makeithabitual – Matt Shannon, Security Pro

Zen and the Art of AWS Security Domain 6: Security Foundations and Governance | Holding the Line Without Rigidity

“When the structure is sound, movement becomes effortless.”

Most people expect security foundations and governance to be boring. Policy documents. Checklists. Frameworks. Meetings.

AWS, and seasoned security architects, know better.

Security Foundations and Governance are not about control. They are about alignment.

They are what allow everything else, detection, response, infrastructure, identity, and data protection, to function without friction. This is why Domain 6 exists. And why it quietly determines whether every other domain succeeds or fails.

1. What AWS Means by “Security Foundations”

AWS does not treat security foundations as a product or a service. They treat them as operating conditions.

Security foundations answer questions like:
• Who is responsible for what?
• How are decisions made?
• How do we know when something is “secure enough”?
• How do we scale security without slowing delivery?

In AWS terms, foundations are built on:

• Shared Responsibility
• Well-Architected principles
• Standardized controls
• Continuous improvement
• Clear ownership

If those are missing, everything else becomes reactive.

Key Takeaway: On the exam and in real life, assume security foundations are always present, not optional. If a question describes a scenario with ambiguous responsibility, pause and seek alignment before acting.

2. The Shared Responsibility Model: The First Gate

Every AWS security exam, especially the Security Specialty, tests one thing relentlessly: Do you understand what AWS secures…and what you must secure yourself?

AWS is responsible for:

• Physical data centers
• Underlying hardware
• The cloud infrastructure itself

You are responsible for:

• Identity and access
• Network controls
• Data protection
• OS and application security
• Configuration

Governance begins the moment you clearly accept that responsibility.

Most real-world failures, and many exam traps, happen when responsibility is blurred.

3. Governance Is How You Scale Trust

Governance is not about saying “no.” It’s about creating guardrails so teams can move quickly without breaking things.

AWS governance relies on:

• AWS Organizations
• Service Control Policies (SCPs)
• Account separation
• Tagging standards
• Centralized logging and monitoring
• Defined escalation paths

Exam cue: If AWS wants you to prevent risky behavior without managing individual permissions, the answer is almost always SCPs.

Governance operates above IAM, not instead of it.

4. Well-Architected Security Pillar: The Quiet Backbone

The AWS Well-Architected Framework is foundational to this domain.

The Security Pillar emphasizes:

• Strong identity foundations
• Traceability
• Infrastructure protection
• Data protection
• Incident response

You’ve already studied all of these.

Domain 6 exists to show how they fit together.

AWS wants you to think:

• Holistically
• Long-term
• With trade-offs in mind

On the exam, this shows up as:

• “Which solution is the most scalable?”
• “Which approach reduces operational overhead?”
• “Which option aligns with AWS best practices?”

Governance favors simplicity, repeatability, and clarity.

5. Policies, Standards, and Automation

In AWS, policy without automation is aspirational. Automation without policy is dangerous.

Strong governance includes:

• Infrastructure as Code (CloudFormation, Terraform)
• Automated security checks
• Preventive controls (SCPs, Config rules)
• Detective controls (GuardDuty, Security Hub)
• Corrective actions (Lambda-based remediation)

Exam cue: If the question says, “ensure compliance continuously”, the answer involves automation, not manual review. Governance is what turns security into a system, not a on-going project.

Top 3 Exam Gotchas: Domain 6

Over-relying on IAM and neglecting the power of Service Control Policies (SCPs) for organization-wide governance.
Focusing on manual reviews instead of leveraging automation for continuous compliance.3. Choosing the most restrictive answer on the exam rather than the one that balances security, cost, and operational impact.
Key Takeaway: The “safe” answer is not always the correct one—look for governance and automation at scale.

6. Risk Management: Choosing, Not Eliminating

AWS does not expect you to eliminate all risk.

They expect you to:

• Identify it
• Understand it
• Accept, mitigate, or transfer it intentionally

This is why governance includes:

• Risk registers
• Compliance mappings
• Business context
• Cost-awareness

On the exam:

The “best” answer is rarely the most restrictive one. It is the one that balances security, cost, and operational impact.

Scenario Example: Rapid Growth, Real Governance

In 2024, a fintech company went from 10 to 60 AWS accounts in under six months. Security needed to prevent resource creation outside of approved regions and enable GuardDuty everywhere automatically.

Best Approach: The team used AWS Organizations to apply SCPs for region lockdown, combined with automated account bootstrapping scripts that enabled GuardDuty by default. This solution leveraged automation and organizational guardrails—demonstrating mature, real-world AWS security thinking.

Key Takeaway: AWS rewards answers that use policy-driven, automated, and scalable solutions, exactly as in this scenario.

7. The Martial Parallel: Structure Enables Freedom

In martial arts, beginners see rules as limitations.

