Waving, Not Drowning

I have just stepped off the stage at the Pulse Conferences CISO 360 Congress in Rome having presented on “The True Cost of Security, A Personal Story”, recounting my experience of poor mental health. I published my life threatening experiences in my Blog, Drowning not Waving, published a few months ago, and those of you with good memories will recall those events also took place in Rome in September 2017.

I haven’t been back to Rome since then until now to do this talk, and so I am doing so with significant apprehension and unease. It’s an odd feeling, and one I haven’t experienced since my breakdown, but it is one that I will work through and will ultimately do me good. I also have to thank the incorrigible Clive Room of Pulse Conferences for giving me the opportunity to do this talk to a significant audience, and in Rome also. Personal stories are always so much more powerful, and if people in the audience either get the help they need, recognise others in their lives who need the help they need or even just understand that it is a perfectly normal thing to go through, then it will be worth it.

It is also the last time I will be publicly talking about this topic.

I have been approached many times since my original post by people thanking me, empathising with me or generally being extremely supportive as my post had a personal impact on them in some way. In short, the response has astounded me. However, I don’t want to be known as “the mental health guy”; the point of my story is that I recovered, got better, moved on and actually came out a better person. The point of my story was that it was a transitory period of my life and not one (for me) that I have to keep going back to in order to maintain my recovery. The point of my story was to let others know that they are not alone.

Does this mean that I don’t care about this topic any more? Obviously not, and I will always be happy to engage with people about it, help and support them if needed. I am always going to “available” if that is the word, to anyone that feels I may be able to help them.

It does mean that this will be the last time I blog about it, present or appear on a panel on the subject or make any kind of public appearances or endorsements on the topic. Some of you may think this is a bit odd, or maybe even callous and cold, and I understand that. However, this is what is the right thing to do for me in my pursuit of happiness, continued engagement with the InfoSec community and growth of my own business.

To be absolutely clear though, if you want to talk/DM/email with me about this topic then please do. If you feel the need to talk about your own struggles, or think I can help, then reach out, and I will make myself available to you as best I can. Depression and alcohol dependence is a an empty and lonely place to be, and if a kind word and a smile from me will help you then then don’t hesitate. You should also speak to a mental health professional as well of course, as you would have to be very unwell to think I am your best route to happiness!

Thank you to everyone who has shown support, love, compassion, empathy and friendship since reading my story, you know who you are, and I send it all back times three thousand


RSA 2019, and women finally had to queue for the toilets…

If the streets of San Francisco are becoming more cluttered as the homeless problem gets worse year after year, the conference itself seemed to take a clear shift towards a more friendly and inclusive event.

The redesign of the conference wasn’t just limited to the Moscone Centre itself. To be sure , the revised layout meant even more vendors could be squeezed in (where do they all come from?!) and we could find ourselves utterly lost on the expo floor as it was no longer clear if we were in the North or South hall, and what direction we had to walk in for the West hall when we finally emerged, blinking into the weak Californian sun.

This redesign, if it can be called that, came across to me in two distinct ways, both of which are areas that are close to me. Sure, the talks were good, the Keynotes interesting (if occasionally sponsored), and the overall organisation was excellent. But the two areas I thought that stood out were diversity and wellness.

Of course, the more cynical of us will say that it was just a move that RSA made to keep the haters quiet and the ticket sales up, but it really did feel like a corner had been turned here. That is not to say they did it first, as there are thousands of events around the world that are supporting diversity and wellness, but to see it done at this scale is what made it stand out. RSA is undeniably a commercial conference, and many parts of the infused echo chamber deride it for being so, but it is also a litmus test of how the industry as a whole is performing.

 

Group_Male_Executives1

Therefore, seeing the demise of the all male panel (or “manel” as I heard it described) and seeing broadly balance panels, and a larger number of talks fronted by women is the direction that the community has been pushing for years. It takes effort to redress a balance like this, but when it reflects is a high profile show like this the benefits are greatly increased. As a direct result of this, my unscientific method of just using my eyes showed me there was a greater number of women attending as well. (I think I even saw a queue for the ladies toilets at one point as well – now if that isn’t scientific proof i don’t know what is). This greater balance is better for all of us in this industry, however you look at it.

As for wellness, I counted at least three sessions on the impact of infosec on mental health, including one keynote. I was informed just today that a straw poll found that 14% of CISOs found the stress of the job “unbearable and unsustainable”, and the associated decline in mental health a very real cause for concern. Our toxic mixture of being measured on failure and the requirements for us to 24×7 “keep secrets” means none of this reported or addressed, and people are suffering. Seeing this addressed by senior and well known people in the field in an open forum can only mean good things and result in better health overall.

