Red Cross Volunteer Gives Back as Service to Armed Forces Resiliency Volunteer

There aren’t too many people who have become modern models for dolls produced by the American Girl company, let alone women who have had a long volunteer career with the American Red Cross. But Dorinda Nicholson – the real-life archetype behind the Nanea Mitchell doll – is very much a true story of grit, determination, and turning her survivor’s story into one of exceptional service wherever she goes. I recently wrote a profile of her for our local chapter blog.

What becomes a great leader most?

I keep returning to this meme because it just sounds right. I was reading one of Mark Cuban’s Tweets (or whatever they are now called) last week where he was riffing on qualities he looked for in a great leader. Now, he was talking politics, and I want to remove that context for the moment, because what he is saying has larger implications.

Leadership is something that I am somewhat familiar with: I have run numerous publications over the years, usually as editor-in-chief where I had to hire the staff. Back in 2012, I was selected to a special leadership training program with a cohort of 60 others, drawn from various organizations here in St. Louis. My wife was selected for an earlier cohort and encouraged me to apply, and it was a fantastic experience. I got to meet business, government, and non-profit leaders as they spoke to our class. We tackled some pretty thorny issues and had some amazingly frank discussions, and formed many  enduring friendships.

Cuban’s list gets to the core of what becomes a great leader most. His thesis is that a great leader is someone who he would hire, and understand and appreciate their values. He breaks this down into several categories, with the overriding aspect whether they are lifelong learners, especially in a world that is constantly changing. Being one of these learners, I never really thought that was necessary condition, but as I think about the best leaders that I have known and worked for over the years, I would agree with him on this and the other items on his list:

  • Will the subordinates who worked most closely to this leader come back to work for them in subsequent jobs?

I am proud to say that I have hired several people multiple times over our careers. This is an easy one to spot: the same crew follows a great leader from posting to posting. I wrote about the original crew that I worked with at PC Week back in the mid-1980s when Sam Whitmore, one of the editors, said it was like being in the Beatles. I once wrote about this group of five guys who have started numerous companies over a 20 year span as an extreme example of this.

  • Does this leader take credit or give credit to others?

I have had some really lousy bosses who were credit stealers. And some great bosses who wouldn’t hesitate to give credit where it was due. Another easy one to spot.

  • How a leader treats people who can do nothing for them.

One of the aspects of leadership that I have enjoyed most is developing someone’s skills and having them leave my operation and go on to do great things. I can think of several people that I hired that have blossomed and had amazing careers, and I like to think that I had something to do with that. But that is more a condition of being a great mentor, rather than buying your way into what Tom Wolfe once called “the favor bank.” Wolfe used the concept as a way to build relationships of trust, but it can also go awry if abused.

  • How does a leader handle the criticism that comes with the job?

If you have a thin skin, you aren’t going to last long in any leadership position. You have to roll with the punches.

  • Does a leader hire their staff for loyalty or ability?

This is harder to spot, because sometimes you don’t realize the loyalty connection until it is too late. With one job, I got fired because one of my subordinates was more loyal to my boss than to me. With another job, I eventually quit because this loyalty connection was undermining my ability to lead my team.

  • Does a leader create stress or reduce stress for the people around them?

Another easy one to spot. I wrote about this situation a couple of years ago when I suggested it was time to fire your jerk boss. At one publication where I wasn’t in charge, our leader was really great at creating chaos and pitting one staffer against another, just to see who would triumph. There was always a fire drill, and the fires were always five alarm ones too. It was like everyone had PTSD, it was so stressful. Conversely, a great leader will do the necessary blocking and running interference from their bosses, so the staff is insulated and get the actual work done. This goes hand-in-hand with how a leader handles criticism.

Thanks Mark for such words of wisdom.

Dark Reading: NIST’s Vuln Database Downshifts, Prompting Questions About Its Future

Since 2005, the National Vulnerability Database (NVD) has been posting details about the hundreds of daily common vulnerabilities and exposures (CVEs) discovered by security researchers from around the globe. But last month, the critical government-sponsored database went from being an essential tool to a nearly dark destination. That is when any details in the NVD have been omitted, details that make the vulnerability data useful to enterprise security managers and to the numerous vulnerability management tools that can help prevent potential damages from attackers. My story in Dark Reading tells this sad tale.

A voyage of personal discovery set in the high Sierra town of Cerro Gordo

 

One of my guilty pleasures has been watching the videos of Brent Underwood, a 30-something dreamer who for the past four years has been living in the high Sierra ghost town of Cerro Gordo and filming a series of videos for his YouTube Channel. There is now a book that he wrote about his experiences.

I am a big fan of what he is doing, not that I would want to uproot my very comfortable life in St. Louis and move to a place where there is hardly any running water, where you are at the mercy of massive weather systems that can flood or block a torturous eight-mile dirt road for days at a time. A place that is a study in contrasts: at one point, the town’s mines were responsible for creating great wealth in extracting silver, zinc and lead deposits, yet like Ozymadius, very little remains of the town apart from numerous abandoned buildings and lots of memories of the thousands of its former inhabitants.

