Drinking at Security Cons

A friend from the security community, Rob Fuller, has written a post about drinking at conferences. It’s an activity I engaged in with abandon until I decided to quit drinking on New Year’s Day 2010. His post reminds me of what the transition to sobriety was like in conference settings.

I drank my way through the first few RSA conferences to cope with nerves. You could drink all you want for free at the vendor parties, so it was an easy crutch to grab for. At RSA 2010, I was in hell. I stayed sober but didn’t know quite how to behave or deal with people who were drunk. I looked back at my posts from that week, and found this snapshot of what I was feeling:

So here I am in San Francisco for the RSA conference and Security B-Sides events. I’m at a lot of events that involve drinking and instead of wine I’m sucking down club sodas and Red Bull. And, truth be told, I still have trouble feeling at ease in the crowd without the wine buzzing beneath the skin of my forehead.

Fortunately,  each subsequent event got easier for me, and now I’m at ease in a crowd full of drinkers. I also realized from the beginning of sobriety that there is a support system. People have held AA meetings during RSA and ShmooCon. And when you let it known you are no longer drinking, there are people who look out for you. Getting that support from the outset definitely helped cement my affection for the security community.

I’ve been asked more than once if I ever get pressure to drink at these events.

Never.

In his post, Rob wrote that he believes there’s too much drinking going on and wants his peers to throttle back.

It’s certainly not an issue that’s unique to the security community. I know people from other industries who tell similar tales of drinking and debauchery at conferences they attend.

Do conference attendees drink too much? Do they need to get better control of themselves? I think it really depends on the individual. Most people handle their liquor just fine. I wish I had that ability. It really comes down to whether the individual feels they have it together.

If you feel like conferences are nothing but a blur of hangovers and you don’t like it anymore, you probably need to consider a modified lifestyle.

Of course, someone with a drinking problem can think they have it together but be a total wreck. If conferences are nothing but a drunken blur, whether you like it or not, you should sober up.

I’m just grateful I found a way through my own challenges.

men toasting each other

Addicted to Accolades

Last year, David McCullough Jr. — longtime Wellesley High School English teacher and son of one of my favorite authors — gave a commencement speech in which he told graduates the hard truth: They’re not special.

Mood music:

You can see the whole speech here, but here’s a key passage for me:

In our unspoken but not so subtle Darwinian competition with one another — which springs, I think, from our fear of our own insignificance, a subset of our dread of mortality — we have of late, we Americans, to our detriment, come to love accolades more than genuine achievement. We have come to see them as the point — and we’re happy to compromise standards, or ignore reality, if we suspect that’s the quickest way, or only way, to have something to put on the mantelpiece, something to pose with, crow about, something with which to leverage ourselves into a better spot on the social totem pole.

I loved that speech, as did a lot of friends and colleagues. But an uncomfortable truth hit me: McCullough wasn’t just talking about the teenagers in caps and gowns. He was taking about us adults, too.

In this world of Twitter and Facebook, we’ve become addicted to accolades. Not every single one of us, but many of us, myself included.

I found myself thinking about it this week after watching some industry colleagues discuss the notion that our community has “too many rock stars and not enough session players,” in the words of Jack Daniel. In my opinion, Daniel is one of the biggest security rock stars out there.

There are a lot of rock stars in the security industry. Hell, every industry has ’em. I do not count myself among them. Not even close. People like Jack rose to that status by doing the hard work and having the balls to discuss difficult issues in front of crowds full of skeptics and cynics.

I know a lot of session players, too. They shun the limelight and prefer to tinker away in peace.

Though I don’t consider myself a star, I do love getting positive attention for work I’ve done. I’ll even admit I’m addicted to it.

Sure, I value negative feedback as a necessity for personal growth, but I also find it crushing sometimes. Not because it’s unfair, but because I have a big ego.

The bigger the ego, the harder the fall.

I love rock stars, in my industry and beyond. If I ever rate being one, I hope it’s because I did something important, not because I wanted such status. I trust y’all will help keep me honest.

The Book of Rock Stars book cover

Bullied by the Word “Bully”

Walk into any school these days and you’ll see anti-bullying posters everywhere. I’m happy to see it, because kids need to learn what it is and how to stand up for themselves. Unfortunately, they’re taking cues from grownups who don’t always know what they’re talking about.

Mood music:

http://youtu.be/d2rmScLelmE

I was reminded of this after reading a blog post from Brian Martin, A.K.A. Jericho, of attrition.org.