Advanced practitioners see them as:

• Stability
• Efficiency
• Freedom under pressure and much more

A strong stance doesn’t restrict movement; it enables it. Security foundations work the same way.

When governance is clear:

• Teams move faster
• Incidents resolve cleaner
• Mistakes are contained
• Learning compounds

When governance is weak:

• Everything feels urgent
• Security becomes adversarial
• Teams work around controls instead of with them

8. Exam Patterns for Domain 6

Here’s how AWS tests this domain:

• Account-level controls → AWS Organizations + SCPs
• Preventing risky actions globally → SCPs
• Balancing speed and security → Guardrails, not micromanagement
• Scaling security → Automation and standardization
• Aligning with best practices → Well-Architected Framework

If the question asks:

“Which solution is easiest to manage at scale?”

Exam cue: Choose the centralized, automated, policy-driven option.

Final Capstone: The Six Domains as One System

Let’s put it all together.

Domain 1 — Detection
See clearly. You can’t secure what you can’t observe.
Detection creates awareness and prevents surprise.

Domain 2 — Incident Response
Move decisively without panic. Preparation and clarity turn chaos into choreography.

Domain 3 — Infrastructure Security
Shape the terrain. Segmentation, isolation, and least exposure reduce blast radius before attacks happen.

Domain 4 — Identity and Access Management
Decide who can act. Identity is the new perimeter. Precision here determines everything else.

Domain 5 — Data Protection
Guard what truly matters. Encryption, key management, and lifecycle controls protect the mission itself.

Domain 6 — Security Foundations and Governance
Hold the line without rigidity. Governance aligns people, process, and technology into a system that scales.

The Quiet Truth at the Center of AWS Security

AWS security is not about fear.
It is not about heroics.
It is not about locking everything down.

It is about clarity, balance, and intention.

The exam rewards those who:
• Pause before reacting
• Think in systems, not silos
• Choose scalable solutions
• Respect trade-offs
• Trust structure over force

That’s Zen. That’s architectural mastery. You’re ready.

When you sit for the exam, remember:
Awareness first.
Structure second.
Action last.

Everything else follows naturally.

Verification & Citations Framework | “Leave No Doubt”

Primary AWS Sources to Reference:

• AWS Shared Responsibility Model
• AWS Well-Architected Framework (Security Pillar)
• AWS Organizations Documentation
• Service Control Policies (SCPs)
• AWS Security Best Practices Whitepaper
• AWS Security Specialty Exam Guide (Domain 6)

Verification Boxes (Suggested Placement):

• After Shared Responsibility section
• After SCPs / Governance section
• After Well-Architected references

Quick Reference Checklist: Domain 6 – Security Foundations & Governance

Key Takeaways (Scan before the exam!)

– Shared Responsibility Model: Always clarify what AWS secures vs. what you control.

– Use AWS Organizations and SCPs for policy-driven, organization-wide governance.

– Automate compliance: favor Infrastructure as Code, automated checks, and auto-enablement of detective/preventive controls.

-Lean one the AWS Well-Architected Framework forbest practice alignment.

– Favore scalable, centralized, and policy-drive solutionsy in exam scenarios.- Always check the latest AWS documentation—services and features evolve quickly.

Final Tip: For scenario-based questions, ask: “Is this solution scalable, automated, and centralized?” If so, it’s likely the best choice.

Change Awareness Note:

AWS governance services evolve regularly. Always validate SCP behavior, Organizations features, and Well-Architected guidance against current AWS documentation. For the latest on each topic, see:

Shared Responsibility Model

AWS Well-Architected Framework

AWS Organizations

Service Control Policies

AWS Security Best Practices

Security Specialty Exam Guide

Does Nutrient Timing Matter? Yes, But Not the Way You Think

Stop obsessing over windows. Start building systems.

If you train hard, care about body composition, and want real-world energy, you’ve probably heard people say:

“You have to eat protein within 30 minutes of lifting.”
“Don’t eat carbs after 8 PM.”
“Fasting boosts growth hormone, just train fasted.”
“Breakfast is optional if your willpower is high enough.”

None of this is completely wrong, but none of them is 100% valid or effective for all, so don’t waste any mental space on them and focus on what’s been proven to work over decades.

Let’s cut through the BS.

The Truth About Nutrient Timing

Nutrient timing can matter, but it’s not the magic some claim, and it’s not completely useless like others claim.

It doesn’t override your daily totals. But it does influence:

How well you train.
How fast you recover.
How consistent is your energy, mood, and hunger?

Here’s the simplified hierarchy:

Daily intake = most important
Meal timing = performance lever
Meal composition = precision tool
Supplement timing = tiny bonus

Myth: If you miss the post-workout window, your workout is wasted.
Fact: Muscle protein synthesis remains elevated for hours; what matters most is your overall daily intake and rhythm.

