Archive for November, 2009

On Becoming Immortal and other difficult tasks

November 30th, 2009 No comments

There once was a boy who wished to be immortal.  It was not until much later in his life that he learned the implications of such a wish and how to handle it actually coming true.

On Becoming Immortal

As a young boy he enjoyed reading comic books and walking to the park where he spent many sunny afternoons staring up into the sky and imagining what it would be like to have each of the various super powers that he read about in his comics.  He would replay parts of his life in his mind and interject a super power into the story.  One day was invisibility where he could hide from his parents and listen to them talk without either knowing he was there.  Another day his ability to fly enabled him to escape the local bully or soar to new places around the world which he had until then only ever watched on TV.

Of all the super powers he would imagine, it was immortality that fascinated him the most.  With the ability to live forever he could accomplish anything.  He could save up his allowance in order to buy things he now only imagined.  He could visit every place he imagined flying and never run out of time.  Even at an early age he realized that the most precious thing we have as mortals is time.

His desire to use his time wisely drove and motivated him.  He worked hard growing up, hustling when necessary, to get ahead.  He studied in high school to get into college and there to get a good job.  With a job would come money and with that more time to spend as he wished.  His master plan was set in motion and nothing would stop him.  Nothing until that one fatal day that would derail his carefully crafted plans and change the course of his life forever.

Discovering Immortality

It was a sunny day and he was crossing his college campus considering yet another option for optimizing his life.  Wrapped up in thought and reading a book while walking (to save time), he didn’t notice the crosswalk said STOP, nor did he notice the bus headed in his direction.  A screech of tires. He looked up just in time to see the bus hit him at 35 miles per hour.

The next thing he remembered was coughing very hard as he gasped for air.  A bright light shone in his eyes and for a moment he thought about the afterlife.  Then a shadow blotted out the sun and he saw the face of a stranger asking if he was OK.  He had just survived being thrown 50 feet down the street and landing on his back.  People stood around whispering in amazement.  He scrambled to his feet and quickly ran off to escape the attention.

That moment introduced him to his own super power – Immortality!  Finally, he would have the time and eventually the money to do anything and everything he ever wanted to.  Happiness was close at hand and he wanted it all.

Discovering What Happiness is Not

Over the years he began doing everything he ever wanted to.

  • Explore the Wonders of the World? Check.
  • Lead tours of the Trans-Siberian Railway? Check.
  • Become conversationally fluent in Mandarin? Check.
  • Hitchhike around the world? Check.

He would immerse himself in various projects and hobbies until he had mastered them and then move on to the next, only sometimes staying within any one realm for a prolonged number of years.  Each day was another opportunity to do something new and become better at the current task du jour.

As the years went by he began to amass great wealth and with money came the ability to do even more.  He never acquired goods for anything other than investing and cashing out decades later.  Instead he used his wealth to access items and events reserved for the rich and powerful.

  • Richard Mille 012 Tourbillon watch? Check.
  • Driving a Ferrari down the Champs-Élysées during Bastille Day? Check.
  • Invitation to the Bohemian Club? Check.
  • Invitation to the World Economic Forum in Davos? Check.

The list of invite-only luxury events and items seemed as endless as the original list of must-do events he had planned before the money poured in.  It was still not enough.  He wanted more but since his super power did not enable him to be in all places at the same time he found himself missing out on opportunities.  He missed the Renaissance in Europe because he was exploring the Himalayas for a few years.  He missed the 60s in San Francisco because he was teaching English in Japan for 10 years.  He missed the gathering of famous and influential people throughout history because he simply wasn’t in the right place at the right time.

As time passed he learned that he could not be everywhere at once nor could he predict where “the” place to be would happen next.  He was like a surfer who wanted to ride each major wave around the world but never knew where they would be.  The longer he lived the more his realization of his eternal tomb began to crystallize.  He had accidentally stumbled upon his childhood dream and now his greatest dream had become his worst nightmare.

Discovering the Internet

The advent of the Internet brought with it the possibility of infinite, ubiquitous, real-time information to anyone at any time.  This seemed the solution to all his problems.  The immortal could now know the exact moment of every major event and would never miss a historical or exclusive event again.  There is a saying that “The best laid schemes o’ mice an’ men…”

The Internet brought with it the ability for him to know where and when each event was, but it did not make him an organic part of it.  Instead of expanding the number of experiences he could have, it only expanded the number of moments he could experience as a sideline bystander.  Instead of being a part of a movement he was now only an observer, lessening each experience as he raced to see them all.  The Internet had not improved his situation; it had only decreased the signal-to-noise ratio, introducing a greater number of less valuable experiences.

