Banana Trap Too

or . . . The American Monkey Trap, Revisited

or . . . Defending the Awareness Praxis

Do you remember the movie Defending Your Life? Early 1990s, starring Albert Brooks and Meryl Streep? A simple premise: when you die, you go to a place called Judgement City, where you must defend the decisions you made in life. Our SOC Manager Bryan Bonnell, who has been tolerating my quirky articles for at least a decade now, said he loved that movie. So it must be cool!

The movie opens with Albert Brooks’s character driving a brand-new BMW, happily fiddling with a CD, while navigating traffic. One small distraction later, he drives straight into a bus. That’s how he ends up in Judgement City — he fell into a state of unawareness.

Defending Your Life began the way my article, “The American Monkey Trap” almost ended. For those who missed it: “The American Monkey Trap” explored how we tolerate technology that doesn’t work, simply because it’s familiar. It was published in 2016, by the time we were understanding what social media was doing to our culture. The article addressed our technology addiction, ending with my warning about driving with cell phones, because while a car crash scene started Defending Your Life, a car crash scene almost ended my article.

Almost ended.


On a Thursday this month . . . July 24th . . . we will celebrate the 25th year since the founding of infotex.

And Stacey and my retirements.

As I look back on those twenty-five years, I am first and foremost grateful to people, starting with those who worked on the Hadaway Brothers Farm, and including the people I met at various college jobs like Herman Bellum, who taught by example that if you take care of those who elect you, everything else will fall into place.

Though my degree is in architecture, my career was writing philosophical declarations. I liked to declare things, from “Technology Kills” and “Post-Missilism Lives” in college, to “Watch what you want, when you want” in the 80’s. Early in my career I was published, just like my friend Tim Grzegorek, in national trade magazines about the video retail business. I’m grateful to Jacki Spilker, who sponsored my rise in the “greatest video store chain in the universe,” (another declaration), and to Mark Spilker, who taught that “the customer is omnipotent, all else comes second.”  He also taught me a thing or two about how to exit a business.  But I have spent the last 25 years of my life asking, “what would Mark and Jacki do?”

Because of Mark and Jacki, I’ve been lucky to know the likes of amazing network engineers like Jason Rubsam, Glenn Miser and Dennis Baker, and software engineers like Eric Gentry, Marc Blair, and Roger Kron. They benefited from “users” like Tim Grzegorek, Howard Griggs, Ray Klinker, Angie Rooz and Kent Corbin. They were all there, when I met Stacey at the Videoland Business Office, whose sign I still have in my yard.

I am extremely grateful for my “one big failure” in life, Karma Music & Video, which taught me that there is power in impotence, and that “being willing to be wrong” can cost a lot of money. But I made some great friends anyway. Larry and Carrie, Drew and Jerry, Carlos and Reggie, Cheryl and Jason – if you ever look me up, this paragraph is for you! And it was there, in that little record store, that I befriended Michael Kelsey, the “local artist” who will lead us through the infotex jam.

I also met my friend, Joe Cychosz, while there. Joe introduced me to Jessica Bussert, who taught me how to sell. I talked her into considering Systems Design and Analysis as a service, then she let me provide that service. I owe so much gratitude to the people I met then – Jeff Brambora, Matt Jonkman, Dan Smith, and Tim Fuller. And Josh and Sharon, of course. And Jessica.

And then I talked three CPAs – Chuck Bucheri, Greg McCarty, and Ron Metz, into letting me start a technology company . . . whose name was short for information architects . . . that would end up teaching the art of cybersecurity to community banks in Indiana, Ohio, Illinois and Kentucky.  We are so grateful to the various consultants and paraprofessionals they rented us from time to time. Ron declared “take care of the Client, all else takes care of itself,” and he was right. I also learned the art of auditing and consulting from them, their team, and their Clients, like Ray and Scot, our first Clients!


All these people, and thousands more, deserve my unwavering gratitude.
I hope they look me up in my retirement.

But I am also grateful to the very notion of being a “small business owner.” I get to write long articles like this one, and teach amazing people to run companies. Michael Hartke’s been running infotex for about three years now, and it’s amazing to watch everybody grow. He writes about our 25th anniversary, and I’m loving the vision he lays out.

But because I am an owner of the company, I get to write articles with titles like “Never Say Never, a Password Manifesto,” “I as InTelligence,” “Sharpen Your Saw,” “The Trolley Problem,” “The Magnificent Seven,” and “R7”. And use word play with those titles, like “How to Review a SOC-1 or Too” . . . where I just noticed somebody on our team changed the title (again) back to How to Review a SOC-1 or Two.  Arrrgh!  But at least they’re doing their job!