Science Sidebar: Why does timing matter? Protein synthesis is elevated for several hours after training, so spacing protein throughout the day maximizes muscle repair. Carbohydrates around workouts help refill glycogen and lower stress hormones like cortisol.

What You Need to Know

1. Protein Timing

Protein intake is about distribution, not hitting a “window.”

Aim for:

25–40g of protein per meal
Every 3–5 hours
Starting within 1–2 hours of waking
Ending within 2 hours post-training

Even distribution improves muscle protein synthesis, recovery, and satiety. Research shows that even protein distribution (every 3–5 hours) is linked to greater muscle protein synthesis and recovery (Areta et al., 2013).

2. Carbohydrate Timing

Carbs are fuel, especially around training.

Pre-workout: 30–60g (1–2 hours prior)
Post-workout: 30–60g + protein (within 1–2 hours)

This replenishes glycogen, blunts cortisol, and enhances recovery.
It’s not “dirty.” It’s just useful.

3. Fat Timing

Fat slows digestion. That’s helpful during the day but not ideal around training.

Keep fat moderate pre-workout. Go higher-fat during lower-carb meals later in the day.

Fat: It’s less about timing, more about portion. Eating a high-fat meal before training can slow digestion and make some people feel sluggish. Experiment with your pre-workout meals to find what feels best.

Generally: moderate fat at main meals, lower fat pre/post-workout.

Example Timing Strategy (Strength Training Day)

When I started having a balanced meal within 90 minutes of training, my recovery and afternoon energy noticeably improved.

8:00 AM: 3 eggs, oats, berries (protein + carbs + fat)
12:00 PM: Chicken, veggies, avocado (protein + carbs + fat)
3:00 PM: Pre-workout shake 1 scoop whey + 50g carbs from a fruit source
5:00 PM: Train
6:30 PM: Post-workout, beef and sweet potato + Kerry gold butter (protein + carbs + fat)
730/8 PM: Greek yogurt + whey or casein and a handful of nuts

Total protein: ~180-200g
Balanced carbs, front-loaded around training
Fats used to stabilize energy later

Action Challenge:

Pick one meal to move closer to your training time and one post-workout meal to optimize.

Your goal:

Protein: 30g
Carbs: 30–50g
Minimal fat
Eaten within 1–2 hours of finishing your workout

Coach’s Corner:

Don’t try to “hack” your metabolism with clever meal timing.
Build rhythm that supports your output.
Use timing to reduce stress, not increase it.

Key Takeaway:

Nutrient timing isn’t magic; it’s just another way to support what matters most: consistency and recovery.

Timing isn’t a rulebook. It’s a framework. Daily totals matter most, but if you train hard, timing helps you show up stronger, recover faster, and stay more consistent.

Next Week: The Carbohydrate Question

Once your daily intake is dialed in and you start thinking about timing, the next question always comes up:

“Do carbs still matter? Or should I be avoiding them?”

That’s where we’re headed next. In Week 4, we’ll break down the truth about carbs. Not hype. Not fear. Just what they actually do, and how to use them to train, recover, and function better in daily life.

Security Without Pessimism: Why “Just One Click” Can Still Break Everything

The Myth of the Harmless Click
It’s late on a Friday afternoon. You’ve taken back-to-back phone calls, your inbox is overflowing, and your caffeine is slowly but surely fading. Then comes one last email. It’s something from HR about a new hire policy update.

You click, skim, and move on.

Five minutes later, that “harmless” click starts a slow-motion domino fall. Credentials harvested, tokens stolen, access expanding, all before you’ve even closed your laptop.

People think, “It was just one click.”
That’s the point. It only ever takes one.

The Domino Effect
Here’s what happens after that moment most people never see.

That fake login page doesn’t just steal your password, it grabs your session cookies, mimics your device fingerprint, and jumps the line of trust. Suddenly, it’s you logging in from a new location, sending a file, approving an invoice.

Once inside, attackers don’t move fast. They move quietly. They study your company like a playbook, structure, tone, and approval chains. The next email they send looks even more real because it’s built with your real data.

By the time anyone notices, the damage has often been done for days.

But why do we fall for it? The answer isn’t carelessness—it’s psychology.

The Psychology of the Click
No one falls for this because they’re careless. They fall because they’re human.

Attackers know when we don’t double-check: near quitting time, maybe when you’re experiencing that post-lunch carb crash, or when you’re in a rush to make that 9am meeting. All of those moments when we see what we expect to see. They don’t need to hack your brain, they simply nudge it the right way.

Speed, familiarity, and trust are their sharpest weapons, which is why “training” alone doesn’t solve the problem. Awareness isn’t a habit. The mind knows better, but the hand clicks first.

How Attackers Exploit Normalcy
Modern phishing doesn’t seem sketchy; it seems routine.

They copy internal phrasing, familiar names, work to perfect internal branding. The trick isn’t panic anymore, it’s comfort and familiarity.

