“Maintain a positive relationship with the risk of oppositional forces acting against your interests that is agile in bringing appropriate resources to bear and independent of change, complexity, escalating pressure, technology, business strategy changes, and specific oppositional actions across all elements of your value chain while minimizing the involvement and role of dedicated security personnel and technology in achieving that relationship and emphasizing the role other business elements play in introducing and managing cyber risk. ” With maybe less awkward wording (it’s really bad), what do you think?

And, some (very incomplete) thoughts on problem spaces which need work to do the above successfully (possibly, problem spaces to be solved to derive tactics?):

  • Identify *specific* manners in which decision making across the organization defines (not just affects) security
  • Enhance ability to express coherent business-security policy through technology sustainably, effectively, efficiently
  • Limit knowledge, skill, time required to do all of the above
  • Integrate perspectives across national enterprise (i.e., soften/remove classic business boundaries)
  • Effectively link human and technological systems into a common system which can be spoken to by a common policy
  • Identify and measure indicators which provide visibility into non-security organizational behavior that results in desired security state independently of security-specific activities
  • This is an event reporting format I played with at EnergySec. It’s meant to capture specific detail while at the same time clearly conveying areas of concern quickly and to less technical audiences. It is a non-standard format and does not attempt to play with other efforts at all, but I thought maybe readers might get something out of it.


    So, since several people who haven’t had a chance to hear me go on about it in person have asked (in concern) about my “Hey, I’m going to be indefinitely and intentionally homeless starting in August, yay!” posts (most notably my dad heh), I thought I’d explain a little (if still not enough) here:

    By August 1 I will, for all intents and purposes and unless something WILDLY unexpected blows up, have absolutely no obligations whatsoever beyond my job, which will by then be location-independent (for awhile). I’ve never actually, as an adult, not had obligations. Most people haven’t and it’s kind of a neat opportunity. I’d be terribly remiss (and a bit chicken!) if I didn’t take advantage of the freedom while I have it, so I’m going to.  I’ve mentioned several possible scenarios, but the main point is that I’ll really, with the exception of August, leave absolutely every possibility open until the last minute.  For example, I REALLY want to go back to Phnom Penh in Cambodia. I Loved that city. But I also want to bike/hike/camp around for a bit. I’ve been meaning to for years, I had SOME plans last year which fell through because of gout primarily, so why not now? Etc. Etc. Etc. What would YOU do if you didn’t have to be anywhere in particular for a year or longer? Not “sit in a perfectly typical looking apartment in a city you’ve lived in for 10 years” probably. Well, I wouldn’t. I won’t! But I won’t know what that looks like till I get there. :)

    I also want to take some time to develop some of my art and explore some other potential career options…I’ve developed some skills that could turn into an actual NON-computer career if properly nurtured…and god knows I’m sick of looking at freaking computers.  But, that said, within my career space – specifically cybersecurity – I’ll not only still be running workshops, training, and writing for Energysec (who are awesome) but I’ll also be VERY MUCH AVAILABLE for independent strategic cybersecurity consulting, workshop participation & conference speaking, training, and writing gigs that fall outside of Energysec’s scope.  I can travel to you. :) Email me? My quality is high, my rates will be low <smile>.

    I realize that there are plenty of cliche’s about “going to find yourself”, but this is significantly more concretely and specifically driven than that.  For example, I genuinely don’t like living in one place, in one apartment. It’s claustrophobic for me. So, I’m not going to if I don’t have to.  At least until I get bored or something external forces me to stop. I might write up something longer about the internal motivations, but for now I think you get the idea.