Martin got into a protracted debate recently with Elizabeth Weidman, mother of security practitioner Georgia Weidman. I’m not even going to attempt to piece together the string of comments that lead to the inevitable cry of bullying, but I’ll do my best to give you the gist: Georgia tweeted something Jericho disagreed with. Jericho responded. Georgia didn’t like the response. Then Elizabeth came to her daughter’s defense:

Is this really the InfoSec community you want? Stand up for what you want. Don’t let the bullies of InfoSec do this to people. Stand up to them. Support each other loudly. If you don’t, this is the InfoSec you get. Georgia’s gone to some pretty dark places out of inexperience, out of fear, and out of mistakes she admits were her own. She’s made it out, I hope, but what about other new people in InfoSec, other people going through a hard time? Is it going to take someone dying to make you see/care?

Which led to Jericho’s response, which focuses on misuse of the word bully.

If we can arbitrarily call it “bullying” solely based on one side’s perception, then we’re all equally guilty of bullying. If I call you a jerk, and you call me an ass in return, we are both potentially guilty of it. In reality, I think we can all agree that is a bit absurd.

I don’t always agree with Jericho, but in this case he has a point. There’s a lot of snark, sarcasm and hearty disagreement in the security community. It plays out on Twitter around the clock. And while people can be assholes at times, I don’t think they can be called bullies. Not as it’s described in multiple dictionaries at least. Jericho offers a few definitions in his post, and writes:

The words threat, force, and coercion appear more than once in the definitions above and are the crux of what bullying is about. Everyone who is now equating the term “bullying” with anything less than a malicious, sustained campaign of hatefulness with the intent of coercing/threatening is the worst sort of cowardice and dishonesty. They are doing a disservice to society and themselves.

I was bullied as a kid. I also did more than my fair share of bullying. It’s something I regret. But while people can be jerks on Twitter, I don’t think it comes close to bullying.

People disagree with me frequently, which I expect and appreciate as a blogger who throws a lot of strong opinions out there.

Recently, some friends strongly disagreed with my posts suggesting we be more civil in the security community. I disagreed back, and at times I got annoyed. But I never felt bullied. I was being disagreed with, not threatened or forced to take a certain position.

If we can’t get it straight as adults, the anti-bullying education we’re trying to give children will be for nothing.

John Boehner Crying

You See a SecBurnout Cult; I See Common Sense

Some folks are pissed over my recent posts about efforts in the security community to fight job burnout and depression. I won’t change your minds, so I’ll just clarify a few things and move along.

People have made five observations:

  1. The data is far too insufficient to declare a problem specific to the security community.
  2. Without data, all we have is opinion.
  3. The greater InfoSec Burnout movement and I have made it sound like this is an infosec problem or a workplace-centric problem rather than what it truly is: a mental health problem that the individual already has and brings to whatever job they have.
  4. I’m trying to superimpose my issues onto the rest of the community.
  5. I’ve gotten too caught up in the noise coming from the SecBurnout people.

That last line makes it sound like I’ve joined a cult of misguided infosec egotists who can’t see past their upraised noses. What follows is my opinion on each of the points above. I speak as an individual, not as part of any organized movement — security or otherwise.

  1. Data isn’t everything. I write from personal experience. Part of that includes discussions I have with distressed peers. It doesn’t always take a study to see a problem.
  2. Well-formed opinions based on experience are useful.
  3. I’ve said it repeatedly: A mentally ill person can be sent over the edge by their work circumstances, but in the final analysis the problem starts with them. I used to be crazy and work stress was a trigger. But the problem was always my inability to deal with stress. I had to be the change. I had to get treatment and find the coping tools. I had to create a new me. So it is with everyone.
  4. The notion that I’m superimposing my issues on the larger community is laughable. I didn’t start out on a mission specific to this community. It’s still not a security-only thing. But there are people who came to this community with mental illnesses who could use a helping hand. If I can share what I’ve learned in my own recovery with industry peers, I will. Maybe it’ll help them cope better with the stresses of the industry. Or maybe it’ll just help them cope better with life in general. Either way, it’s a win.
  5. I don’t believe I’m caught up in “noise.” I know where I’ve been and who I’ve talked to. When asked, I’ll always share what I’ve learned and who I learned it from. I’ll also be the first to admit I’m imperfect and still a work in progress.

This has never been about suggesting there’s a problem special to infosec. I don’t see a pandemic within the community. I see friends and colleagues grappling with territory I’m familiar with.

It’s as simple as that.

bill the cat giving rock sign

You’re a Good Man, Trey Ford

As most of my friends in the information security community know, one of our own — Trey Ford — got left out in the cold last week when Black Hat’s powers that be decided they no longer needed a general manager to handle their annual summer conference. He’s following the proven path of seeking new job leads on the social networks.

But he’s doing something else that makes him worthy of mention here.

