Searching for Kryptonite

September 13, 2016


In a pediatrician’s office in Kansas, Mr. and Mrs. Kent talked with a specialist, hoping to get help for their disabled boy. “He’s two years old and he still can’t walk,” said Mrs. Kent. “Instead, he pushes himself up and floats around the house.” “And he has broken all his toys,” chimed in Mr. Kent. “The boy tries to play like other kids, but he can’t control his strength.” The specialist looked at the anxious parents, “Mr. and Mrs. Kent,” he said, “your son has a rare, but serious condition called superheroism. Of course, there is no guarantee, but I have been quite successful in treating this condition.” The Kents were relieved. Finally, they had a name to put on their son’s condition. Now they could start making him better.




My 7-year-old daughter has a superhero costume she likes to wear around the house. The costume is a leotard with a big “S” in front, a cape, and a mask. It is in her favorite color, pink — or at least it used to be pink. It is now sort of a gray-pink shade from overuse.

It’s fun to watch her playing a superhero, but lately I’ve wondered if she might actually have superpowers. No, I haven’t seen her take to the skies or lift a car so I could change a flat tire. In fact, she has done things that don’t seem particularly super at all. My daughter was diagnosed with autism nearly three and a half years ago. She started speaking late, had odd social interactions with kids and adults alike, and could throw some world-class meltdowns long after most of her peers had moved on from temper tantrums.


Autism is a condition that results in difficulties with social interactions and learning.  Some autistic people are so challenged that they cannot communicate verbally, hurt themselves, and may not be able to live independent lives. However, there are many examples of autistic people with unbelievable abilities in areas such as music, academia, business, technology, and even comedy. You can call these talents.  I call them superpowers.

However, as the parent of an autistic child, I far too often feel overwhelmed by her challenges and lose sight of her promise. For years, my daughter woke up so often each night that my wife and I took turns sleeping on the floor next to her. Meltdowns at school and at home leave teachers and family members alike feeling shell-shocked. We didn’t look at our daughter and see a future superhero.  We saw a kid with a cloud over her future.

But, as I read stories about the amazing things some autistics can do, I started to wonder what this meant for my little girl. Her challenges had been taking up so much of my time that I had failed to look for flashes of brilliance.


In many, many superhero movies, the hero feels excluded from peers. Movies like X-Men, Superman, and even Disney’s Frozen show characters with abilities that isolate them from others. At some point in these stories, the heroes learn to manage their abilities and begin to use them to make the world a better place. They realize that these special powers are not a liability, but assets the world truly needs.

Like many autistics, my daughter is stubborn. When she wants me to buy her a toy that I don’t intend to purchase, she will hound me unmercifully. When teachers at school try to get her to do an activity she doesn’t want to do, her resistance is fierce. This stubbornness is exasperating, but it can also be a strength.

I occasionally take my daughter to her favorite place, our community pool. I watch her approach other little girls her age, “Hi! Wanna play?” she says. Often, the other girls will just swim away. My daughter isn’t deterred. Over and over she approaches a different child, “Hi! Wanna play?” I cringe each time it happens. But on almost every trip to the pool, she finds someone, often more than one child, to play with. Her persistence in the face of regular rejection nearly always pays off. It’s one particular superpower that has allowed her to meet some really wonderful kids.

Fixing Autism

We’ve come a long way from the days when autistics were locked up in institutions. Public schools now educate autistic children, often in the same classroom as neurotypicals (thank you IDEA). We are also seeing more efforts to help autistic adults lead independent, self-fulfilling lives. The focus of much education and therapy for autistic children is to make them more like the rest of us, that is, to fix autism.

But what if autism is the cause of much brilliance in the world? What if autism is partially responsible for our information economy? What if we can credit autism for some of our important scientific discoveries? What if we can thank autism for some of our finest entertainment? In short, what if autism bestows superpowers? If it does, then wouldn’t an attempt to fix autism be the same as binding Wonder Woman’s wrists, making Elsa wear gloves, or giving Kryptonite to Superman?

I hear so many stories of incredible achievements of those with autism that I increasingly wonder, what if these people are not successful despite their autism but because of their autism? What if autism is not a disorder but an enhanced ability that is so great that it draws away from “normal” abilities? What if the problem with autism is not that people have it, but that the rest of us don’t know how to deal with it?

