I believe reflection builds traction and both require routine. That said, I got into the habit – the routine – of a Sunday morning reflection of the week gone by to get traction on the week ahead.
This past week I had the pleasure of spending in-person together time with my Code42 friends and colleagues at the Disney Institute. We collaborated on everything from our company values and brand promise to our personal values and promises and how they intersect in ways that can delight our customers. I left reflecting on my personal values and promise. I have my 3 words (Positive, Present, Passionate), but have I ever written down my personal values & promise?
That was my epiphany. At Code42 we talk about our values almost everyday. We see them on our screens, hear them in presentations, talk about them in meetings and do our best to live them every day. Why don’t we do the same for our personal values? Why don’t we write them down, have them on our screen, talk about them, share them. We should. So, after much reflection, I thought I would start my week with traction – reminding myself what is most important to me. When it comes to delighting customers, teammates, peers –
I value making their voice, their time and their value matter more than mine. I believe everything is personal and that true leaders do the heavy lifting to make our customers, teammates and peers the hero.
So the year ahead is about getting traction on delighting my customers, teammates, peers by asking myself – is what I am doing making their voice, time and value matter? If not, stop.
What are your personal values? Write them down. Keep them in front of you. Share them and never compromise.
In 2021, my 3 words were: Room, Render, Rally. Each and every day I would write in my Full Focus Planner goals for that day – room goals, render goals and rally goals. Every bit of my focus centered on my three 3 words. They became the lighthouses Chris Brogan describes:
At the end of 2021, I began to wonder if I selected the right 3 words. Sure, I accomplished a lot last year. I had some great wins at work, but missed miserably on my personal and family goals. Why was that? Was I off balance? Were my priorities out of whack?
I set off on a journey to respond to those very questions with BetterUp and my coach and now friend, Will Wiebe. What I discovered, learned, used and experienced would set the groundwork for my 3 words in 2022 and my purpose, passion, promise and thus my priorities as a partner, father, friend, teammate and yes, leader. Heck, I even wrote an eBook about the journey.
The journey culminated in my 3 words for 2022:
Be Positive: Being positive is about embracing the opportunities that come with each imperfection, flaw, stumble and mistake. It’s about the constant pursuit of better. It’s not complaining about things that are wrong, instead welcoming the chance to make things right, to make things better and grow. Being positive manifests itself in the words we use, the emotions we evoke and the actions we take. To be positive takes discipline, practice, routine and support. Support from those we depend on to tell us when we’re not and affirmation when we are. I can honestly say that I have not always been positive and it has a negative effect on those around me. I know this. I embrace it as an opportunity and I choose to pursue better and welcome the opportunity to grow.
Be Present: Being present is about putting the phone down, being in the moment, looking people in the eye. It’s not multitasking during Zoom calls, or checking Instagram while your wife is talking, or worrying about that big presentation one week from now. Being present does not mean I ignore the future or stop thinking strategically or setting long term goals. It means seeing each day, each moment as a strategic step and as progress towards my goals. It’s about trusting my vision, mission, purpose and promise and celebrating each opportunity, each step, each bit of progress that happens along the way.
Be Passionate: Being passionate is about embracing my strengths, what makes me unique and staying true to myself. It’s not about second guessing myself, my influence or my contributions. It’s about doing what I love, sharing what I experience and learn, and being authentic, transparent and yes, vulnerable when doing so. It’s never being afraid to take risks, never fearing what others think or setting expectations for myself that do nothing but knock me down. I know what I want and why I want it. I know what I need to do to get there and I know where to focus. The only thing that can get in the way of being passionate is me.
I ended 2020 looking back. I am starting 2021 looking up.
I’ve been doing my 3 words since 2011 thanks to Chris Brogan for introducing me to the idea. As Chris describes the concept in his post:
The My Three Words idea is simple. Choose 3 words (not 1, not 4) that will help guide your choices and actions day to day. Think of them as lighthouses. “Should I say yes to this project?” “Well, does this align with my three words?”