Common triggers:

“Quick update before the weekend.”
“Need approval by end of day” or “close of business.”
“Can you confirm this invoice?”

Nothing dramatic. That’s the point. The hook isn’t fear, it’s familiarity.

How to Build a Click Buffer
You can’t eliminate every threat, but you can slow the chain reaction.

Build a Click Buffer. Think of it as a two-second pause that keeps good habits automatic:

Hover before you click. Make it reflex.
Check the sender domain. If it looks almost right, it’s wrong.
Stop treating “urgent” as a priority. Urgency is a tactic, not truth.
Ask IT. They’d rather you check 100 false alarms than clean up one breach.

A brief pause can equal a big payoff. Security starts with seconds, not software.

Culture Over Blame
Here’s where most companies stumble: they turn mistakes into shame. Someone clicks a bad link, and suddenly they’re the subject of the next slide in “staff security awareness training.”

That doesn’t build security, it builds silence.

A healthy culture rewards curiosity. If people feel safe saying, “Hey, I think I messed up,” the damage stops faster, every time.

You can’t stop every click. However, you can build a team that identifies, shares, and learns from mistakes before they spiral out of control.

Final Thought
The real security upgrade isn’t another tool or rule to apply, it’s simply learning to breathe and take a little extra time to pause before you click.

One breath before the click. One second to hover over the link.
One habit that keeps the rest intact.
That’s not fearmongering.
That’s just good hygiene.

If you found this helpful, please share it with your team or reflect on your own scanning and clicking habits. Security is a team effort and every small pause makes a difference.

The 5 Biggest Meal Prep Myths and What Actually Works for Real People

Meal prep gets talked about so much these days, you’d swear it’s a personality trait. It’s always rigid, joyless, and maybe just a little smug. But the truth is, prepping food isn’t about discipline for its own sake. It’s about simplifying the week so you can think less about logistics, saving money, and staving off adverse health effects, and more about living your life.

While you’ll often see phrases like “may help” or “might improve” online, real data and everyday experience show what actually works. Here’s what makes a real difference for people like us.

Myth #1: “Meal prep means eating the same thing every day.”

Reality: Meal prep doesn’t mean you have to eat chicken and rice every day until you’re sick of them. The real goal is to make healthy choices easy and convenient.

Try prepping ingredients instead of full meals. Grill or roast some proteins, cook a few types of carbs, and chop up veggies. Then, mix and match them throughout the week—maybe smoked salmon over greens one day, steak and rice another, or yogurt with fruit when you need something quick.

What “the science” says: Research from the International Journal of Behavioral Nutrition and Physical Activity found that people who plan their meals tend to have more diverse diets — not less. It’s the planning that makes variety possible, not spontaneity.

Myth #2: “Prepping takes too much time.”

Reality: Spending a few hours on Sunday or Saturday can save you from stressful evenings all week. Even just washing produce, boiling rice, or portioning fruit ahead of time can make your weekdays much easier.
And it’s not just about time. People who spend even 30–60 minutes a day preparing food eat more vegetables and fruit (University of Washington research, 2014).

The time’s going somewhere either way, you can spend it prepping intentionally, or you can spend it waiting in drive-thrus.

Myth #3: “Meal prep is only for people trying to lose weight.”

Reality: That idea is just a marketing myth. Meal prep isn’t only for losing weight. It helps you avoid making poor choices when you’re hungry and supports your long-term health.

Sure, portion control helps. But more importantly, prep stabilizes your energy and makes fueling performance automatic. Whether you’re lifting, coding, or commuting, your brain and body both need steady inputs.

Home-prepped meals consistently come in lower in sodium and saturated fat, not because they’re “diet food,” but because you’re in charge of the ingredients.

You’re not dieting; you’re planning to succeed, not to fail. When in doubt, always rely on PPP, proper prior planning, and it’ll save you in countless scenarios.

Myth #4: “It’s cheaper to just grab takeout.”

Reality: The numbers don’t lie. Data from the American Journal of Preventive Medicine shows that people who cook at home spend significantly less on food than those who eat out. Prepping helps you shop with purpose, so you buy only what you need. You waste less food and make your ingredients go further.

Pro tip: Using convenience items still counts as meal prep. Things like pre-washed greens, frozen veggies, frozen fruits, or rotisserie chicken can make things easier. Being efficient is smart, not cheating.

Myth #5: “Healthy meal prep means going ‘Paleo,’ ‘keto,’ or you’re “cutting carbs.”

Reality: Restrictive eating styles burn people out. The goal is consistency, not purity. You don’t have to eliminate carbs, especially if you train. Always remember, persistence over perfection.

Your brain and body work best with carbs. Foods like fruits, vegetables, potatoes, and white rice help you perform and recover, especially if you’re working out.

Coach’s Note: We eat well today for optimal performance tomorrow. — **Coach’s Note:**
We eat well today for optimal performance tomorrow.

