A Gladiatorial Christmas

If you and I were hanging out together and I asked you to name the movies you like to watch over the holidays, what movies would you include? National Lampoon’s Christmas Vacation? The Santa Clause? The Muppet Christmas Carol? Elf? Home Alone? Home Alone 2? Die Hard? All of these are likely to catch some air time in my home.

Sometimes, though, my family and I feel ambitious and decide to watch a new movie, like maybe rent something on-demand that was recently released. We felt that tickle for something new, so we decided to go for it. After some brief browsing we quickly settled on something we knew wanted to see…

Gladiator II.

$20 later and we were in, ready to enjoy the theatrical experience from our couch. I thought the original Gladiator was an epic adventure of a film, so I was excited to sit and experience Roman warfare on the big screen once more.

However, my excitement soon faded into a soft surprise. Then confusion. Then disappointment.

It wasn’t long before I found myself questioning what was happening in the movie:

• Why does it seem like just a remake of the original story?

• Why do some interactions in the scene just seem… odd?

• How is every archer able to shoot perfectly every time?

• Why does Denzel’s performance stand out?

• Why did two bannermen at the end lower their banners when no one else did?

These are just a sample of the many questions that flashed across my mind throughout the film. I wanted this film to be good and I seriously wanted to enjoy it.

There were many times when it seemed like this movie was almost too like the first, so it seemed like an imitative retelling as opposed to a standalone, new chapter to the story. I couldn’t shake how there were many moments on screen where the acting was poor, or just awkward. There were even strange bits of editing (not a spoiler - there’s a moment later in the film where a wound has magically vanished between scenes) throughout that had me wondering if this was rushed through production. And Denzel Washington, a fabulous actor of legend, stood out because he was by far the best actor in the room. However, it seemed like he was trying to pull more out of the script than the script itself had to offer. Even the music felt cheapened to me, forecasting the emotions to come or not quite matching the scene it accompanied.

And seriously, the arrows don’t miss. Ever. Like, weirdly accurate. They just don’t make archers like they used to, I guess.

All in all, it just wasn’t a good movie to me. Period.

Not Space Jam 2 terrible, mind you, but it was not at all the blockbuster film I hoped it would be.

If Gladiator II Can Make It…

After watching the film, I just couldn’t shake the feeling of being cheated by the hype. Looking online afterward, I saw that Rotten Tomatoes had given it a “Certified Fresh” rating of 71% by critics, not far away from the original film’s score of 80%. The “Popcornmeter”, the name for audience ratings on Rotten Tomatoes, sat at 82%. I was shocked!

Has my taste in cinema changed over the years? Am I not able to recognize what’s objectively “good” anymore? Am I losing it?!

[NATHAN CRIES OUT TO THE HEAVENS - EXITS STAGE LEFT, SOBBING]

Fortunately, I have a partner that agreed with me - they couldn’t believe how bad it was, either.

I’m sure that someone reading this will have seen Gladiator II and enjoyed it (if you’re one of those people, please, please tell me how on Earth you liked it). And that’s great! We all have different tastes and opinions when it comes to creative productions like music, movies, and art. It’s okay to disagree, or for one person to enjoy what another does not.

In questioning my life after enduring that slog of a feature film, I thought:

If Gladiator II can be greenlit for production, then anyone can do literally anything. Anything is possible.

Seriously. More than one person sat in a room together, or in many rooms for many different kinds of togethers, in order to give the thumbs-up to make this movie happen. More than one person, possibly many persons who had given the okay for successful films before, allowed this film to be bankrolled to the tune of over $300 million USD. As far as I can tell, worldwide box office gross has at least given people their money back, but it’s a far cry from the 4x return on investment received through the original movie that debuted in 2000.

I’m being harsh in my critique, I know. I do think there’s a lesson to be learned here.

In less than the time it would take for you to view this Roman, filmic tragedy for yourself, I will expand on three points:

• That something can be “good enough” without having to be perfect,

• That imperfect things can still be successful things, and

• Embracing imperfection is key to successful security

So, in a way, Gladiator II did bring some positive mental motions into my life as it forced me to wrestle with these ideas.

Thank you, Ridley Scott. [insert fist bump]

.