Or the title of this article – “Banana Trap Too.”

I get to make up words. “Vigilize.”

I made up words from the beginning.  Videoland saw “Used Preorders,” “Pychotronic,” and “Video Outdex,” not to mention “Secopa Caterpillar,” a term I used in my talks about productivity, and took into my leadership years at infotex, until Michael Hartke helped me realize the name of the caterpillar I could not remember was “Processionary Caterpillar.”  Great bit of research by Michael there, and that was before ChatGPT!

To the chagrin of certain regulators, I get to refer to a certain company as “The Ransomware Company,” in our vendor management program.

I get to make up, and make everybody use, phrases like “Enlighten, not frighten” and “Awareness is 9/11’s of the Battle” or “The Five Precepts of Vendor Management” or “The Four Agreements of a Well Cybered Contract.”

I get to moderate conferences as pirates and cowboys, and play the guitar and harmonica during talks.

I get to use my daughter’s cartoon artwork in my talks, culminating in Joe and Jane and our cast of bank characters.  What Jacki started as a third grader became a part of our brand, and we bring Joe and Jane ISO and a cast of cartoon characters, including me, into all of our talks.

Though I wanted to be a band director or a writer as a child, I took my architecture degree into the video business instead. But as the business owner, I integrated music and writing into almost everything we do at infotex. “The Risk Assessment Song” is our most viewed educational video. Our customer appreciation event is called the infotex jam. The music behind our movies is by yours-truly.

I call myself a CyberPoet.

And declare things like “Client is a proper noun, and thus infotex should not be capitalized.”

And I write this blog.  One of the loves of my life.  When my children, Dani and Jacki, refer to infotex as “the third child,” they don’t know about the fourth child: Dan’s New Leaf.

Of the 400+ articles I wrote in the past 25 years, I am most proud of “The American Monkey Trap.” Or heck, since I own the company, LOL, let’s use AMT for short! (And use LOL in my articles!)

AMT may not be my most popular article, which by far is the Password Manifesto, reprinted by real magazines, and duplicated in policy by Microsoft, about ten years later! The AMT is also not my “best” article . . . from a crafts perspective, not philosophical. I’d say that was the CATO article that was printed in the ABA’s Compliance Magazine, which I only have in hard-copy in a box somewhere.

I actually landed a second article for that magazine, where I was supposed to collaborate with somebody. As a retiring control freak, I’m now wise enough to admit that collaboration never came easy to me, because (I think) it was hard to stay focused on the Client. That all changed when we met Eric Kroeger of Virtual Innovation. We gravitated to each other because we both believed that if you took care of the Client, everything else would fall into place (just like Ron Metz preached). And this happened right when Bedel Security was getting started, and right when we were starting to approach the Ohio market.

In that short window of time called 2015, we established three of the greatest collaborations in my career. Eric Kroeger, Chris Bedel, and Jon Waldman have taught us so much, we really appreciate them as partners.


As Adam Reynolds will tell you, in his matter-of-fact auditor tone, “Dan writes a wide variety of articles.”

Technical articles and compliance articles and how-to articles. Articles meant to sell Clients on new controls and articles meant to squeeze additional value out of stupid controls (data flow diagrams in a bank??)

And yes, rants!


We would not have founded an open-source clearinghouse for snort signatures . . . bleedingsnort.com . . . without the drive and vision of Matt Jonkman, who came to us when we bought Paradigm Shift Security. And we lost Matt to bleedingsnort.com, for good reasons, as he was able to talk federal agencies, and other such powerful forces, into taking it “big time”. It became bleedingedge.com, then emergingthreats.com.  And we still get our sigs for free!

And while Matt Jonkman was writing signatures, I was writing policies and articles to explain those policies. While TJ Deckard was showing us big data tactics, I was philosophizing about the subprocesses of awareness training. Bank trade magazines needed articles about security, and we needed to learn about the amazing industry. Thank you, bank associations, and the likes of Joe Dehaven, Laurie Rees, Michelle Crume and Susan Poling.

And then there was 04/01/2023 through 04/08/2024 . . . the year I wrote an article every week for 53 weeks. (Yes, 53! I had to go the 53rd week because I cheated in week 22, and had ChatGPT summarize a long article. It was a metaphor, darn it!) Matt Jolley, our current CyberPoet, understands metaphors. His is Sisyphus . . . he has been pushing the article review and state-law inventory up the infotex blog hill, without complaint, for a decade now.