Whether your training is on the mats, in the gym, or at your desk, food is fuel, not a moral test.

The Bottom Line

Meal prep isn’t about being perfect, it’s about being consistent. It’s a simple way to get back your energy, time, and control in a world full of distractions. Eat well, keep your plans simple, and stick with what works.

Progress comes from following through, not from always trying something new.

The Art of Cyberwar | Part I | The Illusion of Truth

The principle:
All warfare is based on deception. —Sun Tzu

In warfare, there’s a certain irony in how often truth becomes a casualty before the first shot is ever fired. As an American, that line from The Art of War has always carried extra weight. Our history is full of moments when deception wasn’t just a tactic on the battlefield; it was the spark that lit the fuse.

From the smoke and mirrors of the Spanish-American War to the Gulf of Tonkin and the blurred motives of the Gulf Wars and the Global War on Terrorism, we’ve seen how perception shapes permission. Wars don’t always start because one side is stronger; they start because one story feels true enough to believe.

And since “All warfare is based on deception,” Sun Tzu went on to say:

When you’re able to attack, you must appear unable. When using our forces, we must seem inactive. When we are near, we must make the enemy believe we are far away. When we’re far away, we must make him believe we are nearby.

We must hold out bait to entice the enemy and then crush him. If he is superior in strength, evade him. If your opponent is overconfident in nature, seek to provoke him. Pretend to be weak, so that he may grow arrogant and attack when he otherwise wouldn’t. Attack him where he is unprepared, appear where you are not expected. If he is trying to take rest and recover, give him no rest. If his forces are united, divide them.

The general who loses a battle has made only a few calculations beforehand. Thus, many calculations lead to victory, and making only a few calculations ensures defeat. By paying attention to these points, I can foresee who is likely to win or lose.

Deception as Strategy

The principles articulated by Sun Tzu extend beyond the battlefield to broader strategic contexts. His observations highlight the value of misdirection for leaders and strategists. The objective is not to create disorder, but to control perception and attention. In both conventional warfare and digital security, success frequently depends on understanding the adversary’s perception of reality. This principle underpins the effectiveness and prevalence of social engineering tactics.

Contemporary deception strategies have shifted focus from traditional military maneuvers to achieving information dominance. Modern tools include manipulated narratives, deepfakes, phishing campaigns, propaganda, and misinformation. These methods target cognitive processes rather than physical harm. Once individuals accept misinformation as truth, further manipulation becomes significantly easier. The Committee on Public Information, the United States’ World War I propaganda agency, exemplifies institutionalized information control.

Cybersecurity’s Ethical Deception

In cybersecurity, deception is employed with the intent to enhance defense mechanisms. Techniques such as honeypots attract attackers, sandbox environments facilitate malware analysis, and red team exercises simulate adversarial tactics to maintain robust security postures.

In this context, deception functions as a defensive measure rather than an offensive tool. It is utilized to identify vulnerabilities rather than to exploit them. The underlying principle that can mislead a nation may, when applied ethically, serve to protect it. The distinction lies in the intent: defense and awareness as opposed to manipulation and illusion.

Both approaches depend on psychological insight and require strategic foresight. However, only defensive deception is fundamentally grounded in ethical integrity.

The Martial Mirror

Martial artists understand deception in its purest, most physical form. A feint isn’t a lie, it’s a question. In Wing Chun, they’re called “asking hands.” You draw your opponent’s attention, focus and/or movement one way to reveal where they’re vulnerable. The best fighters aren’t those who hide, but those who read intent faster than it’s shown. It’s why attacks on the halfbeat are so effective. But, that’s a lesson for another time.

Cybersecurity employs similar principles. Confrontation is not always optimal; instead, threats are redirected, absorbed, or neutralized preemptively. The discipline emphasizes anticipating patterns before they fully emerge, rather than merely reacting. This approach is often described as the art of fighting without fighting.

The Modern Maxim

“Deception reveals more than it hides, it shows what we most want others to believe.”

In this context, each act of deception simultaneously reveals underlying motives, strategies, and tactics.

For those responsible for safeguarding systems, individuals, or factual accuracy, the task often begins where clarity diminishes. The primary challenge is not to eliminate deception entirely, but to recognize and understand it without compromising ethical standards.

The initial action in any conflict, whether digital, physical, or psychological, is seldom a direct attack; it is often the creation of a narrative to tell. The essential responsibility is to accurately identify threats based on objective analysis, rather than relying solely on presented information. Illustrating the everlasting importance of learning the principle of this story: All warfare is based on deception.

Forty Point Two

3, 2, 1 get some!

Five weeks ago, I pulled a 41.3-second 250 meter row. Today, I hit 40.2. Just over a second faster.

Most wouldn’t notice the difference, but if you’ve ever chased improvement in anything, lifting, rowing, writing, or career-related, you know what that second really means.

