When I graduated from high school, I went off to study Engineering and Computer Science—the normal next step for a kid from a long line of scientists and engineers. Bob, my best friend since the age of two, decided to go to “Ringling Brothers Clown College.” Yes, that was a real thing; he ran off and joined the circus.

Clown College seemed unusual by any objective standard, even for those who wanted to study performance. The traditional next step would have been to go to acting school or enroll in a theatre program. Bob explicitly didn’t want to take the usual, incremental “next step.”

Instead, Bob decided to shake up the etch-a-sketch, and do something new. He brought with him the knowledge from previous experiences, but none of the baggage from when one follows the well-worn path.

Constant Change

After a distinguished circus career, he changed again and started a magic shop. After that, he became a full time magician, and then started a karate school. Each time he succeeded, learned what he could, and then did something completely new.

I realized that he was able to start over because he could afford to take the risk. Each time, Bob had enough prior success to cover his downside should things not go well and enough self-confidence to try a new pursuit. He would get to learn something new and apply those skills in later endeavors.

Each time Bob traded a job in which he had “picked all of the low-hanging fruit” - in which incremental success would come slower and with greater effort - for one in which he could more rapidly deliver value. In essence, he swapped a tree with no low hanging fruit for an entirely new orchard!

My Journey

I’ve tried to do something similar. Since leaving IBM many years ago, I’ve been the CEO of three startups. I’ve also been the CTO of two public companies and the CMO of a third. When I’ve contributed what I can, and begin to get too comfortable, I offer my thanks and find something entirely new to do.

This happened most recently when I was CTO of TD Ameritrade. It’s a great company with fantastic prospects. After four years, my team had achieved their objectives and had shifted focus to new platforms, emerging technologies, and reducing technical debt.

It was fun, but the period of rapid gains through thoughtfully designed innovation practices, risk mitigation, throughput, and efficiency had leveled off. There is always more that can be done, and things to be improved, but we had picked the low hanging fruit. It was time to start thinking about my next circus.

I agreed to stay two more years to help meet some new objectives. After six years, I left TD Ameritrade and started a cyber security incubator and build studio; a company that creates start-up companies.

My New Circus

Start-ups seem to have a lot in common with a circus; an overwhelming frenzy of activity, risk-taking excitement, fun, and a ringleader (I’ll skip comparisons involving clowns and animals). Start-ups are an opportunity to completely commit to an idea and see it through for clients.

They are high risk, high return because you are working without a safety net…but in exchange they offer the freedom to execute with levels of agility that larger firms generally can’t match. Large firms have horsepower, but startups have Formula 1 race car steering. An incubator building multiple start-ups is like a three-ring circus: one ringleader, common infrastructure, and three times the chaos!

Why cyber security? Cyber is one of the few areas of risk management that isn’t random. Motivated attackers have a specific purpose, and continuously evolve their methods. I like to say that “we only play defense against people who only play offense,” so defenders have to out-evolve attackers.

I recently gave a talk at the Wall Street Technology Association’s Cyber Security conference, in which I explained that the key to winning as a defender is to not play the same game as your adversary. You can’t win a game in which you only defensively react - you can only defer losing.

Staying Ahead

Instead, we must predict emerging capabilities that attackers will acquire, and create entirely new defense methods first. When data breaches reveal secret information that let bad actors compromise client authentication and take over accounts, we need to flip the model; we need to authorize client activity instead of trying to incrementally improving authentication.

When faster computers can break the encryption on stolen files, we need to find new ways to protect data by making it impossible to find and steal instead of trying to incrementally strengthen encryption. When tens of millions of consumer devices can overload Denial of Service mitigation providers, we need to find ways to tell the Internet how to give preferential treatment to traffic we like instead of just adding capacity to our mitigation. Winning as a defender is about Changing The Model (CTM) so that attackers capabilities don’t apply.

Changing the Model

I started my incubator, CTM Insights, to invest in solving problems like these. We collaborated with Akamai, Google, Comcast and others to create a solution for adding trust to the Internet. We recently launched our first company, The Authoriti Network, that allows consumers to authorize high-risk activity (sharing data, transferring money, etc).

Authoriti changes the model from improving authentication to adding multi-factor authorization. And there is more to come.

What’s Bob up to now? He shook things up yet again and is now starting an acting career. His new circus will let him apply what he already knows about entertaining to a new discipline. I suspect he will rapidly succeed in a new orchard full of low-hanging fruit.