Let’s be clear, diversity and wellness are still in the early stages of being addressed, but being addressed they are, and if more shows and conferences like RSA can continue to push the agenda, then the information security industry will become a friendlier place.

Let’s not forget (Will) Wheaton’s Law that applies to all of us here, and a mantra to live your personal as well as your professional life by:

“Don’t be a Dick”.

I was also involved in some media coverage, mainly because of the very fine folks at ITSP Magazine. I helped with a daily wrap up report and an end of show report as well. You will not I hope, dear reader, have missed the quite excellent T-shirts I happen to be sporting…

Thursday’s update was so good, we even did it twice ; if you ever get to meet Sean you can ask him why…

Selena, Marco and Sean did a fantastic job summarising every day, as well as carrying out a slew of other interviews and update. Please do check out their magazine and subscribe, i promise you won’t be disappointed.

I also did an interview with Matthew Schwartz of ISMG, under thier Bank Info Security brand. It focussed on wellness and mental health, and has yet to be published (if at all). This was an interesting choice for me as I do not wish to become the poster boy for this topic, but given the wholly positive response I have recieved from people who not only are affected by the issues I raised, now feel “safe” to talk about them, it is hard to not talk more about it. I have no doubt I will be talking more on this, so I guess i will have to hone the message more to not just get the point across but also avoid being placed in this niche itself.

Hopefully that interview will surface as Matthew is a wonderful interviewer and friend, and he helped tell the story in a very compelling and sensitive way.

Finally, i had the opportunity to knock around RSA with my old mucker Javvad. We absolutely did not plan any filming, and I absolutey did not help him script his film, or even hang around hoping to be filmed. But as luck would have it I happened to be in the right place at the right time to be interviewed.

In it I opine about the huge amounts of negativity aimed at vemndors during RSA, even hearing some commentators refer to it as a “vendor wank-fest” which is both disingenuous and frankly a somewhat disturbing image to conjur up. I will leave you to watch Javvad’s thoughtful film on the topic of vendors, suffice to say that without them we wouldn’t have half of the community we have now.

And then the week was over in a flash. Diversity, wellness, toilets, faulty microphones, vendors and filming, all wrapped up in a blog post, films and a bunch of fun memories.

<edit> Typos


A Lot of Talking…

One month in and (TL)2 Security seems to be attracting a fair amount of interest which is very heartening. What I am not used to however is projects just disappearing. In my old day job, if i decided to pursue a project we got onto it and did it until it was finished or I decided to abandon it. In my new world that decision is not up to me and so a number of leads have, as is the normal course of things, just gone cold on me.

It is, to say the least, very disconcerting, and I have a new found respect for salespeople as a result. Who knew I would be uttering those words today?

That said, I am also keeping busy preparing for two big speaking engagements coming up:

One Identity UNITE Conference, April 1 – 4 2019

This is a new conference for me, and one where I am doing the closing Keynote of the main conference on Wednesday 3rd April.

A closing keynote is an interesting one to do, and I discussed this with the organisers in a preparation call; the delegates will be tired and need buoying up , the message needs too be uplifting and inspiring, and does not need to be technical or even a core message from the conference.

To that end I will be talking about trust, why it is important, how we lose it and what to do when that happens. Trust is key in IAM, not least because it is a fundamental tenet of uniquely identifying someone under the auspices of the authorising them to a system. But it also matters as we continue to gather more and more details about people in order too ascertain their identity in the first place. I opened a business bank account recently and had to take a photo of my passport to be uploaded in order to be correctly identified. I have to trust that that bank will not lose my passport details or sell them on, and if they do, what are they going to do about it?

Wednesday 3rd April: Won’t Somebody Think of the Users? – Auditorium

I am looking forward to the conference, and while it is driven by a vendor for its users the agenda looks to be very engaging across the board. Any vendor that avoids selling directly during events like this is always OK in my books!

card_57bae26a3ac5378b4433ffaf300bdf12

European identity & Cloud Conference, May 14 – 17 2019

I have worked with Kuppinger Cole at this conference (and a couple of their other ones) since 2014; they put on a fantastic show with great talks, and a wide range of workshops and topics. The setup is very professional, and the staging and production vales are very high. As a speaker it is an absolute pleasure as everything is taken care of, your requests are taken seriously and they do their best to make the environment as easy as possible to work in.