It’s not one test. It’s everything between the test and the retest.

Early mornings. Late nights. Lifting after focusing on a screen all day, securing cloud configs, writing incident reports, and drafting security policies. Endless meetings, collaborating with stakeholders, or staying disciplined enough to meal prep when convenience is whispering your name.

The first test showed where I was. The weeks that followed demonstrated what I was willing to do to get a little bit better every day.

That one second didn’t come from luck. It came from honesty. From taking stock of where my form slipped when fatigue hit, where breathing got shallow, where my leg drive gave too early, and where comfort started whispering, “Hey man, you’ve done enough.”

It came from the same place real growth always hides: the re-tests, not the first runs. Every domain follows the same law: test, learn, refine, retest. That’s how systems harden. That’s how people do, too.

The next time you test something, whether it’s a lift, a sprint, IAM permissions, or a personal limit, remember this: progress rarely looks dramatic as it happens. It might seem minor, but the one second I cut over five weeks shows the value of steady effort. Others might have said, “Hey man, that 41.3 is pretty damn good for a man your age.” For me, that will never be enough.

What “the science” says:

Power output was 673 Watts
VO2 Max is 68.5 ml/kg/min
Faster than 95% of male rowers your age
89% faster than all male rowers

No matter what, 41.3 → 40.2 is proof that attention to detail and small improvements over time are earned, never issued, and that’s the real story.

Strength & Resilience: Why Chaos Is the Real Teacher

henry rollins matt shannon cloud security — The Iron Never Lies — Henry Rollins

High-intensity training is humbling. Fatigue strips away polish and shows where your skills really break down. As the old saying goes, “the iron never lies,” and neither does the clock. Chaos reveals the gaps.

We like to think we’re smooth and calm under pressure, until that pressure arrives. The same principle applies whether you’re under a heavy barbell, in the final round of a sparring session, or defending a network: stress exposes your true level of expertise.

In a breach, system failure, or when your team runs on caffeine and instinct, you see what you practiced well and where things collapse.

Here’s why training under ideal conditions often lets us down, and why we must look beyond comfort:

How to Train for Chaos
* Red-team drills. Simulate unexpected, worst-case attacks, not the ones you anticipate.
* Tabletop exercises. Practice response under a running clock; short timeframes sharpen decisions.
* Fatigue training. Follow the playbook while tired, short-staffed, or distracted because reality won’t wait or be kind.

Training in perfect conditions makes you comfortable, but it doesn’t make you stronger. You build real resilience when things get tough and you keep going anyway. Always strive to step out of your comfort zone.

The goal isn’t perfection but adapting to exposure, building composure, and staying focused when plans collapse.

The Martial Parallel

Sparring isn’t about perfect technique; it’s about applying skills under unpredictable pressure. You rarely win every round, but you improve because chaos clarifies. If you win every round, find new partners! Progress demands resistance.

In cybersecurity, the same holds true. Incidents are sparring. They test you, which can be painful, but they can also be educational. You learn to breathe, recognize patterns more quickly, react decisively, and stay calm when alarms go off.

Real strength isn’t proven in stillness; it’s proven in motion.
Resilience is forged where control slips away.

Overreach Is the Enemy of Resilience

History shows that the biggest threats to national security, safety, and sovereignty usually come from within. Empires, and leaders, often fail not because they are weak, but because they try to do too much, too quickly, and often end up heading in the wrong direction.

The Yalta Conference in February 1945 brought together Churchill, Roosevelt, and Stalin in an alliance of necessity. Few in the 1930s could have imagined democratic America and Britain siding with Stalin’s Soviet Union; yet necessity led to a partnership with lasting consequences.

The alliance beat Nazi Germany, but it also allowed the Soviet Union to spread into Eastern Europe, which led to the Cold War. The key takeaway: short-term use of power without considering long-term impact can resolve immediate issues but create new, lasting problems.

The same risks are present in cloud security today. Trying to do too much still undermines resilience.

Why Overreach Happens

Overreach is a common trap. If having some power is good, it’s easy to think that having more is better. In cybersecurity, this often happens because of:

Fear of falling behind leads teams to adopt new tools without a clear strategy.
Vendor pressure, with marketing insisting, “If you don’t have this, you’re insecure.”
Internal signaling, where having numerous tools initially appears impressive, but problems soon emerge.

Historical Lessons: The Cost of Overreach

Germany in WWII: Too Much, Too Fast

Germany under Hitler is a classic example of overreach. In 1941, the Nazis invaded the Soviet Union. Initially, their advance was rapid, and they gained significant territory. However, German forces became overstretched, supplies dwindled, winter conditions set in, and the supply lines became unmanageable. What appeared to be a demonstration of power ultimately contributed to their downfall.

Lesson: Expansion without capacity undermines itself.