If you clicked on the link to The American Monkey Trap, you probably frowned, because it was written back in 2016, when we still wrote long articles. (Like this one.)  But some people read the whole thing. All 2,500 words! And a surprising number of people have since talked to me about the article, after the fact, confessing their own addiction to technology . . . their own brushes with death. Reflective and full of confessions, AMT was one of my first public rants, something I’ve since learned is appreciated by some of my readers.

So let me declare that this article . . . Banana Trap Too . . . an article about an article . . . is my own version of standing before the panel — Judgement City . . . not to defend my life, or even my career. Not even to defend the notion of writing an article about an article.

I write Monkey Trap Too to defend the most profound choice I made in my career.  And I made it without realizing how profound it was.  I made it on September 12th, 2001, when I realized that . . .


Awareness is 9/11s of the Battle.

When on 9/11/2001, we canceled a workshop on HIPAA Security, I noticed we were far more secure on 09/12 than we were on 09/10. And only one thing had happened: we became aware.

We became aware of the threats, of our vulnerabilities, of the impact severity and of the likelihood. Awareness alone had provided about 9/11’s of the security we enjoyed on September 12th, 2001.

That was my profound choice. I built my work on the proposition that awareness served as the fundamental principle of information security.

But it wasn’t just a principle — it was a practice. A process. A cycle. A rhythm.

A way of being.

And over time, it became a praxis – when an idea stops being theory, and starts being a habit. It’s something I notice Michael Hartke pointing out. Most cybersecurity practices start as theories that we practitioners put into play. Sure, the whole world puts them into play at the same time . . . I’m not saying we invented IPS . . . we just realized that some of the signatures we were using in IDS were predictable, and said, “what if we put them on a sensor in front of the firewall.” A few years later, the big boys were calling that IPS.  We ran into this at Videoland – we invented used preorders, not Blockbuster.


You might have wondered, “Nine eleven? Why didn’t Dan write about the day we started infotex as his big day?”

Though 07/24/2000 was an important day . . . I mean, I’m writing this really long article because of it . . . the decision to start infotex was more Stacey’s achievement, than mine. She didn’t care how much we made back then, as long as I liked my job. So I turned down a six figure offer to start infotex.

It actually wasn’t until Stacey helped us buy out my three CPA partners (thanks to risk mitigation the Small Business Administration) that she started holding our feet to the fire, thank goodness.  My partners actually sold the company to somebody else, but Stacey said “that’s already happened to you once in your career,” went into action, and we wrangled that back.  That was when we met Eddie Pluhar, the accountant who was patient enough to teach me how to read a balance sheet.

Then Stacey saw the books.  And she put her foot down.  That was when we started showing a profit, and growing that profit. For that, we are all very grateful!


So while Stacey was making sure we could make payroll, and while Sean Waugh was developing network configuration audits, and Jason Rubsam was holding our infrastructure together with “duct tapes and rubber bands,” as he would say, I was preaching the nontechnical control of awareness training. I would find myself hiding under board-room tables, as we tried to sell people on the importance of awareness training with social engineering services. To illustrate how easy it was to coax information out of unaware bankers, we invented pretext calling, first developed by my friend, Bill Arnold, who taught much more than social engineering.  In fact, Bill has a degree in philosophy and a masters degree in artificial intelligence, so how could he NOT evolve into my favorite breakfast friend!

Do I have to defend my decision to carry the banner of awareness now?  No. We succeeded!  Awareness is an accepted subsystem of information security.  But in the beginning, I defended awareness . . . again and again and again.

“Awareness is not optional,” I would say. “Awareness is the battle. Awareness greases the machinery of safety.  It turns frighten to enlighten.”

“Awareness is 9/11’s of the battle” became the motto of the CyberPoet. The first 9/11 of managing risk, of protecting people and organizations, is awareness.

Then the younger people became too young to remember what it was like, the day after September 11th.


Antithetical to awareness was the rise of social media, sold as a way for us to be more aware.

“The American Monkey Trap” bemoaned technology’s hypnotic effect on us. By the time I wrote it, in 2016, social media had destroyed data integrity. We complained incessantly about our technology, allowed it to create unnecessary risks, and yet we continued to use it.

Were we aware that we were doing that?