In my experience, most conference organisers will focus mostly on the attendees; after all they are the ones that are playing to attend. Speakers are often bundled around, ignored until five minutes before we are required, told we have to use their Windows XP laptop with Powerpoint 2011 on it, and then quickly forgotten about.

Not so Kuppinger Cole. Given I have spoken at their conferences some five times, and enjoyed every part of it means not only do they like what I do, but I also like what they do. To be fair, they also like to get the value for money out of me so I am going to be presenting one keynote and then involved in two other talks:

Tuesday 1§4th May: Facing the Post-GDPR Reality – Auditorium

Wednesday 15th May: How Traditional IAM Will Change Within the next 5 Years – ALPSEE

Wednesday 15th May: Panel: Anonymisation and Pseudonymisation – What Is It and Why Does It Matter? – AMMERSEE I

What I also like about working with Kuppinger Cole is that these are the titles they gave me. I could change them if I really wanted, but as they stand they challenge me to create interesting content and take it in a direction i may not have originally though of.

Ultimately, what I am saying is come and see my talks as i will be delivering with a smile and from a good place (not just the stage), and in fact every speaker will be doing the same. Come and see the difference a happy speaker makes at a fabulous conference!

 

 


Opening a New Door of Opportunity

As many of you have worked out by now I am no longer in full time employment and have decided to open the doors on my own business; I give you (TL)2 Security Ltd:

tl2_square_colour_logo

Originally intended to fill a gap on my CV while I find a full time job, and allow me to take on work in the interim, I have been blown away by the interest in the services (TL)2 Security offers and thee immense goodwill from so many people. As I was building the website I decided to go beyond a simple one page brochure and expand it a little, resulting in a genuine sense of excitement that I really could make a go of this little enterprise!

As a result I am sat in an office in Paris having just signed my first contract for a couple of months of work. This isn’t just any work, this is an international contract no less! I am also pleased to say I also have other work lined up and getting ready for the contract stage and all in all I am feeling a little pleased with myself.

FIST-PUMP-BABY-THUMB

You can visit the official site at (TL)2 Security, and see the consultancy services on offer, but they broadly fall into two camps, namely strategic (vCISO, strategic advice & support) and Speaking (conferences, keynotes, brand advocacy). It is deliberately very broad at this point and plenty of grey area in between where I will no doubt take on work that is neither one camp or the other; I do have a mortgage to pay after all.

So please welcome (TL)2 Security to the world, incorporated on 25th January 2019, and the first contract signed exactly a month later. It was a difficult labour, and I am still finding my feet, but I am so very, very excited to help it grow up and become a force to be reckoned with.

As the well know philosopher and entrepreneur, Derek Trotter, once said;

“This time next year, we could be millionaires”


Drowning, Not Waving…

Last week I attended The European Information Security Summit 2019 and spoke on the closing keynote panel at the end of the second day. The topic was “Unacceptable personal pressure: How senior Cyber Security Executives safeguard their own mental health, and those of their teams”, and as a panel we were surprisingly open about our experiences. Afterwards a number of people spoke to us about how pleased they were that we had been open and honest about a subject that is so often swept under the carpet as too difficult to deal with or just plain embarrassing. I have also seen the LinkedIn articles written since get a huge amount of traction with every comment a positive and supportive one.

I briefly told my story last week, and so have decided to elaborate a little more to a larger audience here. This is not meant to be virtue signalling, or jumping on the bandwagon, but rather a message to everyone out there who has suffered in silence and felt they were the only one with these feelings. These are the “highlights”, and some parts of the story are just between me and, well me, but I am sure this will paint the correct picture.

My last role was challenging to say the least; as a  newly minted CISO I was tasked with building a security team from the ground up (again) in a large global organisation that was as politically charged as it was not interested in security. We did well, growing to over 60 people at last count before I left, and were considered a high performing team who collaborated and never said no. People enjoyed working with us and we took on more and more work and constantly delivered.

The cost though was an intense environment where my main role was PowerPoint and politics, and constant air support for the team. Combine a tough travel schedule and the global, always on element, I never truly switched off. That said, one of my mottos was “Work Hard, Play Hard” so evenings with teams, internal clients and their customers in different countries were long, hilarious and helped us bond even closer to perform even better. Frankly it was exhausting and my sleep suffered.

So I did what every self respecting professional does, and started to self medicate with alcohol. It was, for the most part free from British Airways and Hilton, or on expenses (see above). It wasn’t a problem as I had a good tolerance, was a happy (maybe even hilarious) drunk, and while stupid things were done, it only bought us closer and more effective as a team.