Japan: Provoking Too Many Enemies

Japan’s decision to attack Pearl Harbor in 1941 reflected a similar flaw. In pursuit of empire across Asia, Japan provoked a much larger adversary: the United States. Instead of consolidating its position, this overreach led to a conflict Japan could not sustain. Lesson: Overreaching creates adversaries you can’t manage.

The Allies: Yalta’s Unintended Consequences

Even the victors faced challenges. The Yalta alliance was necessary at the time, but also carried significant risk. By permitting the Soviet Union to expand into Eastern Europe, the Allies set the stage for forty years of Cold War tension, arms races, and indirect conflicts. Gaining power in one region led to new risks elsewhere.

Lesson: Gains made without foresight can create future vulnerabilities.

The Cost of Overreach in Cloud Security

The same dynamics play out in modern cybersecurity:

Integration gaps: When you have too many tools, it’s like an army spread too thin—there are weak spots attackers can find.
Alert fatigue: More dashboards overwhelm teams, dulling response rather than sharpening it.
Diluted focus: Chasing new tools causes basics (IAM, logging, patching) to be neglected.

The main takeaway is that the paradox is that spending more and adding complexity often reduces resilience rather than strengthening it.

The Better Path: Discipline and Restraint

History points to a better approach. Resilience isn’t about growing without limits. It comes from balance, self-control, and getting the basics right.

For nations, that means understanding the limits of alliances and occupations. For cloud teams, it means:

Focusing on fewer, stronger tools that integrate smoothly.
Start by mastering the basics: IAM policies, patching cycles, logging, and monitoring. These may not be exciting, but they are essential.
Resisting the urge to sprawl. Don’t buy tools or add features for the sake of appearances. Invest only where it truly adds resilience.

Closing Parallel

Yalta reminds us that even the strongest powers can make bargains that carry unintended consequences. Overreach may appear to be a sign of strength in the moment, but it often sows the seeds of weakness for the future.

In cloud security, the same is true. More tools don’t equal more safety. Complexity can backfire. Overreach creates vulnerabilities. The key lesson: resilience means mastering the essentials and exercising discipline, not doing more for the sake of it. This is as true in geopolitics as it is in cybersecurity.

Where have you seen overreach undermine resilience in your organization?

Want to dive deeper into the history and strategy behind these lessons? Here are some recommended reads:

The Origins of The Second World War, by A.J.P. Taylor
Depression, War, and Cold War: Studies in Political Economy, by Robert Higgs
Churchill, Hitler, and “The Unnecessary War”: How Britain Lost Its Empire and the West Lost the World, by Patrick J. Buchanan
The New Dealers’ War: Franklin D. Roosevelt and the War Within World War II, by Thomas Fleming
The War That Ended Peace: The Road to 1914, by Margaret MacMillan
Paris 1919: Six Months That Changed the World, by Margaret MacMillan

Progress Isn’t Linear, in Martial Arts or Cybersecurity

Progress isn’t linear. Martial artists learn this the hard way. One day you nail a three punch combo finished with a clavicle crushing elbow; the next, you stumble over the same movement combination you were hitting regularly just a couple days before. Some weeks, you level up quickly, while others days you’ll hit stumbling blocks. Always approach your wins and losses with the same humility.

Cybersecurity follows the same rhythm. Just as martial artists face setbacks, security professionals experience their own ups and downs. You patch systems, close vulnerabilities, and tighten configurations. Then a new zero-day vulnerability emerges, or an audit reveals previously unaddressed blind spots. It feels like sliding backward.

That slide isn’t a failure, it’s where progress truly forms.

The Myth of Linear Progress

We often imagine progress as, although slow, always moving upward. Reality is less predictable.

Perfection Bias
We assume improvement should always feel smooth. However, mastery, in both martial arts and cybersecurity, is a jagged path. The dips are where the depth develops.
The Comparison Trap
We see others’ highlight reels, the black belt breaking boards, or the company posting its “zero vulnerabilities” report, and mistake it for constant progress. Behind every clean result lies a mess of mistakes, patches, and failed tests.
Forgetting That Setbacks Build Strength
Regression often signals deeper adaptation in progress. In training, it’s when you refine mechanics. In security, it’s when you reinforce foundations.

Why Steps Back Matter

Plateaus and regressions aren’t detours; they’re checkpoints. They test persistence. Anyone can stay motivated when everything goes as planned; resilience forms when it doesn’t.

They reveal gaps in fundamentals. A failed pen test or misconfigured IAM or conditional access policy highlights what needs real attention. They build humility and precision. Overconfidence blinds; setbacks sharpen focus.

On the mats and in the SOC, mastery isn’t about avoiding mistakes, it’s about learning faster from them.

The Cybersecurity Parallel

You don’t know what you don’t know so every incident teaches you something you didn’t know you needed to learn. Every vulnerability scan reveals details you may have overlooked. It isn’t failure. It’s your system adapting, like a martial artist’s mind & body.