What resonates with me about Underwood’s personal journey is that he is very honest and articulate about his experiences. The book captures more of his philosophies and musings about human nature. These don’t really come across in the video episodes, which usually center on various construction challenges or averting near-disasters as he is snowed in, flooded out, or at the mercy of contractors that decide to not show up for a promised work session.

Some of these events have been heart-breaking. The old American Hotel, once a centerpiece of the town, burned down at the height of the Covid pandemic. Rebuilding it has required immense quantities of concrete, steel, lumber and water that needed to be trucked up that dirt mountain road and put in place with dozens of volunteers who came to help out the effort. The floods that hit Death Valley also took out the town’s access road not once but twice in quick succession, as the road follows what is normally a dry wash through the mountains and was transformed into a raging river. And the town’s main water source is a creaky Rube Goldberg collection of antique spare parts that is connected 700 feet below ground inside one of the mine’s tunnels. Any one of these things would have sent a normal person heading back down the mountain to seek some less challenging life, but Underwood persists in his quest to bring the town into the modern era.

Underwood often gives himself various challenges: how to operate a backhoe, how to refine silver from the raw ore-bearing rocks he digs out of his mine, how to build a deck from scrap 140-year old wood that has been exposed to the elements, learning how to create a successful video series. “Mastery comes from learning a variety of skill sets and combining them in a way nobody else can,” he writes in his book, which is a theme that I realize I also live my own, somewhat less-frantic life. “I was learning what I loved and learning how to make a living doing that.”

One of the main characters in the book is an elder named Tip who has a great deal of knowledge of local lore and takes Underwood under his wing and share his perspective. Along the way, Tip helps him unlock many of the secrets of the town and its environs, and helps him learn more about himself in the process. Their relationship is astounding, given that many of the  lessons learned happen on the steep cliff sides of the Sierras and hundreds of feet underground as they try to navigate the century-old caverns and tunnels.

Tip is taciturn and dying of cancer but his Jedi wisdom seems to be delivered to Underwood at just the right moments that can be appreciated and where he can learn some important lessons. But unlike the plot lines of numerous movies, this is real life, wrought large at 8000 feet.

Dark Reading: 5 Ways CISOs Can Navigate Their New Business Role

CISOs can successfully make their business operations more secure and play a larger role in the organization’s overall strategy, but there are pitfalls to avoid.

According to Forrester’s recent security program recommendations report, “the eyes of the world are on CISOs — but not in a good way. There is now a long list of sacrificial CISOs who have either been fired or left due to disagreements with their firms.”

Navigating what comes next isn’t easy, but in my post today for Dark Reading are five takeaways from Forrester’s analysis that might help identify some pathways to success.

Forget TikTok bans. Think about connected Chinese cars.

This week our Congress is crafting legislation to remove TikTok from our lives. It is as misplaced as Nancy Reagan’s “Just Say No to Drugs” campaign — and perhaps as empty a gesture. Yes, there are real issues with all that social media metadata ending up on some Chinese hard drive, and the notion that ByteDance can separate its US operations and clouds from Chinese ones shows how little our lawmakers understand technology.

Instead, I would like you to think about the following companies: Nio, Inceptio, XPeng and Zeekr. Ever heard of any of them? They are all major Chinese EV companies, and all of them pose a much bigger threat to our data privacy and national security than TikTok. By way of reference, China has hundreds of car makers, and they are all obligated to transmit real-time data to their government. Now they want to sell them here and are doing road tests.

Last fall, another bipartisan group of lawmakers sent letters to these and other Chinese EV makers, wanting to get more transparency about the data they collect on their cars . I haven’t seen the responses, but guess the truthful answer is “we collect a lot of stuff that we aren’t going to tell you about, and we have to share it with the CCP.”

Last week, the Commerce Department issued its own request and asked for public comments as part of its role to consider its own series of regulations. The department is investigating the risks of EV and other connected vehicles on national security and potential supply chain impacts of these technologies. Interestingly, it is finally acting on a Trump Executive Order. Another bipartisan effort. The document linked above asks for a lot of details about obvious data collection methods. If I were running a Chinese car company,  I would think about designing systems that would be less obvious. One of the things these Chinese car makers are quickly learning is how to become better software companies, thanks to the Tesla business model. (Tesla also makes and sells its cars in China BTW.)

While there are hundreds of millions of TikTok US users, some of whom are adults, the threat from car metadata is much more pernicious, especially when it could be paired with phone location data from passengers sitting in the same vehicle. What they both have in common is that all this data is being collected without the user’s knowledge, consent, or understanding who is actually collecting it.

Those phones have been recording our movements for quite some time, without any help from China. There are so many stories about tracking the jogging routes of US service members at foreign military bases, or tracking a spouse’s movements, or figuring out where CIA employees stop for lunchtime assignations near Langley, etc. But that pales in comparison to what a bunch of CPUs and scanners sitting under the hood can accomplish on their own.

Remember war driving? That term referred to someone in a car with a Wifi scanner who could hack into a nearby open network. That seems so quaint now that a car could be doing all the work without the need for an actual human occupant. I guess I will go back to watching a few Taylor vids on TikTok, at least until the app is removed by Congress. In the meantime, you might want to review your own location services settings on your phones.