I regularly see people trying to make my daughter like everyone else, with the expectation that once we fix the challenges, we can focus on the things she is good at. At school, there has been a focus on getting her to sit still, not talk out of turn, and generally do what is expected of her while keeping her on grade level for her real passion, reading. I’m not convinced this is the right approach. While I know she can’t be throwing tantrums her whole life, and blowing raspberries at teachers is not OK, I don’t want to wait for her behavior to shape up before she develops her talents.

Learning to Fly

Sometime before my daughter’s fourth birthday, we were in the car on her way to child care. From the back seat I could hear her sounding out words. “Puh – Oh – Knee… Pony! Muh Er Muh Aid… Mermaid!” I was floored. I knew that my wife and I hadn’t taught her to do that. I had no idea that she was reading. I approached both her preschool and her child care center, congratulating them for teaching her to read. They thought I was nuts. But I wasn’t nuts. The kid was learning to read before she was 4. It took me a while to figure it out, but a children’s tablet that my mother had given my daughter for her birthday had lessons on sounding out words. She had taught herself to read using that tablet.

Her reading continued to advance, but as it became obvious that her reading ability was well above normal some at school gently told us, “Yes, she can read the words, but she doesn’t understand what she is reading. They are just words to her.” As my daughter demonstrated that she could correctly answer questions about the stories she had read, the cautions changed to, “Yes, she can read, and she can answer questions about the concrete parts (What color was her dress? Where did the princess find the frog?), but she doesn’t get the bigger picture (Why did the witch turn the prince into a frog? Why did the princess kiss the frog?).” This sounds like a fair concern until you hear my daughter reading stories with inflection and passion appropriate to the story. More impressively, she will use concepts from these stories to create her own stories.

I realize that early reading and persistence don’t sound much like superpowers, but I believe I am seeing the early signs of talent that can develop into something wonderful. I fear that if my wife and I wait for our daughter to learn to manage her stubbornness, and stop the meltdowns, before we help her develop her strengths, we will miss out on the skills that can make her happy and successful.

My daughter isn’t alone. I wonder what would happen if we all started with the assumption that autistic people have amazing abilities that need to be discovered. I wonder what would happen if we spent less time trying to fix them and more time nurturing their unique talents. Perhaps what is really needed is for those of us who are not autistic to change ourselves to better see their potential.

Maybe we would discover that we are not facing an autism crisis but a superhero explosion.

“Mr. and Mrs. Kent, we have some great news. There is a new therapy that we believe will significantly reduce your son’s symptoms. This therapy combines a new medication, Krypto-pills, with therapy to teach little Clark to stay on the ground and stop using his excess strength. We think we can make your son almost normal!” The Kents thought for a moment and looked at each other. They then took little Clark by the hand and walked out of the office.




Design IT Security for a Death Star

May 3, 2014

Interested in developing the skills you need to be an IT security professional supporting the U.S. Federal Government? Are you currently trying to follow NIST security guidance but are feeling overwhelmed? Why not collaborate to build a set of examples that can enhance your skills, while at the same time providing the security community with tools to improve security?

For 15 years now I have been an IT Security contractor for the U.S. Government. For much of that time I have been using standards published by the National Institute of Standards and Technology (NIST) to design and document security architecture.

While I have found NIST publications to be well written, the sheer volume of material I had to read and the lack of  examples of security documents has often left me feeling overwhelmed.


Problem of Collaboration

One of the problems with collaborating in security planning is that details are often too sensitive to share broadly. This often leads to security engineers developing templates, spreadsheets, and databases for themselves or their group, leaving others to develop their own material. This duplication of effort wastes a great deal of time and lessens the effectiveness of the security controls that are implemented.


Crowdsourcing a Fictional Project

I propose that one way to collaborate and keep sensitive information secure is to build a fictional collaborative project. Crowdsourcing security architecture and planning using the NIST security framework on a fictional architecture with supporting documents that can be shared and improved is one of the best ways to collaborate without risking the release of sensitive information.

To have fun with this, and to avoid encouraging the cutting and pasting that minimizes real security, I have an idea for a government project to base the security architecture on.

In 2012, “J.D.” from Longmont, CO posted a joke (I hope) proposal on the website suggesting the U.S. build a Death Star. Over 34,000 people “signed” on to this idea, which encouraged the White House to respond. Paul Shawcross, Chief of the Science and Space Branch at the Office of Management and Budget (OMB), responded with some fun of his own.

