Caffeine Detox

June 25, 2013

It is that time again when I realized that my daily caffeine intake isn’t done for mere pleasure but out of a need to stave off the ever lurking headache. I started to notice mild headaches in the afternoon that can be immediately alleviated by a nice cappuccino and I had to admit to myself that my body is now reliant on caffeine and will threaten me with headaches unless I give in.

This has happened before, in mid 2012, when missing a day of coffee rendered me almost incapacitated. At that time I decided to detox from caffeine, which I did for over 6 months before deciding to partake of the daily ritual again. I missed both the flavor and the routine of it.

And so here I am again deciding that it’s time for another caffeine detox. After mentioning it on Twitter, aside from the responses of my being crazy, several from the infosec community have decided to join me. I’m putting this post together to explain the rules of which I am going to follow and as a guide to whomever else cares to join.

The caffeine detox will begin on Monday July 1, 2013 and I’ve not put an end date. I’ll know when I’m done, but let’s say as a measuring stick: once the headaches are gone, the extreme sleepiness has abated, and basically I feel no different off caffeine, then detox is complete. Based on last year’s experience, I’d say 4 weeks should do it. (Took me 2 weeks for the withdrawal symptoms to subside last time.) Yeah, yeah, just in time for Vegas. Personally, I’m going to keep going until AT LEAST after Vegas and play it by ear from there.

So here are the rules I’ll be following:

  1. Going Cold Turkey!
  2. No beverages that contain caffeine no matter how insignificant (i.e. coffee, tea, decaf, soda, etc). Nothing but water.
  3. If I ate chocolate, I’d stop ingesting that as well.

That’s basically it. Yes, it’s going to suck. But having done it before, it is my way of exerting control and not being a slave to that wonderful substance…caffeine.

See you on the other side.
Man! How the tables have turned. I’ve spent the majority of my information security career as a security assessor and consultant. That lavish lifestyle of living out of a suitcase, spending a week or two with a client, agonizing over the executive summary of a report, and then delivering the final report. With clients, I’d perfected the art of love ’em and leave ’em, never staying long enough to see if anything had come from the fruits of my labor. That not knowing is what always left me unsatisfied with being a consultant, which is why during my recent job hunt I chose a position that placed me on the other side of the table. It was time I gained the experience of not just telling organizations what they “should/need” to do, but having to actually get an organization to implement my security recommendations. I’ve traded my security consultant hat for a security architect loin cloth & seashell bra.
How was I to know that encrypting sensitive data at rest, prohibiting the use of shared IDs, and the separation of production from non-production environments could erupt into arguments and upper management escalations? I’m beginning to understand the difficulties InfoSec professionals in the trenches face when trying to secure the organization they are responsible for, while at the same time needing to understand that concessions and compromises need to be made. I’ve had to deal with trying to explain to a business unit why a solution that uses proprietary encryption to “secure” packet captures is not a good idea, but then being told upper management is getting it anyway because of the tool’s capabilities. I’ve had to accept why telnet is still needed to log into network devices and that there is no budget this year to replace the offending devices. I’ve had to get used to no longer being the consultant on site that people bent over backwards for. Now I spend my time bent over while trying to dictate why “security is good”.

I’ve been at this new position for several months now and the experience has been eye opening. I never really understood the challenges the security teams faced and often wondered, when doing an assessment, how the hell they didn’t have basic security controls in place. I get it now! One doesn’t just receive a report from a security consultant and the findings/remediation suggestions get magically implemented. As if all the security team was missing was some direction, and now that they have the report, the fog is lifted; onward and upward, Tally-Ho! As a consultant, I’ve had clients say to me, “But we can’t enforce complexity for our passwords,” and I’ve replied in the past, “I hear what you are saying, but you are going to have to figure it out.” Right, because getting rid of those legacy applications that are core to the business just so the password can have a “$” in it is going to happen.

What’s my point? (Wait. For. It….) Actually, I don’t have a point. I’m just acknowledging the disconnect between my experience as a consultant and now as an on-staff security architect. I by no means discount the experience I gained from being a consultant. I’ve gained experience in talking to groups and upper management. I’ve been exposed to various technologies, implementations, solutions and their use cases. But boy, I was not prepared for the myriad obstacles that impede security teams. With this new job, I’m going to miss the travel and new environments, but this is an experience I need to gain if I ever plan on one day becoming an interim CSO. Next… I’ll need to learn how to play corporate politics. :-/