In 2011, my first 3 words were Create, Move, Matter. I was turning forty that year and it was time to set a plan, make sh&t happen and find my passion. In 2020 my 3 words were Build, Brand, Balance. 2020 was all about seeing things through by staying true to myself and my team and our convictions and finding an actual work life balance, so I can be the best dad, husband and friend I could be. I had a daughter entering her last year of college another leaving home and starting college. We were becoming empty nesters, so balance felt right. The only problem – I never found it. Despite a global pandemic and working from home full time – physically being closer to my family, like many of you, I worked longer hours, nights, weekends. Maybe work was an escape. Maybe a coping mechanism for dealing with uncertainty. The uncertainty of the pandemic. The uncertainty of my daughters’ high school graduation, college experience, career opportunities. Who knows. All I know is that I failed to find balance. I failed to use my third and arguably most important word – balance – as a lighthouse.
Well, no change, no change. That’s one thing I love about starting a new year – it’s not really starting over, but it is an opportunity to reflect and hit reset on things that matter most – to establish new lighthouses and start fresh. That said, after some serious full focus planner reflection on 2020 and looking ahead to 2021 with all the optimism in the world and a ton of momentum – I landed on my 3 words:
Room: Room replaces balance and rises to the top of my 3 words. I’ve been doing a ton of reading on productivity and leadership. I recently riffed on a 2021 goal to take my time back and it dawned on me. Balance is not something you find. Who is this day and age can find time? It’s not about finding time to find balance, it’s about consciously, purposefully and deliberately making room. It’s about taking the time to make time matter. It’s about ruthless prioritization and making the room for what’s most important in life and work. Make the room and I’ll create the life work balance I’ve been searching for.
Render: Render is my output or outcomes word for 2021. It’s to “provide or give” and to “cause to be or become; aka make.” It spans everything from reading more books to writing more content to finishing home projects my wife and I have put off. Render is helping my girls explore and discover their passions – to render whomever, whatever, wherever they want to be and go. It’s about doing the same for my team and teammates at work and my community. Gone are the days complaining about Zoom meetings and feeling like I got nothing done. If I make the room, every day is filled with output and outcomes. Every day about rendering.
Rally: Rally is my action word. Nothing beats a great Nadal-Federer rally in tennis, or a bottom of the ninth, two-out Cubs rally and walk-off win. A rally is exciting, energizing, euphoric. It’s filled with purpose and passion. When done with conviction, a rally sparks confidence and becomes contagious. A rally creates experiences, milestones and memories that live much longer than in the moment. If I make room and always render, then 2021 will be filled with some great rallies that will move more than myself forward.
Words matter — especially in the buzzword utopia that is information security marketing. Let’s add another term to an ever-growing list — insider risk. While insider risk and insider threat are often considered synonymous, in all actuality, there is a difference. And the difference is in the very problem you are trying to solve. Here’s my take.
Insider Threat is a “User Problem”
Probably the most respected definition was written (and updated in 2017) by Carnegie Mellon’s CERT Insider Threat Center:
“Insider Threat – the potential for an individual who has or had authorized access to an organization’s assets to use their access, either maliciously or unintentionally, to act in a way that could negatively affect the organization.”
According to CERT, insider threat is all about the individual, the person, the employee, the user. Every possible user action that may cause harm to an organization is covered. That includes fraud, IP theft, sabotage, espionage, workplace violence, social engineering, accidental disclosure and accidental loss or disposal of equipment or documents.
Given this widely accepted user-centric definition, security buyers often look to user-centric tools — like user behavior analytics (UBA), user and entity behavior analytics (UEBA) or user activity monitoring (UAM). Tools like these collect and analyze mountains of user activity metadata that gets pumped into a SIEM, correlated with other data and automated through a SOAR. Voila — your insider threat problem is solved.
If only it were that simple. The truth is that user-behavior and monitoring tools are just one piece of the puzzle. Relying solely on UBA, UEBA or UAM tools can keep you guessing at what, I mean who, is a real threat.
Insider Risk is a “Data Problem”
Insider risk is a different ball game. When it comes to managing or mitigating insider risk, the focus shifts from centering solely on the user, to taking a broader, holistic approach to understanding data risk. No standards body, to my knowledge (unless you consider Microsoft a “standards body”), has defined insider risk. So, we created a (short and sweet) definition:
“Insider risk occurs when data exposure jeopardizes the well-being of a company and its employees, customers or partners.”