    Sooo..that all said, what are my concrete plans? Here’s a schedule of what I know:


    EDIT FROM OLD: These Plans Have been Updated (Although Remain Thematically Similar). See: http://homelesshackerclub.org/2014/07/30/sintixerr-introduction-part-i/

    Imagine that:

    • Cybersecurity is a never-ending chess game
    • Your pawns are your cybersecurity capabilities
    • Your named pieces are the rest of your business capabilities
    • Your infrastructure is only the board and provides no inherent (or strategically relevant) defensive capability
    • Your business is controlled by those pieces on your side of the board
    • There are many players – nations, criminal gangs, auditors, competitors and others
    • Their goal is control of your business by outmaneuvering your pieces, not taking them
    • These players’ infrastructure is also part of the board
    • You can’t always identify who made which move or whether a move was made at all
    • Your competitors cannot lose
    • You cannot win, you can only either limit the amount of time your competitors control your side of the board or convince your opponents to invest fewer resources in the cyber game
    • All past, present, and future APT1 activity is a single move by a single player
    • And this chess game connects to all of the non-cyber games as well


    China: My move is to use my military to employ semi-autonomous actors in an ambiguous way that will look like they’re just going for the 3rd row of the board, but I hope you won’t notice that it’s really to tie up your pawns (security capabilities) and misdirect/abuse your named pieces (business capabilities) in a way that will allow my other pieces to reach your side of the board in 2 moves so that I can influence your business’s behavior in a way that will create LONG TERM economic instability in an area important to the other geopolitical chess games I’m playing”


    APT1 is a tactic – a means to a larger end. Whether China breaks in to a given piece of infrastructure on a given day in a given way is irrelevant. Similarly, “regularly and consistently apply patches” is a tactic  – a move – with a pawn (the security capability) that may have to move differently later (revamp patching) to counter oppositional moves. This is as independent of a given system/vulnerability combo set as is the Chinese-Ops-Capability when they decide to engage in APT1 activities over time (a single move) to create space for Chinese-Secret-Capability to make a “utilize sabotage activities” move if it needs to. A good question to ask here is what are your named pieces doing? (Your CEO’s, your COO’s, your CFO’s?, your sales teams? your marketing teams?) Are they pro-actively being used to strategically minimize access to your side of the board, or are you relying on the limited tactical strength of your pawns (security capabilities) to do all the work?

    It’s worth noting that the competition isn’t trying to break into your infrastructure, it’s trying to strategically create value for itself from your business using your infrastructure over time.  Individual attacks (past or potential), attack mechanisms, and even technical vulnerability classes are not meaningful in terms of the kind of risk management required to inform strategy at this level. Here, under these rules, the things we do, both technically and from a risk management perspective, become very different.  Instead of saying “Ok, we need to protect against….APT…..and we need to protect against….the possibility of a DDOS attack…”, we should instead be asking  “how do we optimize decision making in a way that will minimize the ability of others to manipulate our business in the most sustainable, cost effective way?”

    And that leads to…that thing everyone says we need but can’t articulate in concrete terms: sustained strategic resilience :)

    So…ask yourself:

    How well is your organization playing? Does it even know these are the rules?



    Here is the actual slideshow from the #NISTCSF Webinar I did:

    Download it here:


    The recording of the webinar is here:


    If you’re not familiar with #AmtrakResidency, check it out here: http://blog.amtrak.com/amtrakresidency/

    It’s basically a new program to give a number of people a chance to ride Amtrak for free and “write”.  Since I was in high school I’ve been encouraged to go somewhere and write about my life for awhile (a high school guidance councilor even offered me an empty cabin in the woods once I graduated to do so – but it didn’t work out).  I’m not sure I’m what they’re looking for, but maybe? Here’s what I submitted:

    Why do you want an #AmtrakResidency?

    I am a hacker, an educator, a writer, and an artist.  I am a past and future vagabond, a drinker of Unicorn Tears.  A high-school drop out, I was recently invited by name to a White House event.  I’ve traveled the world, been to a cult gathering, and I just donated my house to charity because I could.  An ex-altar boy, I’ve held a government security clearance while in jail in Los Angeles. From mansions to a trashy punk rock hacker compound, my only reliable home has been my backpack.  I’ve lived a life ranging from “the pool is on fire” to “absolute corporate monotony” and a childhood coast-to-coast ride on the Amtrak Sunset Limited changed my life.   In August, I’m giving up the life I’ve built for awhile to pick up my backpack and get back on the road and write about it all.  I think the Amtrak Residency would be a fitting addition to the story and a perfect environment to help make it happen. I’d like to wander on a train again and I appreciate your consideration of my submission.