Perfectionism vs. “Good Enough”

The Labor of Creativity

Years ago, as a young, wee lad in music school, I clearly remember the torturous task that was creating music. Sometimes, this torture was rapture, what I’d probably liken to being keenly “in the zone”. You’re tortured because you can’t focus on anything else (relationships, important classwork that may be due the next day, etc.) yet in a state of bliss as you surf along waves and waves of creative thought. I was no Mozart, who was able to pull fully formed symphonies directly from his brain, but I was passionate. And that passion could keep me focused on writing music for hours and hours on end.

More often than not, however, the torture of music writing was not rapturous, but more like, well, torture (and who says “torture was rapture” anyways? Yikes, Nathan…). I wish I could count the number of days spent staring blankly at an empty piece of plain manuscript paper. I knew the paper was just begging me to write something, anything, yet my pencil would not budge. My hands would not move. It wasn’t torture because my mind was blank and I had nothing to write, it was torture because I had so many ideas in my head. Too many ideas, perhaps. I wasn’t sketching to catch a breeze of inspiration that might generate my next big idea, I was trying to strike gold before my pen even hit the paper.

I only wanted to write the “best” music possible, which at the time meant writing something that I thought other people would like. I wanted to just, create, but not as badly as I wanted other people to appreciate what I had created.

I’ve written many pieces of music in my life, that’s for sure. Yet if I were to throw my stack of unfinished pieces at you it might get me arrested for assault because there’s so many of them, plus I don’t think I’m strong enough to lift it (also papercuts are the worst, right?).

What I mean is there are many more pieces I didn’t complete or continue with just because I didn’t think they were good enough. I was taking the step of labeling my own work a failure before that pie of creativity was even in the oven.

Fearing Failure

Eventually I would come to learn that even some of the most highly regarded composers of all time were perfectionists, often discarding the work if they deemed it subpar. Brahms did this, for example. Now that I’m older and removed from those music days, I think that it was mixture of perfectionism and a fear of failure in general. Sometimes I was able to write from the heart to create something that felt genuine and sometimes I found myself plagued by the fear that other people wouldn’t like what I had made. This was dreadful for me at the time. It was a driving fear, a constant anxiety, a shadow that loomed across my creative process.

Having a fear of failure is nothing new to me personally, I know that. And I would hazard a guess that you know the exact feeling I’m talking about, too.

In looking at the 10 Signs That You Might Have Fear of Failure, you’d think that I should have “fear of failure” as a line item in my medical history. I find comfort in knowing that this is a common cloud that hovers over many people’s lives and not just the lives of musicians. It’s helped me to learn that there are ways to help one’s self overcome such a fear.

For a sample of how you can work to cope with the fear of failure, the University at Buffalo’s School of Social Work has shared a guide with approachable steps that anyone can tackle (heads up—the link points directly to the PDF).

Accepting “Good Enough” as “Enough”

When it comes to creating something, is it okay to just throw ideas away? If you’re like me and don’t rely on creative outputs to pay the bills, then, sure, because it’s not the focus of my day-to-day work. I have the luxury of a steady job that pays the bills and keeps a roof over my head. But, if your livelihood depends on you both creating and producing something, there’s an inevitable compromise to be made between perfection and meeting the requirements of the moment.

In tech, this has long been understood as a reality. Minimum viable products (MVPs), and minimum viable products within products, are everywhere, same as “just ship it” which is decreed constantly in various forms, ensuring that updates to code and new features get pushed to production.

While this kind of approach is rarely free from errors, often rife with them, the “just ship it” attitude is a true positive from the perspective of this Gladiator II recovery group that I’m holding here today. This path to releasing work into the wild helps to eliminate the barriers that come with perfectionistic tendencies, where you’re afraid to let go of something before it’s flawless. Once it’s been produced, imperfect as it may be, you have the opportunity to continually improve on the software, cultivating a cycle of continuous improvement while also bringing in new things over time.

It’s not perfect. And that’s the entire point.

This blog is not going to be perfect. For sure. Even though I hate the thought that there’s the potential for you to come across misspellings and whatnot, publishing this blog is my attempt to practice what I preach. To push my work out of the nest and into the world.