Mood music:

http://youtu.be/-BTad4tTdrE

Most people would single-mindedly push forward on their own job hunt, and that’s not a criticism. When you have bills to pay and mouths to feed, you have to do what’s necessary to get re-employed as quickly as possible.

But knowing that a lot of other people in the industry are looking for new jobs, Trey is offering to use his vast network to help them as he tries to help himself. In a message on Facebook, he said:

There are a number of folks looking for work, and I have fresh perspective on opportunities out there. Drop me an email and I will do what I can to help assist you in your hunt.

During times of global trauma, I like to refer people to a post I wrote two years ago about words of wisdom from Mister Rogers’s mother. She’d say that in tough times, the helpers always arrive.

While it’s certainly true during huge tragedies like the massacre at Sandy Hook Elementary School last year and the Boston Marathon bombings this year, it also applies to the seemingly smaller events, like someone losing a job and needing help to find a new one. In such cases, the hardship involves individuals rather than big segments of the population, but if you’re the individual who has lost income, it’s a pretty grave deal.

It warms the heart to know that there are people out there hell-bent on helping those individuals.

That someone like Trey would offer help when he needs to find work himself is damn inspiring.

Thanks for being you and Merry Christmas, friend.

Trey Ford

Infosec’s Mental Health Role Models

This weekend some friends asked about the reaction this blog has had in my industry. Truth is, I was unprepared for what followed the blog’s launch four years ago. In hindsight it makes perfect sense.

Mood music:

Friends asked if my information security colleagues were weirded out by the blog and whether it had an adverse effect on my ability to interview people.

In fact, the opposite happened.

By the time I was done baring my soul, people I had known through my business life were sharing stories about their own run-ins with mental illness. I didn’t expect that because I had been accustomed to dealing with some pretty tough characters. But people who had previously intimidated me were opening up, and I made dear friends when I least expected to.

I shouldn’t have been surprised, because the security industry is full of high stress and paranoia. More importantly, those who are drawn to the world of hacking and infosec have complex personalities and brain chemistry and are given to depression, feelings of loneliness and self-destruction.

Obviously, this isn’t something limited to the infosec community. People from all walks of life are prone to these challenges. But infosec is the world in which I’ve had the most experience observing the human condition.

As someone who has struggled with plenty of mental trauma, I’m thankful as hell to be part of the infosec community. I’ve witnessed extraordinary resilience and honesty among my peers, and they have inspired me to be a better man, constantly working to deal with the ghosts that still haunt me on occasion.

I’m grateful to infosec friends who haven’t taken the scourge of mental illness lying down. There are those who started and maintain The Information Technology Burnout Project to help those suffering with work-induced emotional and psychological distress.

And there are people like Amber Baldet, who has taken her suicide hotline skills to another level with a presentation on suicide prevention tactics that she has given at least twice at security conferences. Her presentation can be viewed online, as well.

Now more than ever, I believe I’m in the right industry. I’ve learned a lot about the technology and culture. But more than that, I’ve learned a lot about how to carry on in a world of perpetual adversity.

Skeleton Headache

Friends Of The Gifted Need To Learn Suicide Intervention Tactics

One thing I’ve learned over the years: Some super-smart, super-gifted, ahead-of-their-time people often battle with depression and eventually lose their war. So it was for my best friend who took his life 16 years ago. So it has been for far too many of my industry peers.

Mood music:

I’m thinking of them and for those who continue to struggle with depression daily. I’m grateful, particularly in my industry, for those who have stepped up to support those who need help.

A few years ago, one friend suggested creating a suicide intervention tactics workshop at security cons, focusing specifically on gifted tech folks who are particularly vulnerable. That idea has led to a lot of great content that has no doubt saved lives.

If there’s one thing I’ve learned since starting this blog, it’s that depression and anxiety run high in the information security industry. I’ve had many discussions with people who have battled their own demons. All of them were brilliant, innovative and downright gifted.

They remind me of my long-dead friend. I often think about how his intelligence made him hyper-aware of the world around him. He had moments of extreme joy and extreme pain. You could say he knew too much to be happy.

If there’s one thing I wish I had back then, it would be the skills to see where he was headed and the tactics to help him back off the ledge.

To Amber’s point, friends and colleagues of the sufferers in our industry need to learn tactics to make a difference.

I don’t consider myself gifted, but in the last several years I’ve found tools to cope with my own depressed feelings. I’ve learned to use music, humor, writing and counseling as weapons against the dark. Medication alone is never enough. Sometimes, it makes things worse.

Those tools are essential, as are tactics we could all use to help those who can’t seem to help themselves. Putting those things on display at tech conferences (virtual and, eventually, in-person again) could be as important as the technology on display.

I’ll keep trying to do my part to make it happen.

Skeleton in Pain