Cognitive load is real | Seth’s Blog:

Here’s my list, in order, of what drives behavior in the modern, privileged world:

  • Fear
  • Cognitive load (and the desire for habit and ease)
  • Greed (fueled by fear)
  • Curiosity
  • Generosity/connection

The five are in an eternal dance, with capitalist agents regularly using behavioral economics to push us to trade one for the other. We’re never satisfied, of course, which is why our culture isn’t stable. We regularly build systems to create habits that lower the cognitive load, but then, curiosity amplified by greed and fear (plus our search for connection and desire to love) kick in and the whole cycle starts again.

I like Seth’s set up for this but not the corporate entity as the example. Here’s a sanitised version:

…without habits, every decision requires attention. And attention is exhausting.

And it’s stressful because the choices made appear to be expensive. There’s a significant opportunity cost to doing this not that. … what are you going to skip? What if it’s not worth the [time or wait]? What are you missing?

It’s all fraught. We feel the failure of a bad choice in advance, long before we discover whether or not it was actually bad.

What consistently good communicators do:

What consistently good communicators do: Prepare thoroughly, show up on time, seek to understand, be thoughtful about their contributions, pay attention to non-verbal cues, and follow up.

When they do all of this, they succeed in reaching the people they’re speaking to in the right context – unerringly.

It turns out that being a consistently good communicator is largely determined by what we do when we’re not trying to communicate.

This post came out a while ago. I was reminded to write about it when I saw the 16 April Daily Stoic entry, OBSERVE CAUSE AND EFFECT:

“Pay close attention in conversation to what is being said, and to what follows from any action. In the action, immediately look for the target, in words, listen closely to what’s being signaled.”

To both quotes, there is an undercurrent of presence, of being in the moment when communicating. Being distracted by a laptop, tablet, or phone takes away from that presence.

The other undercurrent is that communication is, by definition, bidirectional (or full duplex for the networking nerds out there). It’s funny to me how many people forget that.

Git and Plain Text for Writers | Irreal:

Although the article, by Seth Kenlon, is advertised as considering the question “Why (prose) writers should use Git,” I think the more important takeaway is that writers should embrace plain text. Kenlon makes a persuasive case that authors would be better off trashing their word processors and using a combination of a text editor and Markdown.

Kenlon’s text editor of choice is Atom (although he does mention Emacs as an alternative), which is, I think, leaving money on the table. Other than the obvious but subjective judgment that Emacs is a better, more customizable editor, it is virtually universally acknowledged that Magit is the best Git interface—integrated or not—and that Org mode markup is superior to Markdown, especially when its Babel interface is taken into consideration.

Of course, those are the opinions of an Emacs partisan so others may disagree but it’s hard to see how one can argue about Magit or Org mode. In any event, the important point stands: embrace plain text. If you do any writing at all, you should take a look at Kenlon’s article, especially if you’re still using Word or one of its evil offspring.

There’s more here and here.

RSS vs. Twitter | Irreal:

Lots of folks love Twitter, of course, but at least for my purposes, RSS is a much better solution. A Tweet is a good way to discover that the latest version of Emacs, say, has been released but if you want thoughtful analysis a blog or technical article is a much better bet.

Cybersecurity | Daniel Miessler:

Cyber Security—also called Information Security, or InfoSec—is arguably the most interesting profession on the planet. It requires some combination of the attacker mentality, a defensive mindset, and the ability to constantly adapt to change. This is why it commands some of the highest salaries in the world.
“Cyber” vs. Information Security

One of the most common questions in the computer security industry is the difference between Cybersecurity and Information Security. The short answer is, “not much”. But the long answer is, well…longer.

Essentially, “Cyber” is a word from pop culture that actually fit our digital future fairly well, with the merging of humans and technology and society. In the beginning, “CyberSecurity” was used as a way to glamorize or sensationalize computer security, but over time people started using it in more and more serious conversations. And now we’re stuck with it.

If I had to give any distinction today (2019) it would be that Cybersecurity is a bit larger in scale than Information Security.

Read on in Daniel’s article for how he breaks Security down.

In general I think his taxonomy is spot on for the difference between Information Security (InfoSec) and Cyber Security. I am one of the people he references here:

People who’ve been in Information Security for a long time tend to really dislike the word “cyber” being used in a non-ironic way to describe what we do. But we’re getting over it.