“Good enough” occurs all of the time in the creative arts, software development, and throughout life. Musicians have to release new music on a deadline or perform concerts even if every song isn’t up to par. Actors have to go on stage for specific performance dates, whether their lines are ready or not. I, as an amateur gardener may rehome a bush in the yard without guarantee that it will stay alive once I replant it (spoiler alert: the bush didn’t make it—it never makes it).

Once there is a commitment towards an idea, a path or plan of some kind is then laid out, leading to an end goal that is a deliverable something. Something must be produced. Similarly, sticking to a rigid schedule or expecting that all possible blemishes be removed is less important than actually delivering the product itself.

Finding Success Through Imperfection

Yes, there’s a natural fear that what you release is less than stellar, but the mere existence of faults does not mean that something is unsuccessful because of such faults. Charlotte Sidebotham expressed this mindset wonderfully, “Good enough is not mediocrity, or merely good. It simply means that, at the current time, all things considered, there are sufficient benefits, and no critical problems.”

Now, I’d challenge the implication that Gladiator II “sufficiently benefits” anyone at all, but I shall restrain myself… from arguing with myself?

Oh well, moving on.

What Drives Perfectionism

While I am not the person people go to for firm definitions of psychological behaviors, I’m lucky to have a slew of Internet articles to help me grasp this topic more completely. One’s perfectionism can be driven by one or many factors. If this is something that you struggle with, I encourage you to share this with a psychological professional who can help you pinpoint potential root causes.

If someone says that they fight with perfectionism, please do not make assumptions about what may or may not influence those thoughts for them. Everyone’s experience is unique and deserves respect. I’ll only share findings here that have been found to be broadly applicable.

External Validation

Perfectionism often stems from a yearning for external validation, a desire for others to affirm that what you’re doing is “good”. This is something that many people may be able to relate to.

You’re seeking external validation whenever thought patterns consistently guide you towards imagining what others may expect from you, likely outweighing the confidence you have in yourself and your work. You could seek validation from specific people in your life or career, or be fearful of validation from a more general, undefined “other”.

Tech companies are not immune to this, nor is any company. Companies are made up of groups of humans, with each one of those humans carrying the burden of their own psychological baggage, regardless of the size of that burden. All teams are made up of individuals and, mostly, teams rely on the approval and guidance of a single leader. Those leaders are also humans themselves (I promise) and who are likewise vulnerable to this mental self-trickery.

Have you ever:

• Feared what your boss or manager will think of your work?

• Been wary of showing others what you’re working on, afraid of what they’ll think?

• Felt that you didn’t know enough to share your knowledge with others?

• Written an email, deleted it, only to write it again and painstakingly read and reread it until it’s artisanally sculpted to the finest level of quality, even though it was just you replying in kind to a teammate?

Congratulations, you are normal. We’re proud to count you amongst us.

Having these thoughts and/or thinking you tend to lean towards perfectionism does not mean that there is anything wrong with you. Not in the slightest. Myself, for example, is sitting here wondering (and worrying a bit) about what people will think of what I’m writing in this post. Recognizing this about myself does not automatically equip me with the ability to work healthily with these feelings, but I feel like it helps for me to accept that these feelings exist and to move forward from there.

Security is Never Perfect

This is a security-related blog after all, isn’t it?

If you’re not in tech or not a security professional, think about a time when you purchased a piece of software, or bought a video game, or watched a live stream where something went wrong. Maybe the software was buggy, or the game graphics were glitchy (I’m thinking of you, Cyberpunk 2077), or the live stream’s quality of service resulted in a pixelated mess or lack of a stream at all (Netflix’s recent boxing spectacle, for example).

If you’re thinking about something in the time of the Internet era, then patches were likely (hopefully) released for that software, updates were pushed to that game to improve performance, and we’ll say that the live stream company learned from their mistakes and beefed up their infrastructure for better streams down the road.

For many people in tech, regardless of role, they understand that imperfections are just part of the game. You’re constantly making adjustments to upcoming software releases, product roadmaps, and business opportunities. At best, you catch the imperfections yourself and take action, at worst, you put out fires from customers with issues or from troublesome actors who target vulnerabilities. Whether proactive or reactive, working in tech demands agility.

Security is never perfect and perfect security doesn’t exist. I don’t say this as a cheap grab for attention. This is just the nature of the beast. We’re only able to secure what we know exists to secure and can only provide security to a level possible by those implementing the security measures.