Discovering Happiness

It is said that immortality does not provide a solution, it only prolongs the problem.  The power of immortality brought with it many wonderful experiences but took away one very valuable experience – that of growing old.  Most of us do not look forward to growing old but each stage of life brings with it special lessons that are hard to learn until you arrive at that stage.  All of our life we are looking forward to the next thing: our first date, our first kiss, our first sexual experience, our next job, our fashion, our car, our wallet, our retirement, our vacation, our life ahead.  It is not until we come close to the end that we begin to reflect.

Becoming old and closer to death enables you to reflect in a way you never have before.  It’s not about reflecting on a moment or a relationship or a job.  It’s a much more holistic reflection on our life and times.  We begin to experience regrets not of commission but of omission.  While we were looking forward to the next item and stage in life, what had we missed?

Around 300 BC it was Theophrastus who first wrote in Diogenes Laertius that “time is the most valuable thing a man can spend.”  This phrase has been repeated in various forms for over 2000 years.  The question yet asked is, if time is the most valuable thing to spend then what is the most valuable thing to spend it on?

Many answer this with the three traditional virtues of god, family, country.  I challenge there is a more basic element that makes up these three and all the other items of purchase for an immortal, one with infinite amounts of the most valuable currency.

Experience.  It’s that simple.

Experience

I challenge that experience is the most valuable thing one can buy with the most valuable thing one can spend, time.  By this I do not mean the experiences one can buy with money like a roller coaster ride, airline flight, or guided travel experience.  By experience I mean those impossibly personal and intimate moments that you can only achieve through time spent with another individual, learning a skill, or living as part of a culture.  It very much is the journey, not the destination.

There was once a book wherein the main character went sleepwalking every night and every morning he woke up not knowing what happened the day before.  He went to a doctor and said he woke up bleeding, probably from a fight during his sleeping hours.  Instead of trying to cure this he told the doctor that to him experience was the most valuable item, so be it a great love or a bloody fight, which he had never experienced before, he wanted them all.

Although I do not condone fighting I do think we should all consider how we spend our time, who we spend it with and what we spend it doing.  Are you making the most out of your time?  Are you leveraging it to maximize your experiences?  Consider for a moment that you do not need more money or time, but need to learn how to better spend what you already have.


3 Rules to Live By

November 23rd, 2009 2 comments

I sometimes reflect on the most influential themes in my life and decided to list a few here.  Of the many people I have crossed paths with in life each has passed along some bit of advice or action that I’ve learned from.  Sometimes these lessons come by means of a message or characteristic that I want to emulate or avoid.  The following are three of the most critical rules by which I’ve learned to live.

1. Nothing is impossible, the impossible just takes longer

My Mom always believed in me even when there was no reason to.  Many times she would tell me that I can do anything I put my mind to.  She really had no reason to say this to me.  As a child she had never seen me accomplish something wonderful or amazing.  She did not base her beliefs on past experience and well calculated prediction models.  She based them on faith.

One day she bought me a t-shirt that read “future Nobel Prize winner.”  My mother is a woman of faith which is the only reason I can give for such action and belief.  Perhaps the only thing parents can ever have is faith, but she repeated it to me so many times that even I began to believe.  I learned that there would always be people smarter, faster, or more creative than me.  It was that faith that gave me the secret weapon of brute force.

I would try longer, harder, and with more ferocity than others because I knew that I could achieve anything I put my mind to.  I am still of the belief that even if you do not know the right direction to go, it is better to run as hard as you can in the direction you think is right.  The faster you find the wrong path, the sooner you will turn around and run towards the right one.  Life is too short to ever simply wait and hope for the best.

Victory goes to those who believe in the impossible.

2. Learn the good, avoid the bad

I recall vividly driving to work with my Dad one day and he told me something in passing as part of a rare father-son moment.  He told me that I would come across all types of people in my life, but I would be most successful if I incorporated into my life the positive good they expressed and learned to avoid the bad.  That little talk may seem rather benign, and even writing it now sounds like simple advice, but put into practice it can be a very powerful tool.

I believe that in each of us there is the ability for great good and great evil.  We express this in part by our actions or lack thereof.  I know that I cannot live a thousand lifetimes but I can learn from the lives of thousands of others.  I can listen to their stories, observe their actions, and learn to incorporate into mine the very best of each.

Call it the Highlander of social interactions, but it works.

3. Never stop improving

I once wanted to be a writer.  Not a blogger but a writer of books.  In my search I called people I knew who were great presenters and writers.  I recall pacing the hallway of an office building in Chicago when I called Richard Thieme and talked with him about my desires to become a writer.  He told me one very valuable thing.

“Never stop improving.”  He said that the moment you stop improving in your writing, or any domain for that matter, is the moment you might want to consider moving on to a new one.  I believe he is correct.  I believe to stagnate is to die the slow and painful death of mediocrity.