You may remember the story of the “Indian Monkey Trap.” The trap is simple: place a banana inside a box with a hole just large enough for the monkey to reach through — unless it has a banana in it. The monkey grabs the banana, but with its fist clenched around it, the hand can no longer fit back through the hole. The monkey is trapped — not by force, but by its unwillingness to let go.

The deeper truth: the monkey isn’t really trapped by the box. It’s trapped by its lack of awareness. If it could pause long enough to see the bigger picture — to realize that this banana is bait, part of a trap — it would simply let go, and free itself. No heroics required.

Just awareness.

In my view, that’s the position we’re all in — with technology, with risk, with life. Whether we’re reaching for the latest AI tool, the newest IoT gadget, or our smartphone while driving, the question is always the same: are we aware of the trap?

When I first wrote “The American Monkey Trap”, the metaphor seemed obvious: we often hold onto faulty, risky, or even broken technology simply because it’s familiar — and because we don’t realize we can just let go. 

Probably because it was also a confession.

I wrote AMT just a few years after my own hard lesson in letting go. Some of you know this story. (You read the article!) Years ago, I was driving on a familiar road — too familiar, in fact. I thought I could safely juggle a phone call while driving. One small distraction later, I ended up in a car accident. Like Albert Brooks’s character in “Defending Your Life,” I was unaware.

In that moment, I wasn’t seeing the trap.

And three people could have died.


What I didn’t write in that dark section, and I’m ready to now, is that as I sat in the car, heart racing, the first three things that came to my mind were: Stacey, Dani, and Jacki.

And then: Sean, Michael, and Chad.

SMaC is now 14 people, fourteen amazing people we now call, “The Team.”  To them, most thanks!


That experience changed my personal “Road Rules” forever. And now, with the evolution of in-car AI, digital dashboards, and all sorts of “helpful” technologies, it’s time to evolve the rule, too.

It’s different for everybody. You need your own rules. Your own Road Stack. (i.e. Security Stack)

The Road Stack starts with . . . as Jon Waldman would suggest . . . a risk assessment. Maybe a few questions: Do you participate in meetings while driving? Long trips or short trips? Do you realize it’s the short trips where most accidents occur? Do you rely on the “I’m Not Driving” control, or do you bypass it? Do you turn your phone to Do Not Disturb, or do you take calls? Do you initiate calls? When and where?

Personally, I don’t like answering calls. Even with my phone right in front of me. Not because answering the call will distract me, but because unplanned calls are rarely worth the risk (unless they are from Clients, of course).

I certainly don’t reply to texts. I don’t even receive them.

I try REALLY HARD to avoid meetings while driving. But in the age of the American Monkey Trap, that is not always possible. My Road Stack is about accepting risk as much as avoiding or mitigating risk.

So I PULL OVER. Better yet: I time my trip so that I’m at the gas station when the meeting begins.

But I admit, sometimes I will keep the meeting going with my phone on the car mount that I still have. I mean let’s face it, I still end up behind schedule, like everyone else. If you are not careful, pulling over raises as much risk as carefully answering a call or joining that meeting.

But this is important: when I violate my Road Stack: I AM AWARE OF THE RISK I AM TAKING. That’s why I have Road Rules. Awareness. It makes me more careful. And I have not ended up on the side of the road, like the almost end of “The American Monkey Trap.”


The Almost End.


What we do on the road mirrors what we must do in the rest of our digital lives. With AI, with IoT, with every glowing screen that tempts us — the first battle is the battle for awareness. It’s the same monkey trap. The banana just looks different.

Since I first wrote “The American Monkey Trap,” the bananas have literally gotten smarter — and in many cases, they’ve gone invisible. Today, one of the most pressing risks banks face, isn’t just bad tech, it’s unseen tech. Tools and services that creep in without formal vetting or visibility. We call this shadow IT, but now it has evolved into shadow AI and shadow IoT — artificial intelligence models and internet-connected devices introduced without proper oversight, configuration, or governance. And the trap? These tools often feel helpful. They solve a problem. They get adopted quietly. And by the time someone notices, it’s too late — the data’s already exposed, the system’s already compromised.

This is where awareness must scale. Not only in direction but also sophistication. It’s why I’m proud we will be offering rogue-application detection in our SIEM. It’s going to help our Clients find the bananas in their network.

And let go of them.

Personal awareness is one thing. But institutional awareness — awareness at the scale of a network, an enterprise, or a supply chain — requires tools. A way to measure risk, spot the shadows, and shed light on what we didn’t know we didn’t know.