    How would this residency benefit your writing?

    While I do have concrete plans to get on the road in August – including a stint at a mega-hacker conference in Vegas, Burning Man, and an art project in Phoenix – those plans do not yet include a specific means of transportation (or even further destinations). I was just going to wing it.  If I’m accepted to the Amtrak Residency, it will give me the time and space to collect my thoughts and frame my experiences into something I can share with the world.  I have never been confortable too long in one place, but life on the road will offer few opportunities as peaceful, beautiful, and calm as a ride on Amtrak. Further, I think residency would make a compelling bookend to my teenage trip on the Sunset Limited and provide a strong foundation for the story I would like to tell.  Moreover, and perhaps most importantly, I have primarily been writing “business” articles and am hoping for stimulation to switch to a more creative outlet.

    Writing Samples (They were better formatted in the actual submission!)


    As I look

    from this god’s eye view

    I can feel the tides that pull at you

    that tease your skin

    the way they make you run

    and crawl a million years

    Angles fraught in silence

    kisses on the edge of violence

    weeping copper tears

    delicate wrought past tense

    I can feel the tides that pull at you

    that break your bones

    the way they leave you jagged

    sharp to cut men open

    As we fall

    From this god’s eye view

    (Written looking out at the U.S. Southwest Desert from a plane)




    Turning around and aroundwith light steps happy smiles

    that cover the walls

    and that plaster the doors

    with a cracked-white-mask

    that has fallen to the floor

    staring up and around

    with its cut-broken-eyes

    looking up to the ceiling

    that wants to be free

    to dance and to twirl

    and to smiile so sweetly

    and to hope and to pray

    and to believe! but not really

    she said

    a cup of sugar

    but I disagreed

    as I spoke to the angel

    who had risen above

    from a crook in the wall

    to the toys down below

    burning for vengeance

    they were never at all

    said the horse to the mask

    with his grin into pieces

    rest never in (heh) peace

    but laugh all you can


    he saida pinch of nirvana

    closed in your hand

    twisted and pouring

    as the alligators ran

    from three mirror windows

    all shattered and burning

    emerges a picture

    of the world slowly turning

    I said

    Today is the day of the rainbow bend

    Where the months come to gather…

    And the seasons share friends.


    (Written while trying to graduate from high school after dropping out)



    Not long ago, after a night of drinking, I came home and tried to throw my bed – both mattress and box springs – into the dumpster. I wanted them gone.  I wanted to sleep on the floor. I needed the minimalism.

    Luckily, I passed out before I could do any damage and a cooler perspective prevailed in the am.  Still, this was part of a longer trend and a real enough impulse that if I had remained conscious, I really would be sleeping on memory foam alone now.

    I can’t say when it started, but I have been shedding material possessions for some time and lately it’s reached a frenetic pace. At this point, in a two bedroom apartment, the only furniture I own includes:

    1 mattress and box spring, 1 loveseat, 1 bookshelf, 1 small side table, 2 metal tv stands from IKEA, 1 small metal stand of drawers, a foldable chair, a treadmill, a treadmill desk, and a bowflex.

    My kitchen pots and pans aren’t even that. I have one pot, one pan, a rice cooker, 2 spatulas, 2 cutting knives, and disposable utensils. I do not own a microwave.

    My book collection has been reduced from “a hundred” to “tenish”.


    The point is, I don’t have much stuff. Other than the exercise equipment, it could all conceivably fit into a studio apartment.

    And I am having an absolutely outright panic attack over it.  Still.  After giving or throwing away thousands of dollars and thousands of pounds of stuff.


    As my spring “event” approaches, I realize more and more that I’ve failed to control my environment and let it control me.  I have abdicated throughout my life, whether through intent, accident, biology, or character flaws, control of myself.  As I’ve allowed myself to be shuffled down the path of least resistance (perhaps in the manner of L’etranger ), I have put myself in a corner that I do not know how to get out of.  And, in a nonsensical attempt to reduce this complexity enough to claw my way out of the corner, I’ve given myself a sort of Phobia of Stuff.