Genius vs Insanity

Remember that the line between genius and insanity is short, but so is the line between good and great.  Many people in this world are good at what they do but so very few are truly great.  The reason for this is not because they lack the skills but because they refuse to apply the skills.  The reason people do not become great is because they think it is impossible, they do not learn from others, or they simply give up.

Begin each day by asking yourself if today is going to be a good day or a great one.

“And those who were seen dancing were thought to be insane by those who could not hear the music.” – Friedrich Nietzsche


ATMs: PTS, PCI DSS, or PA-DSS?

November 8th, 2009 2 comments

A friend of mine and well-known expert on the PCI standards, Branden Williams, blogged about “Does PTS apply to ATMs?”  For those of you still reading that question, PTS stands for PIN Transaction Security and was formerly known as the PIN/PED program.

The important question is which standard applies to automated teller machines (ATMs), which seem to exemplify the need for each standard to one degree or another.

Branden reminds us:

ATMs are payment devices just like the card swipe or chip & pin machines we see at merchants all over the world.  The only difference is that they typically have larger displays, are heavier and more physically hardened, and they spit out money on request.  They’ve also become a great target for hackers to prey on the trusting human (with a fake ATM), or to add sophisticated skimming devices to steal and take advantage of consumer payment data.

It is important to not compartmentalize systems into Procrustean boxes and instead break them into their respective parts.  For example, a company may be both a merchant and a service provider (e.g. Amazon.com or Internet Service Providers).  In the same way an ATM can be broken down into its respective parts and the standards which apply.

  • PTS applies to the PIN pad component
  • PA-DSS applies to the software running on it (potentially)
  • PCI DSS applies to the company that drives the ATM network

What does Regulatory Compliance have in common with Immunization?

November 8th, 2009 No comments

I don’t think many people have ever asked themselves what regulatory compliance has in common with immunization, but they should.  The fact of the matter is that these two have more in common than you think and understanding one will help you better understand the other and how to make better educated decisions.  In addition, there are trade-offs — both health and economic — to the choices one makes in participating in vaccination and immunization programs.  The following addresses a few of these items and opens the doors for further conversation.

Why Comply? Why Vaccinate?

Immunization and vaccination are the process by which an individual or population is treated in order to fortify itself against attack from foreign bodies.  Vaccination against disease can help prevent contracting that pathogen in the future, and preventing multiple individuals in a population from becoming infected helps prevent the widespread outbreak and transmission of diseases such as smallpox, polio, measles, mumps, and anthrax.  By elevating the level of a population that is resistant to such attacks vaccines help protect the entire population from harm.

The problem is that although almost all agree that vaccination is positive for the population, not everyone agrees that it is positive for the individual.

Since vaccination began in the late 18th century, opponents have claimed that vaccines do not work, that they are or may be dangerous, that individuals should rely on personal hygiene instead, or that mandatory vaccinations violate individual rights or religious principles.

Have we not heard similar arguments against regulatory compliance?  Individuals stating that:

  • My environment is already secure
  • I know how to manage risk better than the regulatory bodies
  • My environment is special and unique and does not fit into your Procrustean boxes

I’ve listened to people sing the virtues of regulatory compliance as often as I’ve heard other individuals tell me “that sounds good but it’s not for me.”  I feel as if I’m mediating between the Center for Disease Control (CDC) and a troubled parent about why their child should be vaccinated before entering grade school.

Perspective

Part I

One of the problems with understanding the complexity of the problem is that of perspective.  The CDC and the parent have very different perspectives on vaccines and immunization.  In the same way, the regulatory bodies and those who must comply with them have very different views on how to best apply data security practices.

For example, it is widely known by the payment card industry (PCI) that the majority of small and medium merchants use one of a few brands of payment application.  Many retail merchants use a Micros, VeriFone, or Radiant Aloha (restaurants) point of sale (POS) application.  This high level of homogeneity in a population lends itself to attract attackers (pathogens) who wish to take advantage of any vulnerabilities they can identify in these systems.

The PCI Council, who act as the CDC, along with the card brands mandate that software companies validate their applications against a given security standard (in this case the PA-DSS).  They then introduce these more secure applications into the population and the governing bodies mandate their use over less secure payment applications.

So why not just stop there?  If things were that easy, the CDC would only ever have to worry about one pathogen using one attack vector.  If we secure the retail payment applications, attackers will just move to other industries such as petrol (gas) stations, ski resorts, and florist shops.  The industry responds to this with Dresser Wayne or Gilbarco, SKIDATA, and Teleflora Dove validated payment applications respectively.  The validated payment application program aims to inoculate every industry against the dangers of retaining the data most valuable to attackers.