I don’t always agree with Daniel’s writing, but this is a nice index.

Great Emacs config:

Tl;dr: The takeaway here is to install the SuicaEng app on your iPhone. Use the regular Suica app if you read Japanese and/or need advanced features.

Region Settings and Apple Pay – Ata Distance:

The iOS Region Setting and Apple Pay are linked together in interesting ways that has changed with iOS versions. Up through iOS 10, devices needed to have the Region match the country they wanted to add and use cards in: iPhone had to be set to Japan to add and use Japanese credit cards in Apple Pay, and so on.

This was a pain when I first came to Japan.

This changed in iOS 11 with global FeliCa iPhone and NFC switching. The Region setting only needed to be changed to add a card for any particular country and had nothing to do with using it. This is because Apple Pay Wallet only displays the card options that match the Region setting and acts like a filter …

After adding a card, the Region setting can be anything as Apple Pay ignores it and takes care of the rest.

This was wildly unintuitive. I discovered it on accident when I set up my new iPhone.

Many inbound users don’t realize this and have avoided adding Suica to Apple Pay under the misconception that the iPhone/Apple Watch Region has to be set to Japan to use it.

…as one would expect.

Wallet behavior is the same in iOS 12, even with the iOS 12.2 UI tweaks, but the Region setting can be completely ignored when adding cards to Apple Pay with an app like SuicaEng. SuicaEng simply adds Suica no matter what the iPhone Region setting is, a nice time saver because changing the iPhone Region is a mini restart.

The SuicaEng app is almost perfect. It provides just enough functionality for 95% of Western travelers if they read English – and they don’t need to be able to read much at that.

Another small change from iOS 11 is that if you have a Suica card deleted from Wallet that is parked on iCloud, Wallet will show you the Add Suica option no matter what the iPhone Region setting is. It’s a nice touch and reminder in case you ever forgot you had one.

This is valuable when swapping devices or when troubleshooting issues.

I hope there is either more advanced functionality coming in the SuicaEng app or English language support in the full Suica app. As it is, with a little help from my friends I can get what I need out of the Suica Two-Step.

This simple test assesses if men are being good gender allies by Alexandra Ossola:

It’s 2019, and there’s no more denying it: hiring women is a good business decision. But keeping and retaining women is not only a matter of adding more family-friendly policies or flexible work hours. Leadership (often male) also needs to foster a workplace culture that shows women they are valued and will grow at the company.
Men may find themselves wanting to do better (well, not _all _men–a 2016 survey by compensation-focused website found just one in five men said gender disparity was a problem in their workplace). They are to be commended for that. But sometimes, they just don’t know how. From calling a female colleague “dear” to explaining something to a woman that she clearly already knows, even the best-intentioned of men can sometimes do things that slight the women around them.
Matt Wallaert, a behavioral scientist and cofounder of, a free site that helps women ask for raises at work, has a simple recommendation for men who want to know whether they’re on track: They should ask themselves if a woman in their lives is able to tell them when something they’re doing is bullshit.
I love this.
And yes, I am fortunate that I have a number of women in my life happy to call me out on my bullshit.

What is a CISO? Responsibilities and requirements for this vital leadership role:

This was a common topic on the late lamented PVC Security podcast. Let’s dive in!

CISO definition

The chief information security officer (CISO) is the executive responsible for an organization’s information and data security. While in the past the role has been rather narrowly defined along those lines, these days the title is often used interchangeably with CSO and VP of security, indicating a more expansive role in the organization.

Ambitious security pros looking to climb the corporate latter may have a CISO position in their sights. Let’s take a look at what you can do to improve your chances of snagging a CISO job, and what your duties will entail if you land this critical role. And if you’re looking to add a CISO to your organization’s roster, perhaps for the first time, you’ll want to read on as well.