I suggest that for our fictional collaborative project, we plan IT security for a Death Star. Something like this is flexible enough for a small number of volunteers to create some simple documents (well, as simple as NIST allows), or for a larger group to create significantly more detailed plans. In any case, the documents created would all be subject to a Creative Commons license, allowing anyone to use and share whatever is produced.

The result would be an educational opportunity for anyone who wants to better understand NIST security, and the project would provide valuable examples and perhaps simple tools that would make it easier for those designing NIST-compliant security.

This could also lead to a group that could discuss issues related to NIST compliance, without having to share details of their projects.


Get in Touch

Updated May 11, 2014

To kick things off, I’ve created two ways to begin a dialogue with everyone who is interested in this project. I just created a bare-bones LinkedIn group called:
NIST Security Development

Alternatively, if you’d prefer email, I’ve created a Yahoo email list. subscribe by going to the Yahoo Groups site, or just send an email to:


Updated May 27, 2014

A project wiki has been created for this effort. There is still a great deal of work to get the wiki going, but it is ready for users and editing. The site is:

This is the same wiki software that is used for Wikipedia, so there are lots of resources on creating pages for it. While it might seem a bit intimidating to those who have not used wikis before, the syntax is really pretty easy, and you’ll get the hang of it quickly.

The best thing about a wiki is that it is easy to edit, and easy to revert to an older version if something goes wrong.

I’ll also be creating and sharing spreadsheets via Google Docs because spreadsheets are just easier there. Google Docs can also handle presentation slides, diagrams, and document templates.

If you are interested in helping, please create an account on the wiki and we can start collaborating on this project.


Narrow Your Career Focus

January 14, 2013

In my last blog post, I hope I sold you on the idea of pursuing a career in information security. OK, you have questions: What education do I need? How about certifications? How can I build an effective resume that will make it easier to get one of these jobs? These are important questions, and I will address them in a future post, but let’s not get ahead of ourselves. Many who begin to pursue a career try to make themselves as broadly attractive to employers as possible. They assume that the more jobs they qualify for, the easier it will be to get a job. That is rarely the case.

In his book titled, Purple Cow, Seth Godin argues that the best way to get a job is to narrow your focus. Godin says, “In your career,… being safe is risky. The path to lifetime job security is to be remarkable.” If I can paraphrase him a bit, suppose you are the director of a major hospital and you need someone to handle your information security. You have resumes from tens, perhaps hundreds, of security professionals who have a solid education in security. Each has the right certifications and the right technical skills. But one applicant stands out. This applicant specializes in the security of medical records. She blogs about hospital security issues. She has attended conferences related to hospital administration that didn’t even have a security focus. She is competent in security and understands the specific needs of hospitals. Who will the director hire? One of the applicants with lots of broad experience or the one who specializes in hospitals?

You get the idea. Narrowing your focus helps you stand out and makes it more likely that you will have the career you want, not just the career you fall into. Before you start pursuing certifications, advancing your education, or even writing your resume, take the time to research various information security positions, industries that employ people in these positions, and specific companies of interest to you. Narrow your target as much as possible. Once you know where you want to go, figuring out how to get there becomes much easier.

What do you think? Leave comments or questions below.

Introduction to Your Information Security Career

December 27, 2012

According to The Wall Street Journal, in March of 2012, Global Payments, a credit card payment processor, discovered a breach of its system that exposed the personal information of at least 1.5 million customers to criminals. SC Magazine reported that the cost of the breach for Global Payments was $84.4 million with a potential for an additional cost of $55 to $65 million. Brian Krebs, a well-respected security blogger, broke the story, and his account is well worth reading. These kinds of incidents are all too common, and their frequency and impact are growing.

Computers control more and more critical parts of our daily lives. Google is experimenting with computer-driven cars, and computing and networks are becoming increasingly essential to health care, including computer-assisted surgery. Computing is also essential to managing much of our critical infrastructure, including nuclear power plants, emergency systems, transportation and banking. Under these circumstances, it is vital that our computers be protected. This requires people skilled in information security. Unfortunately, there are far too few information security professionals to meet a growing demand. This may be a career you should consider.

What do we call it?