Triguard has helped us detect rogue smart devices quietly added to office networks, and through the help of EDR we can identify unapproved AI tools lurking in browser extensions, and outbound data flows that didn’t belong. Triguard turned the invisible into the observable. It let us become aware — and then act.


Probably because of how important writing is to me, I ask people about my articles, to hear the good and bad about my blog.

Some look scared, and I’ve learned how to let them off the hook. I get it. Not all of us are readers, and those of us who are have to prioritize what we read, especially in the age of the monkey trap. My blog is a banana that some must let go.

Others reach out to me to say they like my work, and if I have time, I will engage with them. That’s how I became such close friends with Roger Chalkley. He and Larry Turner and Kenny Underhill have left this world, and I cannot end an article about my career without a tribute to how much I have learned from these three people.

Kenny Underhill, from Videoland, would always question my decisions . . . and everybody knows how much I loved him for it. Roger and Larry would always encourage me to write and speak and create. They loved my rants.

And you know, they’re the only two Clients I’m going to refer to in this post, because if I had to list the Clients I’m grateful for, I’d have to list them all.  We learn from every Client, and we are of course grateful for their business.  But Dennis Teague is no longer a Client, and he knows why I am grateful to him, above and beyond the lessons we learned from him while he was a Client.  He taught me one of the most important lessons of my life, when he encouraged me to reconcile with my Dad.  And thus, before he left us, my Dad finally realized what I did for a living and, realizing that I was helping the George Baileys compete with the Mr. Potters of this world, he was proud of me.

But a very small few of my readers have expressed concern about those rants . . . they worry I look like the proverbial old man yelling at clouds. And I am most grateful to them because they “bowdlerize” my work.

Gee: So not only does technology no longer have to work, but those of us who rant about it are seen as ____________ ??  I should probably make sure Nate Harrell is okay with whatever word I choose to end that sentence. Nate’s another teacher in my life, and he’s taught us all, using his own metaphors!  We even went to a workshop put on by an expert “from more than 50 miles away,” to tell us everything Nate had been telling us . . .

But I have to believe my readers come to my blog because they like my rants! If you are still reading this, you are one of those people. I am most grateful to you.

The main purpose of Dan’s New Leaf – awareness – manifested whether I was helping a bank respond to a new regulation, or an incident. Whether I was training staff on modem banks, phishing emails, or voice cloning.

Whether I was reviewing audit evidence, deploying a SIEM, or training the team to run the company . . . the real goal was always the same: help people become aware.

See the trap. Name the banana. And then, when it’s time . . .


Let go of the banana.


I’m even grateful for probably the worst article I wrote . . . answering a burning question in 2008. My article on what to do about people in the bank wanting to log into that new application, Facebook.

And guess what: social media wasn’t a passing fad.

I’m grateful because those who think AI is a buzzword, and not a risk, can heed my hard lesson!

“People” are writing and sending emails without even reading them. We’ve gone from not using our “car phones” to call Clients, for fear we’d “hang up on them”, to sending emails without even reading them. I mean, think of our Road Stack ten years from now. It won’t even be us who could become distracted.

Deep fakes are just the buzzword risk. The real risk is we don’t know how these neural networks work.

And the big boys are once again bolting it on, not building it in.

How addicted will we become to their next generation cyber-opium? Are we as a culture holding onto an inevitable banana?

Which brings me to another banana I have been holding . . .


Retirement.


It’s full of bananas — habits, routines, titles . . . being “in the loop.” Some of these bananas, I’ll have to release. That’s part of the deal. Letting go the work, the calendar, the inbox.  Letting go being the guy YOU call, when you’re not sure what just happened.

But I hope to keep some things going. Coaching Michael. GuitarZan Day (a tradition my friends Al Fullerton, Doug Goss, and Phil Schroeder maintain).

This blog.

And there’s one banana I hope I never let go: Awareness. That quiet, grounding sense of what’s happening around me — in the moment, in the system, in the Self.

Because awareness isn’t just what kept me useful in this field. It’s what will keep me safe in retirement. With awareness, I’ll notice the continued success and growth of the infotex team, the warning signs on a walk, and the metrics my doctors preach.

With awareness I’ll also see the beauty in a day, the grin on my grandson’s face, the subtext in a conversation, the curve in Stacey’s smile, and the gratitude in my voice.

Original article by Dan Hadaway CRISC CISA CISM. Founder and Information Architect, infotex


Dan’s New Leaf – a fun blog to inspire thought in  IT Governance.