Dark Reading: Typosquatting Wave Shows No Signs of Abating

A spate of recent typosquatting attacks shows the scourge of this type of attack is still very much with us, even after decades of cyber defender experience with it.

Ever since the Internet became a commercial entity, hackers have been using it to impersonate businesses through a variety of clever means. And one of the most enduring of these exploits is the practice of typosquatting — i.e., using look-alike websites and domain names to lend legitimacy to social engineering efforts. In my latest post for Dark Reading, I talk about the recent series of attacks, why they continue to persist, and ways that enterprise security managers can try to prevent them from happening, although the fight isn’t an easy one.

 

Dark Reading: NSA’s Zero-Trust Guidelines Focus on Segmentation

Zero trust architectures are essential protective measures for the modern enterprise. The latest NSA guidance provides detailed recommendations on how to implement the networking angle of these measures.

As more workloads shift to the cloud by businesses, there is more need to adopt zero trust computing strategies. But the notion of “untrusted until verified” is still slow to catch on, although in some areas of the world, such as in the United Arab Emirates, zero trust adoption is accelerating.

To try to bridge the gap between desire and implementation and also provide a more concrete roadmap towards zero trust adoption, the US National Security Agency has been publishing a series of guidelines over the past few years, covering device protection and user access. The latest one was released this week concerning network security.

My story on what this means for zero trust is in Dark Reading today, and it can be found here.

 

 

Dark Reading: How CISA Fights Cyber Threats During Election Primary Season

When US election integrity and security took center stage as a political football after the 2020 Presidential race, the Cybersecurity and Infrastructure Security Agency (CISA) is doing what it can to dispel security concerns around this year’s trip to the polls.

CISA, along with several other organizations, has beefed up various cybersecurity support resources for elections in general, including more programs for state and local elections officials, and for volunteer poll workers. In my post for Dark Reading today, I describe some of these efforts and explain the unique combination of cyber and physical security needs to ensure our democracy continues with free and fair elections.

When it Comes to Cybersecurity Practice, Don’t Be Okta.

I have written about Okta for many years, back when they were an upstart single-sign-on security vendor coming of age in the era of cloud access and identity. By way of perspective, back in 2012 (when I wrote that first Network World review when I gave them high marks for their product), most of Okta’s competitors offered on-premises servers and the cloud was more of a curiosity than a sure bet. Seems very quaint by today’s standards, when the cloud is a foregone conclusion.

However, you can count me now as one of their detractors. This is why my hed says when it comes to cybersec practice, don’t be Okta.

Let’s look at the timeline over the past couple of years. During 2022 alone, they experienced a phishing attack, another major breach, and had their GitHub source code stolen. Then last year they saw two separate supply chain attacks that affected most of their customers, along with leaked healthcare data on almost five thousand of their employees. And last fall yet another attack on MGM and Caesars resorts was blamed on a flaw in their software. It is almost too hard to keep track, and I can’t guarantee that I got all of them.

Some of these attacks were due to clever social engineering, which is embarrassing for a cybersec company to fall into. Now, all of us can have some sympathy over being so compromised, and I know I have almost fallen for this trick, particularly when it comes in the form of a rando text message that asks how I am doing or something that appears innocent. But still: Don’t Be Okta. Spend less time multitasking, particularly when you are on your phone, and focus on every message, email, and communication that you receive to ensure that you aren’t about to play into some hacker’s hands. Pay attention!

Some of these attacks were due to bugs in how Okta set up their software supply chain, or poor identity provisioning, or a combination of things. Okta’s CSO David Bradbury was interviewed over the weekend and promised to do better, rolling out various security controls in an announcement last week. That’s great, but why has it taken so long?

One weakness that was repeatedly exploited by attackers was Okta’s lack of attention when it came to provisioning admin-level users. They are now making MFA required for all customer admin consoles. They are also requiring passwordless access for all internal employees. It has taken them, what 15 years and multiple hacks to figure this out? Neither of these things are heavy lifts, yet I still talk to many folks who should know better who have resisted implementing these tools to protect their personal account logins. Don’t Be Okta!

How about better and more transparent breach reporting? Some of those supply chain attacks took months to figure out the depth, nature, and cause — and then for Okta to properly notify its customers. As an example, the September attack was initially estimated to impact one percent of its customers, before being revised to 100%. Oopsie. That doesn’t bode well for having a trusted relationship with your customers. The EU requires breach notification in two days. Was someone asleep or was management at fault for taking its sweet time getting the word out?

Buried in all the good cheery messaging from last week was this little tidbit: “As more features are rolled out in early access mode, the company intends to turn the controls deemed most beneficial on by default.” Ruh-oh. Turn them all on by default, right now! You want security by design?

Bradbury ironically admitted that security has never been a value historically for the company, and claims that almost half of their engineers are now working on security, apart from an actual security team. Just adding bodies isn’t necessarily the right move. Everyone needs to be focused on security, so I ask what are the other half of the devs doing that gives them a pass?

This isn’t the way forward. Don’t Be Okta! Take a closer look at your own security practices, and ensure that you have learned from their mistakes.