Hillbilly Wisdom Never Gets Old
I've written about my Dad several times, which is not surprising since he was the primary influence on my life.
Born in 1913 in the beautiful backwoods of Hardy County, West Virginia, Dad was a child of the Depression and knew poverty, homelessness, and hunger. He ran away from home in the seventh grade to make his living as an itinerant farmhand - picking fruit, chopping spinach, and cutting trees. He enlisted in the Navy in World War II, serving as a Navy SeaBee in the Aleutian Islands. Later, the Army became his path to an education and career – GED, a community college degree, a certified vo-tech teacher, and a Master Instructor of Diesel Mechanics. And he was a lifelong, self-directed learner. I remember the day he came home from the Harford County Library with a grocery bag full of books. He had hit the age when seniors could check out as many books as they wanted – and no fines for late returns!
Despite his crooked path to an education, Dad possessed deep homespun wisdom, and we got to see and hear lots of that growing up. When I was young and arrogant, I thought he was old-fashioned and didn't appreciate the complexity of the modern world.
As I became less young and less arrogant, I realized that Dad wasn't simple or old-fashioned. He had earned his M.S. - Master of Simplification, with Honors - from the School of Life by understanding what was important to him, focusing on the things that mattered, and avoiding distractions.
Much of Dad's wisdom came out packaged in memorable one-liners or phrases. Even when he told me a story about someone else, I think many of these were meant as gentle lessons for me.
And many of Dad's ideas, themes, and sayings surprisingly apply to our modern, high-tech, complex cybersecurity world. Even though I didn't inherit his "avoiding distractions gene," I've tried to use his lessons throughout my career and life.
Here are some of my favorites.
"It's a piss-poor craftsman that blames his tools."
Dad owned few tools, but he could build a house with a hammer and handsaw. And he took care of his tools, learned how to use them, and knew where they were (unless one of his kids failed to put something back where it belonged). In other words, he made the best use of what he had.
But in our industry, surrounded by a fog of hype, marketing, and desperation, enterprises spend too much time searching out the newest shiny box, ultimate threat feed, miracle cure, or magic beans. One of my habits in talking to security vendor friends is to ask them, "What percentage of your product's capability do your customers use?" The answer was always on the low side, consistently between 40 and 60%. Yes, there can be lots of reasons for this, but I think the premise holds up – the search for something better often causes us to under-use what we already have.
This is certainly true for me on a personal/professional level. Over my decades in tech, IT, and cyber, I've tried every outliner, mind-mapper, word processor, timeline-generator, to-do-list manager, RSS feed reader, programming language, parser, etc. I could find. And it usually becomes an excuse to play rather than create, a moment to blame the tool rather than my procrastination.
"There's only so many ways to slice a banana before it turns to mush."
This was Dad's reminder to not overthink a problem (oh, he knew me so well), and it jumps into my head EVERY TIME I attend a management meeting about organizational redesign or strategy. Or we are wordsmithing a mission statement. We wind up slicing and dicing essentially the same 2-3 options over and over until we are tired or our time runs out. Vertical or horizontal? Organize by technical discipline or by application area? Every option has strengths and weaknesses, so it's essential to understand them and to "manage around" the weaknesses. And we make the decision in a context that will inevitably change, so it's critical to understand the dependencies and track when they change. And few organizational changes or even strategies last more than a few years anyway.
"That fella's too smart by half." "Too much book-learning, not enough life-learning."
These often came out of his mouth in the same spirit of "don't overthink the problem or the solution, Tony." He used experience and common sense to make up for gaps in his formal education. I remember working on some home construction project with him. He was showing me how to quickly square and level a complicated set of stairs or something similar. At some point, I realized that many of his construction tricks were simplified heuristics based on classic geometry or trig problems. Good grief, I had studied this for multiple semesters and never realized how to apply it.
"You don't shoot flies with a cannon, Tony - you might achieve your objective, but the cost and collateral (damage) will kill ya'."
In addition to his caution about overthinking, Dad also warned about overdoing. More tools mean more cost, training, information overload, and integration problems. I've heard many ludicrous numbers from friends who have tried to inventory all the security tools running in their enterprises. And we often try to aim a cyber-tech cannon at problems better managed by improving IT operations. Or we spend grand amounts of money and energy to react to problems instead of preventing them. It's like shooting flies with a cannon instead of putting screens in the windows. In another metaphorical twist, many years ago a colleague quipped that in the cyber defense business, "Firefighters are heroes, sprinkler installers are zeros."
"That fella is so slick he could sell icemakers to the Eskimos." (And his complementary phrase, "That fella's so dull he couldn't sell space heaters to the Eskimos.")
I guess his time as a Navy SeaBee in the Aleutian Islands gave Dad a particular fascination with that part of the country. This line comes to mind every time I walk onto the vendor floor of any big industry conference; it was one of the motivators for my "Fog of More" talk at RSA in 2014. The general theme: we have never had more or better tools, insight into attackers, and training in the history of cyber defense. But all these riches have become the problem. We haven't empowered defenders – we've overwhelmed them in a "fog" of more technology, marketing claims, requirements, oversight, and complexity. I've spent a career fighting for Democracy – but I love capitalism too. Marketing, and the hype and confusion that can go with it, is just part of the landscape of technology.
"Even a blind squirrel finds an acorn once in a while - but he shouldn't count on it for his next meal."
This is also an example of how Dad often had his own twist on an old standard saying. He loved puns, song parodies, a new twist on an old idea, and almost any sort of wordplay.
In his lifetime Dad experienced every form of good and bad luck a man might encounter. It's a tribute to his character that those experiences left him grateful and compassionate, rather than scarred and bitter. And when good fortune came his way, he never took it for granted, never saw it as his due. And it never stopped him from continuing to prepare for the inevitable rainy day.
I think this saying captures the attitude of many enterprise owners, at least in the early days. "We haven't been attacked yet." "No one would attack us, we're too small." Or perhaps the executive decision-maker classic, "I accept the risk!" By the way, that last one is actually true. Cyber security is an executive responsibility, a fundamental risk function for an enterprise. But sadly, that last statement is often said in frustration - with our industry, with security wizardry, with unintelligible or unhelpful opinions - not as the output of a knowledgeable consideration of risk, in the context of the total corporate risk environment.
"Unwritten rules aren't worth the paper they're not written on."
Dad loved to watch baseball on TV, and this came out of his mouth every time an announcer referred to one of the "unwritten rules" of the game.
Undefined or inconsistently defined terms; mysterious acronyms and esoteric language; wizardry instead of science; opinions disguised as data; complexity instead of clarity. These are some of the unwritten rules of the cybersecurity business.
"Tony, all you have in life is your good name. And it's worth even more if you spend it once in a while."
There were times in his life when literally all he had was his good name. For Dad, a good name was a function of a good life, beyond any material or social return. This was Dad's gentle admonition to me. It's great to be liked, to have a good reputation. But you need to spend it on good causes, to do right, even when it's not easy or popular.
And that's where I find myself today - at a stage where I ask, "Where shall I spend my good name?"
"I won't be on this earth forever, but I'll always be available for consultation."
No truer words were ever spoken. Thank you, Pappy - for everything!