Out-of-the-box tooling is available to help you and I gain visibility over our environments, receive alerts regarding misconfigurations or undesired activity, and actively manage endpoints. Security professionals, in turn, learn to analyze tool output effectively, identifying anomalous activities that warrant attention, pinpointing errors in code that might present security concerns, and providing steadfast response to incidents of all shapes and sizes.

Think:

• What security tool is “perfect” at what it aims to do?

• What security professional or team of security professionals is “perfect” at what they do?

• Does a definition for “perfect” security exist?

Imperfect Security is Security

When I was studying choral conducting some years ago, our professor used to always share a bit of wisdom with us, “Music demands perfection while simultaneously denying it.” (he would always repeat this about three times whenever he said it)

He would then go on to explain how, even with the most diligent practice, there was always the possibility of imperfections in music. One person in the choir could mispronounce a word (you’d be amazed at the power of a single person singing a loud “s” in the wrong place), a pianist’s finger could slip to the wrong key, the air temperature could be too high and make the performers uncomfortable on stage - anything. That was his point. You work so hard to present a polished, perfected work of art to an audience, yet, no matter how hard you try, imperfections have the chance to pop up at any moment.

But, here I am thinking that this phrase applies perfectly to security: Security demands perfection while simultaneously denying it. This is a profound realization for me, how, regardless of effort, collective expertise, or the capabilities of tools we deploy, there will always be room for us to improve the security measures we put in place.

The owner of a company I used to work for would hold daily meetings each morning. It was a small company, so he would huddle each day with us to hear updates and to help think of ways to solve customer issues, production issues, or general business issues. He used to say that any problem boils down to one of three things. Years later, I’ve found these three things apply beautifully when identifying root causes to security issues:

1. Human error

   1. Human error can account for an incredible range of security issues. Actions could be intentional, unintentional, or could be intentinonal acts manipulated through the influence of bad actors.

   2. I’m happy to follow many professionals who lead and conduct research in this burgeoning “human factors” segment of security. This area goes well beyond simple security awareness efforts.

2. Process error

   1. Did the SDLC process not identify the vulnerability in time before release? How come the IT team didn’t escalate that incident more quickly? Why do we have more than one process we’re following for incident response?

   2. Here, the root cause boils down to a lack of detail or foresight within in the process itself. Fixing the process immediately helps to mitigate future, similar instances from occurring again.

3. Machine error

   1. This could be any number of issues that stem from an endpoint of any kind. Misconfigurations, outdated software or operating systems, hardware malfunctions, etc. There are tons of possibilities.

   2. Some of these errors can happen through simple “wear-and-tear” of a device, where things can be repaired or replaced in whole. Or, some errors are possible to fix with sufficient visibility and healthy processes to identify issues in advance..

No one can claim to have a crystal ball, so no one can claim that they have foreseen all possible security issues both now and in the future. Since no one can see this future, no one can protect against everything that might happen to those you’re trying to protect.

While it’s unhealthy and unwise to demand that security be perfect, it is healthy to expect that security be as strong as possible given the budget, skills, and tools that are available.

Because security is constantly imperfect, we must continually work to stay informed, stay aware, and keep ourselves educated on emerging threats. As my mother used to say, “You do with best you can with what you’ve got.” In security, we do that all the time, don’t we? Here, doing your best directly involves action, motion, taking steps forward. Notice how “your best” has nothing to do with perfection itself.

Think of “The 5 P’s”: Proper Practice Prevents Poor Performance.

Imperfect security is still security, since that is the only kind of security that we know. And that’s okay. What’s not okay is to fail to take action because you don’t have a perfect solution on-hand, or you haven’t published a fully-formed process/policy.

Take steps forward now and improve as you go. A small protection now can be made more robust and more effective over time, iteration by iteration.

Constantly im-perfect, you say?

Perfect. That means we’ll always have room to improve.

The Bottom Line

When all else fails, when you find yourself down and out, when you are struggling to see that you belong in security, when you don’t see yourself creating anything that’s good enough for yourself, let alone perfect for someone else, remember—someone, somewhere, believed in Gladiator II. Someone, somewhere, said, “That’s good enough,” and released it to theaters, even if they thought it wasn’t the best film they had ever made.

So if Gladiator II can make it, so can you. Literally anything is possible.