And it wasn’t a problem for a number of years… until it suddenly was.

2017 was a very difficult year for me. In that year I drank almost every single day to excess as a result. I would get up in the morning and carry on working until the end of the day and I would start again. I wasn’t an alcoholic as I didn’t need to drink 24 x 7, so that was OK. I also managed to spend thousands of my own money on nights out with friends and team mates, pushing myself seriously into debt. My anxiety, stress and depression were getting worse, but I was able to medicate for that myself, so no problem.

Then came Rome. I will save you, dear reader, from the gory details, suffice to say that at 5am on a Monday morning at the end of September I found myself at the top of a building incoherent with emotion, raging at the universe, and willing myself to jump off. I had lost my third phone that year from the nights entertainment, had driven myself further into debt and I just couldn’t do it anymore.

Thankfully, an ambulance turned up, I was talked down, hospitalised for a few hours and then discharged. With no phone, in a foreign country, no idea of where my hotel was or where I even was, I managed (in a complete blur) to get back to the hotel, call my wife, get to the airport and get home only to spend the next four weeks in the care of the NHS and my family, and off work.

The irony of my situation wasn’t lost on me; here I was, a successful, well paid, C-Level Executive, ostensibly well known and regarded in the industry, and I am clinically depressed and suicidal. Therefore to say I was scared, lonely and emotional would be an understatement, and I decided to make some changes in my life.

Two of those changes are of direct relevance here;

  1. I stopped drinking alcohol. I was classed as a Non-Dependent Alcoholic and as a result was tasked with cutting down my intake dramatically. I decided to stop entirely, a choice I would have considered unthinkable, even laughable, just a few months before. I haven’t drunk alcohol since, not because I can’t allow myself to, but because it simply isn’t an important part of my life now.
  2. I decided to be more open about my mental health issues with not only my family, but my friends and work colleagues, and address them proactively.  I was not going to be defined by this event and lifestyle change, and I also wasn’t going to be held to ransom, mistakenly or maliciously, by the events I have just disclosed above. I have yet to discover anyone who I confided in who was at the very least supportive, if not understanding, be they family, friends and especially my team.

There is of course a damn good reason why I am sharing this with you. What follows is my takeaways for everyone who read the above and felt it resonated with them even just a little.

  1. Alcohol is a bad way to treat yourself for anything longer than a few days. Talk to a doctor or therapist sooner rather than later and save yourself a life threatening event to wake you up.
  2. There is no stigma in sharing your mental health struggles. I am constantly amazed at the overwhelmingly positive response from everyone I talk to about my personal experiences. If your friends and colleagues are not supportive of you, perhaps you should question why you are in the state of mental decline in the first place.
  3. If you work for a good company, and/or have a good team, your time out of the office will be dealt with and accommodated for allowing you to recover. When you come back, you will do so with more energy and vigour than most other members of the team. If you are not being supported, see point 2.
  4. If a member of your team is struggling, you don’t actually have to do much to help. Communicating to them that they should take whatever time they need to address their issues, and not asking questions is all that is needed. If your team can’t take up the slack, then how are they going to cope during an incident anyway?
  5. Be supportive if you can; it is difficult, but even small gestures like gifts of tea and chocolate (you know who you are…) or staying in touch over instant messenger to make sure someone is OK is also a great way to show your support. Humour helps too.

I’m going to close this with a call to action. This isn’t some virtue signalling programme that I will front up on Twitter and Facebook, but rather a call for everyone to include mental health topics in their team meetings, their management reports and metrics, as well as face to face meetings. The financial losses to our industry are probably staggering because of mental health issues, so we should be tracking and probing on it in our organisations as much as gender or racial diversity.

I want to reiterate, again, that if you are feeling it, someone else is feeling it too. Now you know what I have been through, I hope it means you now you have someone you can reach out to as well, or have to courage to seek help and support when before you didn’t.

As for me, I have never been better these last 18 months or so. I sleep better, I work better, I manage stress better, and I am pretty sure my jokes are better too. Therefore, I leave you with this unattributed quote:

I wouldn’t recommend suicide, it’s bloody dangerous. I nearly killed myself…

 

Note: I am going to be at the RSA conference in San Francisco in a 
couple of weeks time, as well as at a variety of other conferences 
over the coming months. Please do say hello and let me know your 
thoughts on this topic. Should it be as mainstream as I suggest, 
or should we just stick with the stiff upper lip approach?
Can and should we be doing something else?