A martial artist doesn’t quit after a rough sparring session. They analyze what went wrong, refine their techniques, and return smarter & stronger. Security teams should do the same. A missed vulnerability isn’t a defeat; it’s a mirror. It can show you where your technique slipped & where to tighten your counter-offensive skills.

From the Mats to the Data Center

Both disciplines thrive on discipline, reflection, and repitition:

Training drills = Routine audits. Each repetition builds muscle memory for fighters and for security teams.

Pad work and shadow boxing = Playbooks and runbooks. Practicing in controlled settings builds confidence under pressure.

Sparring = Incident Response sims. You can’t simulate chaos perfectly, but you can train to be calm, and respond correctly, in chaos. That’s why you just keep training and doing reps over and over because each time your partner responds differently but you’re learning to respond with the correct technique every time.

Every repetition, every submission attempt, every punch, every kick, or incident response builds competence and confidence. Every CVE update, OWASP update or vulnerability scan creates visibility and awareness.

The Real Skill of a Black Belt: The Ability to Adapt and Overcome

In martial arts, the belt color doesn’t make you untouchable; it signifies you’ve learned and adapted more than others. In cybersecurity, it’s the same. The strongest organizations aren’t flawless; they’re mobile, agile and when necessary, hostile.

Adaptation beats perfection. Reflection beats reaction. Resilience beats your comfort zone. So the next time your scan lights up with new vulnerabilities or your red team exposes a blind spot, don’t get discouraged. It’s just another training session.

Final Thought

Progress, whether in close range combat or in your code, isn’t about avoiding setbacks. It’s about showing up again after them. The real win isn’t being unbreakable, it’s being unshakable.

Keep patching. Keep learning. Keep moving. Progress isn’t linear, but staying adaptive always drives you forward. Or, as it was once famously said, “Be water my friend.”

Cloud Security and Meal Prep: The Routine That Saves You When It Counts

Whether you’re a cloud engineer, a school IT lead, or just someone juggling a lot of responsibilities, you know routines matter. Here’s how a few simple habits, both in the kitchen and in the cloud, can make all the difference when things get hectic.

Meal prep can feel like a grind: chopping, portioning, stacking containers into neat rows. Yet when a demanding week hits, that fridge full of ready-made meals is your quiet victory. It’s proof that routine pays off when pressure arrives.

Vulnerability scanning and patching works similarly. It’s repetitive, rarely celebrated, and usually annoying. But consistency is what saves you during mission-critical moments, when vulnerabilities surface or threat actors strike.

The Problem with Patching

Patching never ends. There’s always another round of updates, another CVE, another “critical” bulletin. The challenge isn’t just time, it’s motivation.

It’s endless. You finish one cycle only to start another.
It’s invisible. No one notices the breach that never happened.
It’s easy to delay. “We’ll patch later” often becomes “we wish we had.”

In cloud environments, the pace is faster. Systems scale dynamically, microservices update constantly, and the attack surface grows by the minute. Skipping one patch cycle is like skipping a week of prep: you won’t feel it right away, but the fallout is inevitable.

The Solution: Treat It Like Meal Prep

The way through is rhythm and habit, small, consistent actions that compound into resilience.

Automate Where Possible
Just like batch cooking, automation saves time and reduces errors. Use tools like AWS Systems Manager Patch Manager, Azure Update Management, or Google Cloud OS Config to deploy updates automatically across fleets. Automate notifications and reporting as well, so visibility remains high without incurring manual overhead.

Pro tip: If you’re new to automation, start small by piloting auto-patching in a test environment before rolling it out everywhere.

Schedule Cycles and Stick to Them
Create predictable patch windows: weekly for endpoints, monthly for servers, rolling updates for cloud workloads. Align these cycles with CI/CD pipelines to ensure updates integrate seamlessly with development. Repetition builds trust in the process and limits downtime surprises.

Make It a Habit
The goal isn’t to be a hero, but to be consistent. Prep your meals each week, patch your systems on schedule, and review your process every month. Eventually, these steps just become part of your routine.

The Payoff: Prepared Beats Panicked

When a zero-day hits, the teams that patch regularly move smoothly through the chaos. Their systems are up to date, their dependencies are tracked, and their processes are tested. The rest scramble for emergency fixes while downtime bleeds into dollars.

Routine patching does more than fix vulnerabilities. It helps you stay calm when things get stressful. This steady discipline keeps your operations running smoothly, even when others are scrambling.

Final Thoughts

Security, like nutrition, doesn’t come from sudden bursts of inspiration. It comes from doing the same things regularly. The calm, controlled and protected environment you want later depends on the boring discipline you practice now.

Stay consistent, use automation thoughtfully, and patch your systems the way you meal prep: always ahead of time. This is how you keep both your systems and your peace of mind when things get tough.

Tag: makeithabitual