope better with life in general. Either way, it’s a win.
  5. I don’t believe I’m caught up in “noise.” I know where I’ve been and who I’ve talked to. When asked, I’ll always share what I’ve learned and who I learned it from. I’ll also be the first to admit I’m imperfect and still a work in progress.

This has never been about suggesting there’s a problem special to infosec. I don’t see a pandemic within the community. I see friends and colleagues grappling with territory I’m familiar with.

It’s as simple as that.

Katie Moussouris: Profile in Fortitude

Friends in the information security community continue to inspire me. Last week, it was Trey Ford. This week, it’s Microsoft senior security strategist Katie Moussouris.

Katie has had a huge year at Microsoft and in the wider security industry. After a seemingly eternal push, she succeeded in getting a bug bounty program off the ground, ensuring that the software giant will find and patch many more security holes than it has before. She traveled the globe nonstop, speaking, teaching and organizing for a multitude of security events.

And she did it despite adversity that would have crushed many good people.

She endured a divorce and continued to grieve from losses she suffered two years ago — both parents and a best friend from childhood died that year. There was a parent’s estate to settle, a high-pressure matter no matter how agreeable people try to be.

She continued to be a dedicated mom to her two children, even while circling the globe.

In short, she pressed on, refusing to let personal calamities derail her work.

She touched on this in a June 30 Facebook post, noting how she was having the weirdest, saddest, happiest, yet oddly most productive past couple years of her life. Years spent growing, grieving, gestating, breastfeeding, estate settling, celebrating births, and honoring lives cut short. And working to turn the heresy of a Microsoft bounty into gospel in the midst of it all swirling around and through her.

What she’s been through isn’t unique, and as I’ve noted many times before, we all suffer: We go through career challenges. We lose loved ones. Marriages crumble.

But when people do it with exceptional grace and fortitude, I like to celebrate them.

Here’s to your continued success, friend.