CISO responsibilities

What does a CISO do? Perhaps the best way to understand the CISO job is to learn what day-to-day responsibilities that fall under its umbrella. While no two jobs are exactly the same, Stephen Katz, who pioneered the CISO role at Citigroup in the ’90s, outlined the areas of responsibility for CISOs in an interview with MSNBC. He breaks these responsibilities down into the following categories:

  • Security operations: Real-time analysis of immediate threats, and triage when something goes wrong
  • Cyberrisk and cyber intelligence: Keeping abreast of developing security threats, and helping the board understand potential security problems that might arise from acquisitions or other big business moves
  • Data loss and fraud prevention: Making sure internal staff doesn’t misuse or steal data
  • Security architecture: Planning, buying, and rolling out security hardware and software, and making sure IT and network infrastructure is designed with best security practices in mind
  • Identity and access management: Ensuring that only authorized people have access to restricted data and systems
  • Program management: Keeping ahead of security needs by implementing programs or projects that mitigate risks — regular system patches, for instance
  • Investigations and forensics: Determining what went wrong in a breach, dealing with those responsible if they’re internal, and planning to avoid repeats of the same crisis
  • Governance: Making sure all of the above initiatives run smoothly and get the funding they need — and that corporate leadership understands their importance

For a deeper dive, check out the whitepaper from SANS, “Mixing Technology and Business: The Roles and Responsibilities of the Chief Information Security Officer.”

CISO requirements

What does it take to be considered for this role? Generally speaking, a CISO needs a solid technical foundation. says that, typically, a candidate is expected to have a bachelor’s degree in computer science or a related field and 7-12 years of work experience (including at least five in a management role); technical master’s degrees with a security focus are also increasingly in vogue. There’s also a laundry list of expected technical skills: beyond the basics of programming and system administration that any high-level tech exec would be expected to have, you should also understand some security-centric tech, like DNS, routing, authentication, VPN, proxy services and DDOS mitigation technologies; coding practices, ethical hacking and threat modeling; and firewall and intrusion detection/prevention protocols. And because CISOs are expected to help with regulatory compliance, you should know about PCI, HIPAA, NIST, GLBA and SOX compliance assessments as well.

But technical knowledge isn’t the only requirement for snagging the job — and may not even be the most important. After all, much of a CISO’s job involves management and advocating for security within company leadership. IT researcher Larry Ponemon, speaking to SecureWorld, said that “the most prominent CISOs have a good technical foundation but often have business backgrounds, an MBA, and the skills needed to communicate with other C-level executives and the board.”           

Paul Wallenberg, Senior Unit Manager of Technology Services at staffing agency LaSalle Network, says that the mix of technical and nontechnical skills by which a CISO candidate is judged can vary depending on the company doing the hiring. “Generally speaking, companies with a global or international reach as a business will look for candidates with a holistic, functional security background and take the approach of assessing leadership skills while understanding career progression and historical accomplishments,” he says. “On the other side of the coin, companies that have a more web and product focused business lean on hiring specific skillsets around application and web security.”

CISO certifications

As you climb the ladder in anticipating a jump to CISO, it doesn’t hurt to burnish your resume with certifications. As Information Security puts it, “These qualifications refresh the memory, invoke new thinking, increase credibility, and are a mandatory part of any sound internal training curriculum.” But there are a somewhat bewildering number to choose from — lists seven. We asked Lasalle Network’s Wallenberg for his picks, and he gave us a top three:

  • “Certified Information Systems Security Professional (CISSP) is for IT professionals seeking to make security a career focus.”
  • “Certified Information Security Manager (CISM) is popular for those who are looking to climb the ladder within the security discipline and transition into leadership or program management.”
  • “Certified Ethical Hacker (CEH) is for security professionals looking to obtain an advanced awareness of issues that can threaten enterprise security.”

CISO vs. CIO vs. CSO

Security is a role within an organization that inevitably butts heads with others, since a security pro’s instincts are to lock down systems and make them harder to access — something that can conflict with IT’s job of making information and applications available in a frictionless way. The way that drama plays out at the top of the org chart can be as a CISO vs. CIO battle, and the contours of that fight are often established by the lines of reporting within an organization. (CSO discussed this in depth in the article “Does it matter who the CISO reports to?”) Even though both titles have “C” in the name, it’s relatively common for CISOs to report to CIOs, which can constrain CISO’s ability to execute strategically, as their vision ends up being subordinated to the CIO’s overall IT strategy. CISO’s definitely gain clout when they report directly to the CEO or the board, which is becoming an increasingly common practice. This might involve a change of title — according to the Global State of Information Survey 2018, CISOs are more likely to be subordinated to a CIO, whereas a security exec with the title of Chief Security Officer (CSO) is more likely to be on the same level as the CIO — and to have non-tech security responsibilities to boot.

