Skip to main content
Lora Vaughn
Hero image for Feats of Endurance and Stupidity: What Running in Circles Teaches Us About Cybersecurity

Feats of Endurance and Stupidity: What Running in Circles Teaches Us About Cybersecurity


cybersecurity leadership incident-response resilience

My husband is currently running something called The Endless Mile this weekend. He’s doing the 72-hour option. Which sounds insane until you learn he once did a 144-hour race and completed 500k (311 miles). Suddenly 72 hours seems almost… reasonable?

This is the thought process of someone who has broken their brain with endurance events.

For those unfamiliar with this particular brand of madness, you pick your timeframe (6, 12, 24, 48, or 72 hours) and run as many laps as humanly possible around a 1.00203-mile loop. That’s it. Just keep running in circles until time’s up. People travel to our little corner of Alabama from all over the country. To walk around in circles. For days.

The prize if you complete 100 miles? A belt buckle.

I joke that this event is feats of endurance and stupidity in equal measure.

And sometimes that’s exactly what cybersecurity feels like.

Always Moving, Never Done

We’re always running. Sometimes it feels like circles.

Patch Tuesday becomes Patch Every Day. We close one vulnerability, three more appear. We train users on phishing, attackers get better at phishing. We implement a control, someone finds a workaround.

The clock is always running. The work is never finished.

And we might be crazy. At least that’s what people tell me when they say they wouldn’t want my job.

You’re Racing the Clock, Not the Competition

Here’s what makes the Endless Mile different from a typical race. You’re not trying to beat other runners. You’re trying to beat time itself. How much can you accomplish before the clock runs out?

Sound familiar?

That’s every sprint planning meeting. Every board presentation. Every audit cycle. Every quarter when executives ask what we’ve accomplished with the security budget.

We’re not competing with other companies’ security programs. We’re racing our own clock. How much risk can we reduce before the next incident? How mature can we get the program before the acquisition? How ready can we be before the audit?

The competition is time, and time always wins eventually. The question is: how much can you get done before it does?

Training for Deteriorating Conditions

Watching my husband prep for this event, I noticed something. He’s not training to run one perfect mile. He’s training to keep moving when everything hurts and every instinct says to stop.

How do you maintain pace in hour 28 or 48? What’s your fueling strategy when you’re nauseated? How do you keep your form when you’re exhausted?

That’s incident response. That’s managing a security program during hypergrowth. That’s being a CISO when everything’s on fire and the board wants answers.

You’re not optimizing for peak performance on fresh legs. You’re optimizing for grinding out miles when conditions suck.

The Mental Game

The Endless Mile isn’t really about physical fitness. Sure, you need baseline conditioning. But the real challenge is mental.

Can you keep going when it would be easier to stop? Can you make good decisions when you’re exhausted? Can you stick to your strategy when every instinct says to change it?

Security is the same mental game.

Do we panic and implement knee-jerk controls after an incident, or do we stick to our risk framework?

Do we abandon our architecture when executives want faster results, or do we hold the line on what actually works?

Do we keep going when budget gets cut, the team is understaffed, and nobody seems to understand why security matters?

The technical skills get you in the game. The mental game determines if you last.

The Discipline of Repetition

Here’s what most people don’t understand about the Endless Mile: it’s not one long run. It’s dozens of individual miles, each one a separate decision to keep going for one more lap instead of stopping at your tent.

Security programs work the same way. It’s not one heroic effort. It’s showing up every day and doing the work:

Review the alerts. Again. Update the documentation. Again. Explain risk to executives. Again. Train users on the same threats. Again. Test the IR plan. Again.

The discipline isn’t in doing it once. It’s in doing it consistently when nobody’s watching and nothing’s on fire.

When Endurance Meets Strategy

My husband isn’t just running until he drops. He has a strategy: pacing, nutrition, rest intervals, mental checkpoints.

Good security programs have strategy too. You can’t just grind harder. You need:

Sustainable pace: You can’t run every initiative at maximum urgency. Some things can wait. Not everything is a crisis. I’ll say it again for anyone who may have missed it:

When everything is critical, NOTHING is critical.

Recovery intervals: Build slack into the system. Your team needs time to think, plan, and breathe between incidents.

Mental checkpoints: Regular retrospectives. What’s working? What’s not? Are we still running toward something meaningful or just running?

Know when to stop: Sometimes the right move is to stop doing something that isn’t working. Not every mile needs to be run.

The Visible Progress Paradox

Here’s the thing about running in circles for 72 hours: your progress is extremely visible. Every lap gets recorded. You can see exactly how many miles you’ve covered. Your pace per lap. Your total distance.

Security is the opposite. Most of our work is invisible.

How do you measure “prevented incidents”? How do you quantify “the attack that didn’t happen because we had the right controls”? How do you show the board that those 1,000 hours of work resulted in… nothing bad happening?

We’re running laps every day, but nobody sees the miles. They only notice when we stop running and something breaks.

Maybe that’s why I respect the Endless Mile. The work is visible. The results are undeniable. When time’s up, your distance speaks for itself.

In security, we keep running laps most people never see. But we know. We know how many miles we’ve covered. How many incidents we prevented. How much better the program is than when we started.

And sometimes, that has to be enough.

The People Who Think We’re Crazy

They’re probably right.

Nobody gets into cybersecurity for the predictable 9-to-5. Nobody signs up for the Endless Mile expecting it to be comfortable.

We do it because we’re wired for this specific kind of challenge. The kind that requires endurance, discipline, and a slightly concerning willingness to keep going when rational people would quit.

So yeah, it’s feats of endurance and stupidity.

But mostly endurance.

And if you’re going to be in cybersecurity long-term, you better learn to love the loop. Because the clock never stops. The threats never stop. The work never stops.

The question is: how many miles can you cover before time runs out?

Currently available for CISO and Head of Security roles (full-time or fractional). If your organization needs someone who understands that security is a race against time and knows how to pace for the long haul, let’s connect on LinkedIn.

Good luck to everyone running the Endless Mile this weekend. May your legs hold up, your strategy work, and your stubbornness exceed your common sense.

Lora Vaughn - Cybersecurity speaker and executive headshot