    This might seen shrug-worthy to some, but it’s really not. Not to me.  It’s just hard to explain the tight burning horrible ball of bunched up mental and emotional stress that “owning things” creates in me – or what it feels like.

    I keep thinking that if I can get to a point where I can name, from memory, every single object I own, then maybe I’ll no longer feel crushed. At least not by the weight of this one aspect of my environment.  My life choices at any given juncture will not be constrained by physical baggage. I will be more free.

    Right now, though, I have a conundrum.  I’m sitting on that 1 love seat (a beautiful white leather one) surveying my apartment and mentally listing all those things I must have vs those I merely think I want and it’s HARD.  I mean, what the fuck do I really need with that ripped paper lantern I picked up in Vietnam? Or an electronic keyboard I’ve played 3 times in 5 years?  I don’t. I have no need. But still, here we sit staring each other down.

    It strikes me as curious that, although I’d been willing to give up these things to real death earlier on in my life, I’m still clinging to them now as I march on toward another kind of end.  I don’t know why that is.  But I do know that eventually I will let them go.  If I can’t bear to give them, sell them, or trash them, then I will burn them.  The detritus of my life will not be left to litter the future.

    IGNORANCE IS BLISS (How cyber risk management succeeds)

    I’ve seen people fly, I’ve seen birds fly, I’ve seen a horse fly, I’ve even seen a house fly, but I’ve never seen an organization fly. And, as silly as it might seem, this really does have significant implications for managing cyber risk – especially when we look incredulously at the many public compromises and wonder “why does it keep happening?”.

    A good way of approaching that question is to look at where cyber risk management is “succeeding”. Succeeding? Yes! Cyber risk is, in fact, being managed – and quite well! If you doubt this, you might need to ask yourself important questions like “Which risks are being managed?” and, more importantly, “Which risks to *whom*?”

    What I mean to say is that, while organizations can have an effect on the world around them, they can’t actually be seen or touched. They’re not tangible and they can’t…”fly”. Instead, they are the conceptual sum of the many varied decisions of individual people. These conceptual sums are inanimate; they cannot – and do not –feel risk. Instead, it is their executives, owners, employees, and customers who feel risk. Their soft squishy human hopes, dreams, passions, fears, biases, moods, and biochemistries ultimately drive organizational “risk tolerance” and we should never forget it. Here, it’s crucial to understand that people almost exclusively put risks to themselves ahead of all others (including an organization’s).

    So, then, if the “collective” risks to individuals do trump all else, where do we look for ownership and resolution?

    Well, some would say “users”, but do “users” (or “individual performers”) care more about meeting their boss’s expectations or saving the intangible organization from invisible adversaries and hidden costs without direction? Probably the former.

    Further, while “the bosses” who set these expectations might see that the cyber problem exists, their primary risks resolve around meeting their own senior leadership’s expectations as well.

    Ok, but isn’t IT Security key to cyber risk management? Not really. IT Security, like any other group, must align themselves with their senior leaders’ and executives’ priorities. Without that alignment they hold no sway or effect.

    So, then, it’s on Executives. Senior leaders, what drives your risk appetites?

    I ask because cyber risk management is a hard problem. Aren’t you safest if you follow best practices and “buy Cisco”? Ultimately, if you do and your organization gets compromised, what happens to you? Most likely very little – you did your best after all. Is it even in your best interest, then, to know cyber is a hard problem? If you’re aware that best practices have been failing like communism, aren’t you then obligated to come up with solutions of your own? Wow. No way. It’s best to believe the hype; best to buy Cisco; best to keep transferring the risk.

    Intentional ignorance (or lack of “awareness”) isn’t just bliss, it also reduces risk to those people directing organizations and dictating the priorities of their human building blocks.


    About Me

    Jack Whitsitt

    Jack Whitsitt

    National Cyber Security. Risk. Multi-Dimensional Rainbows. Maker of conceptual lenses. Artist. Facilitator. Educator. Past/Future Vagabond. Drinks Unicorn Tears.

    Follow me on Twitter

    My Art / Misc. Photo Stream






    More Photos

    Get every new post delivered to your Inbox.

    Join 36 other followers