The keywords are “data exposure.” Insider threat is a user problem. Insider risk is a data problem. At Code42, we solve for both, but our approach centers on the risks of data exposure. Heck, our product’s console is called the “Risk Exposure Dashboard” and our annual research report is titled the “Data Exposure Report.” The fundamental difference between user-centric insider threat tools (UBA, UEBA, UAM) and an insider risk solution like ours is that they take a policy-based approach, whereas we take a math-based approach. Our approach takes into account all sides of the equation:
File + Vector + User = Risk
We look at all data (not just classified data)
We factor in vector detail (endpoint, cloud, email, trusted vs. untrusted domains, corporate vs. personal)
We consider every user (not just users with current or past privileged access)
When all three variables of the equation are taken into account, you end up with an insider risk signal that is — dare I say — real. Here is an example:
Sales Strategy presentation not labeled or tagged as sensitive
Uploaded to Dropbox – an unsanctioned cloud service
The user changed the file type, zipped it and encrypted it
The indicators of insider risk resulting from data exposure are stronger when factoring in the data, vector and user file activity (threat context). There are dozens of insider risk use cases like the one above that completely fly under the radar of most security tools, hence the reason to approach insider risk holistically:
The tool by rule watches labeled or tagged data (e.g. DLP)
The tool by rule watches specified vectors (e.g. CASB)
The tool by rule watches on-network employee application usage (e.g. UBA, UAM)
Now, you could take your DLP solutions for endpoint and email, your CASB, add UBA for users, and pull in network logs, identity and access management logs, etc. into your SIEM, run all kinds of policy-based correlations and queries and say you’re covered. This rules-based approach is designed for large, sophisticated and mature security teams — and even the most sophisticated security teams are strapped for time and frustrated with all of the complexity and noise involved in maintaining such systems. And after it’s all said and done, are the systems even working? There are countless examples that they are not.
Insider threat or insider risk? It comes down to deciding to take a policy-based approach centered on human foresight or a math-based approach centered on data exposure. When it comes to solving for insider risk, follow a simple formula and do the math. Because at the end of the day, math — as opposed to guesswork — always wins.
As I reflect on 2020 and think about 2021, one thing became abundantly clear – I never created, thus never committed to the foundations of Full Focus – the daily ritual and ideal week. Quarter after quarter, the pages were blank. As a result, the very habits and rituals I set out to establish in 2020 never got off the ground. Sure, I had a morning ritual: shower, listen to a podcast, walk to Caribou Coffee, order a large cold brew, walk home, plan my day. But, after that, my day was in the hands of others and Zoom all the way up to 5:00, or until everyone else’s ideal day came to a close.
Then, our company created Thinking Thursday’s – this block of time on Thursday mornings where there are no Zoom calls, no meetings, ideally no Slack messages or email. Three to four hours to just read, think, write, reflect – whatever and however we chose to use the time. Many used the time to “play catch up” on tasks, actions, emails, projects, but for me, that defeated the purpose of Thinking Thursday. It’s designed to be a time for curiosity, ideation and epiphany. A time to read, write and render. A time to reflect, reimagine and reframe. I took the time to do just that and create daily rituals and my ideal week.
I started with four buckets of time and gave them an identity – a personal purpose.
Mind Heart Home – Time to connect with myself, family, friends.
Read Write Render – Time to create ideas, plans, content.
Teamwork – Time to collaborate with co-workers, peers, partners.
Tasks – Time to complete actions, emails, updates.
Then, I thought about how much time should be dedicated to each bucket – a personal promise.
45% Mind Heart Home – Time to connect with myself, family, friends.
20% Read Write Render – Time to create ideas, plans, content.
25% Teamwork – Time to collaborate with co-workers, peers, partners.
10% Tasks – Time to complete actions, emails, updates.
Then I began mapping the my ideal week. I looked an my current calendar, my commitments, my projects, plans and priorities. Since I’ve been known to think in PowerPoint and Google Slides – I call it “slideation” – I began visualizing my ideal week and creating blocks of time for each personal purpose. Where I ended up was crazy close to my personal promise.
47% Mind Heart Home
19% Read Write Render
I’m not calling this a new year’s resolution. It’s more of an end of the year commitment to take my time back. Once I commit, I just might create the very habits and rituals I need to have full focus and reach my goals in 2021. I guess only my time will tell.