There are a number of terms that some use interchangeably for this field, while others insist that there are subtle or even major differences among the terms. Such terms include information technology (IT) security, cybersecurity, information assurance, and computer security. Since an in-depth conversation about these terms is well beyond the scope of this blog, I’m going to stick with the term “information security.” Just remember that you may encounter other terms that refer to the same field.

If the many names are not confusing enough, there are also numerous jobs and job titles for information security professionals. However, unlike the terms for information security, many of the various job titles have significantly different demands and experience levels. I will discuss the various types of information security positions in greater detail in a later post. For now, three of the major categories are defenders, auditors/testers, and management. Each requires a distinct, though overlapping and related, set of skills and body of knowledge.

Meaningful Career

There are many good reasons why you should consider information security as a career. The most important is that security is worthwhile work. Our advancing technology promises us a world with significant improvements in standard of living, better medicine, greater collaboration, more interesting work, and even better entertainment: think movies and video games. None of this, however, will be possible without the reliability that information security provides. By joining this field, you can help to ensure the continued growth of information technology and the promise that it provides.

I may sound overly enthusiastic about this field, but waking up in  the morning and knowing that what you will do all day actually matters is a great feeling.

Another good reason to consider this field is that, when done properly, information security demands creativity and problem solving. A career in information security can be personally challenging and can lead to constant learning and growth. Additionally, because security expertise is needed in a staggering number of industries, there is no end to the flexibility that this career provides.

Practical Considerations

More practically, security careers tend to be a good path to a comfortable salary. Salary, of course, depends on many things, including your level of experience, your special skills, your education, and the industry with which you are involved. But, according to, a security administration position can pay from $50,000 to $95,000, and I have seen information security positions that pay much higher, especially for talented and driven security professionals.

Security also provides career stability. While companies come and go, and no job is immune from layoffs, with solid information security experience, it should be much easier to find your next job than it will be for many other professionals. According to a survey of security professionals by ISC2, an international non-profit that provides security education and certifications, of the 2,250 respondents, only 7 percent were unemployed at any point during 2011. At the time of the survey, only 80 of the 2,250 were unemployed, and only half of them had been laid off. Other aspects of a security career that you should carefully consider are staying current with advances in the field and work/life balance.

Staying Current with Advances in the Field

It is essential that information security professionals stay current with advances in the field. Technology, threats, vulnerabilities, and management all change, and the changes can occur rapidly. All of these changes require that information security professionals continue their education, acquire certifications, receive training, attend conferences and vendor presentations, and read books, blogs, and articles. This can be exhausting, but it can also be exciting. Like many other aspects of this blog, the specifics of your ongoing learning will depend on the specific circumstances of your career. Nevertheless, you can be sure that some level of ongoing education will be a necessity.

Work/Life Balance

Finally, there is the issue of work/life balance. I’ve seen information security jobs that provide great flexibility: time to spend with family, friends or hobbies. I’ve also seen information security jobs that require the professional to be on call 24/7, travel extensively, and work extra hours and with crunch time around major projects. Your mileage will vary. Work/life balance for security professionals depends on many things, such as your industry, area of responsibility and corporate culture. The good news is that information security expertise provides enough flexibility that you can change positions or jobs as your needs change.

Choosing the Path

Is information security the right path for you? This field is not for everyone, but if it sounds like a good fit, I hope that you will seriously consider it. The world needs more good people to protect our information and computer systems.


I have edited this blog from the original on January 6, 2013. The original version of this blog referred to “Global Payments” as “Global Crossing.” This error has been corrected.

HBR Blog: Stop Thinking Outside the Box

November 7, 2011

This is a great, thought provoking post. It is interesting that the author mentions the Zune vs. the iPod because it seems that Steve Jobs understood inside the box before he ever started looking out.

Posted from WordPress for Android

Washington Post Op-Ed on Failure

October 17, 2011

It is interesting to see so many books and articles on the value of failure. This op-ed in the Washington Post by Kathleen Parker is worthwhile.

I also recommend Tim Harford’s book, Adapt: Why Success Always Starts with Failure.

Gartner: Re-imagining IT as an experience, rather than an expenditure

October 5, 2011

The link below is to a thought provoking blog posting from Mark McDonald at Gartner. Government IT and Federal contractors tend to focus on solving problems. I wonder if there is an advantage in pursuing any of the other ways McDonald lists for providing value.

Posted from WordPress for Android