Part II

But what about the individual restaurant owner who says they don’t need a validated payment application?  They claim all the reasons mentioned above from the specialized nature of their business or network to the secure risk management platform they have already implemented.  Why should they comply?

I do not have a good answer to the ‘why’ but I do have one for the ‘how’.  In fact, about 95% of the ‘PCI Wars’ debate going on today tries to answer the question of “why” when this is as futile as debating intelligent design vs evolution (because both are based on separate and unequal premises.)  Debating why one should comply is futile as the rules state that everyone who “stores, processes or transmits” such data must comply (as per the card brand operating regulations.)

The more interesting question is that of how one should comply.  These examples reference the PCI standards but could apply to just about any regulatory compliance mandate.  The way in which one complies can be taken at a high level.  For the PCI standards it implies preventing the paper and electronic theft of payment card data.  In fact, any way that your company decides to do this implies compliance with the standard.

If parents didn’t mind sending their children to school in hermetically sealed bubbles, then there would be less of a public policy need for them to be vaccinated against disease.  In this way, the parent and child could make their own decision about data security without harming or posing a risk to the rest of the population of school children and their parents.  If your company can, via whatever means at your disposal, hermetically seal itself against attacks then the matter of compliance is simply an exercise for the user in creative documentation, reporting, and compensating controls.  The problem is, many companies overestimate their security controls and thus cause a break in the structure of data security.

Economics of Immunization and Compliance

When approaching the economics of immunization one cannot ignore the population at hand.  For example, a poorer population will benefit more strongly from an immunization program than one that maintains a high level of sanitation, health care, and treatment programs.  To the same degree a more vulnerable population (e.g. retail, restaurants, higher education, e-commerce, etc.) will benefit more from regulatory compliance than one that is more highly secure (e.g. government systems).

In fact, one of the primary catalysts for regulatory compliance is the build up of problems (e.g. data breaches) within an industry followed by the punctuated equilibrium that brings about a response founded in legislative and regulatory action.

The cost of making a population more secure is relatively simple: require them to use more secure applications and systems.  The cost to the individual can vary along with the benefits.  The same applies to vaccines.

One could go their entire professional life without contracting the flu but this is rather rare in my experience.  Instead many people will get the flu vaccine each year on the off chance they will come in contact with the virus because being bedridden for 1-2 weeks can be both painful and detrimental to the company.

So what!

The cause of action to vaccinate a population is to immunize them from each other.  The process involves a uniform, across-the-board preemptive treatment that is meant to mitigate risks, not prevent them entirely.  In the same way, regulatory bodies craft legislation as a one-size-fits-all in order to protect the population from each other.  The individual implementation should see this as guidance and not a rule without exceptions.

The details of how one protects themselves against attack and infection may be unique to each individual, but they still must comply with the overarching industry agreement to protect themselves and thus the population against attacks.  The implementation will vary, of course it will.  One size does not fit all.  But the industry needs a standard, a baseline, against which it can measure risk.  As new infections and outbreaks occur, the industry will change the baseline to match the new attacks.

Those who can visualize the various perspectives will have a greater visibility into how they can better fortify their individual organizations to both validate against industry mandates and manage risk based on their specific organizational behavior.


Halloween Photo Walk

November 5th, 2009 1 comment

A little less about work and more about personal life.  This past Halloween I went on a photo walk with the CaliberSF team.  The introduction came from Chipmonkey via TangoBabySF (aka. Miss Julie).

Personally, I don’t care for costumes and would rather wear something comfortable, and maybe ‘smart’, than dress up.  At the last minute I pulled out a Mickey Mouse hat from a prior client engagement and a tunic I got in Abuja.  Suddenly I was Mickey Mouse from his star role in Fantasia, though everyone who passed me whispered “oh, a wizard.”  I suppose this is partially true, as Mickey did take on the wizard’s hat and become him for a short while.

You can check out everyone’s photos from the event on flickr or you can check out my personal photos from the event.

Alternatively, you can check out Julie’s photo blog and read up on the event.

I really enjoyed hanging out with the CaliberSF team and meeting lots of new people.

For the event I was shooting with the Nikon D300 which is a really nice camera.  I only recently learned how to do the basics but having those multiple focus points and the ability to manually adjust the ISO, f-stop, and other light gibbery-jab was lots of fun.

I even liked it when the photos came out overexposed like this one of Julie.

Although, one of my favorite sightings of the day was this mural by “Eddie”.  It’s located in Hayes Valley down the same alley as Blue Bottle coffee shop.  I snapped it with my iPhone camera so I could upload it immediately.  It’s the kind of stuff that reminds me of other paste-up artists like Banksy.