3 who is in charge of the person in charge IDG / Getty Images

Placing CIOs and CISOs on equal footing can help tamp down conflict, not least because it sends a signal to the whole organization that security is important. But it also means that the CISO can’t simply be a gatekeeper vetoing technical initiatives. As Ducati CIO Piergiorgio Grossi told i-CIO magazine, “it’s up to the CISO to help the IT team provide more robust products and services rather than simply saying ‘no.'” This shared responsibility for strategic initiatives changes the dynamics of the relationship — and can mean the difference between success and failure for new CISOs.

CISO job description

If you’re part of a search for a promising CISO for your organization, part of that involves writing a job description — and much of what we’ve discussed so far lays the foundation for how you’d approach that. “Companies first decide if they want to hire a CISO and obtain approvals for the level, reporting structure, and official title for the position — in smaller companies, CISOs can be VPs or Director of Security,” says Lasalle Network’s Wallenberg. “They also need to set the minimum requirements and qualifications of the role, and then go to market for external candidates or post for internal applicants.”

CSO Senior Editor Michael Nadeau lays out in some detail how you’d approach writing a CISO job description. One of the important things he points out is that your description should make your organization’s commitment to security very clear from the get-go, because that’s how you’re going to attract a high-quality candidate. You should highlight where the new CISO will end up on the org chart and how much board interaction they’ll have to really make this point clear. Another important point he makes is to keep the job description fresh, even if you have someone in the role — after all, you never know when that person will move on to another opportunity, and this is a crucial job that you don’t want to leave unstaffed.

CISO salary

CISO is a high-level job and CISOs are paid accordingly. Predicting salaries is more of an art than a science, of course, but the strong consensus is that salaries above $100,000 are typical. As of this writing, ZipRecruiter has the national average at $153,117; pegs the typical range even higher, as between $192,000 and $254,000.

If you check out Glassdoor, you can see salary ranges for current CISO job openings, which can help you get a sense of which sectors pay more or less. For instance, at this writing there’s an open CISO position in the federal government that pays between $164,000 and $178,000, and one at the University of Utah that pays between $230,000 and $251,000.

CISO jobs

The CISO job landscape is always changing, and CSO has plenty of material to keep you up to date — how to get a CISO job, and how to navigate the career landscape. You might want to check out:

  • A CISO’s guide to avoiding certain CISO jobs” : Not all CISO jobs are created equal, and some will set you up for failure that can have negative career implications down the line. Here’s some tips on red flags to watch out for.
  • Why do CISOs change jobs so frequently?”: The average CISO only stays on the job for 24-48 months, according to market research. Find out what these fast moves mean for the industry and how you can react.
  • What is a virtual CISO?”: C-level execs aren’t immune to the trend towards “on-demand” employees who work on part time contracts rather than occupying full-time positions. This article will explain what virtual CISOs can and can’t do, which is important if you’re competing against them for jobs — or want to become one yourself.

Let’s block ads! (Why?)

(Via CSO Online)

A few notes:

The CISO/CSO and analogs suffer from a short life span and a need to impress the Board of Directors. Most CISO’s are in poor situations at the start, and anyone who aspires to such a role needs to know the disadvantages,

The CISO/CSO often reports to the CIO, which is a conflict of interest. I generally recommend reporting to CEO directly or else the COO or CFO.

CISO/CSO roles require strong reporting managers and talented teams plus reliable managed security service providers. The best way to determine their value is by measuring them. Yet many enterprises I visit fail to measure even the most obviously valuable metrics but want their Top Ten lists.

This is a solid summary of the CISO role. If you target this in your career path, this article is useful.

Complaints Have No Magic by Tina Roth Eisenberg:

Thank you for these magical words, Cleo Wade. This was one of my biggest energetic shifts, when moving to New York City, 20 years ago, realizing people don’t really complain here much. Complaining is draining. It truly has no magic. Hence my personal rule: “When I catch myself complaining about something repeatedly, I have two options: Do something about it or let it go.”
A complaint is a tool.
A complaint for the sake of complaining is wasted energy. A complaint as constructive criticism or with solution(s) adds value. To say one won’t complain means one will not effect change. How does that add value?