Many of you know I have practiced some form of martial arts for a significant amount of my adulthood. Approximately 18 months ago I started practicing Jiujitsu and I wish this had been the majority of my martial arts journey. Some may wonder why and the simple answer is Jiujitsu resonates with my cybersecurity career in that Jiujitsu is also all about risk management.
Up until recently, when people asked me what I enjoyed most about cybersecurity, I would answer that cybersecurity was very much like Star Trek’s Kobayashi Maru - the unwinnable scenario. Yet I have come to realize that isn’t really a fair statement. Cybersecurity has a lot in common with Jiujitsu. What the two have most in common is the controls we put in place to minimize the impact our adversary can have.
I asked Professor Kroyler Gracie (@kroylergraciejj) how to deploy risk management strategies in Jiujitsu while thinking about the cybersecurity practitioner. Here is what Kroyler had to say about risk management when implementing it within the art of Jiujitsu:
In a grappling or fighting situation it's essential that a control mechanism be implemented. Usually the best way to start building a control mechanism or a control system, is to force your opponent to behave predictably. This can be achieved by initiating an attack that will force your opponent to behave in a specific manner, and thus that behavior (which is predictable) can be punished. The punishment can be a further method of control that makes your opponent even more predictable by further restricting their choices.
Once they (the adversary) are predictable, and are operating with limited choices, it's pretty much guaranteed that your control system is now fully implemented and that you are destined to win. Conversely, the same can be done should they initiate the first move. Then it is imperative that our defense be solid, and that we launch an immediate counterattack forcing that predictable/expected behavior from our opponent. Counterattacks do not have to be offensive in nature; they can simply be regaining any lost ground in defense.
Now, let’s paraphrase Kroyler’s words above, replacing grappling or fighting with cybersecurity. With cybersecurity it is essential that controls be implemented. Usually the best way to start is by picking a framework (NIST, ISO, COBIT, etc.). The framework has a set of predetermined controls that, when implemented, help the cybersecurity practitioner predict how users, systems, and bad actors will act.
The next paragraph gets a little tricky when applied to cybersecurity, at least at first glance, but it really isn’t. Users, systems, and bad actors are predictable once our risk management framework has been, at least in part, implemented. You might be thinking that bad actors aren’t predictable, but they are. Bad actors are looking for vulnerabilities in our systems and in our behavior. They will find a weakness and, when able, attempt to exploit it.
The exploitation occurs when one of our controls has been weakened or completely fails. Very rarely will all controls fail simultaneously; therefore, if our risk management framework (our defensive system) is solid, we can quickly close the threat window that the bad actor seeks to exploit. Kroyler’s grandfather, Helio Gracie, has been famously quoted as saying, “If you do not lose, you can only win.” For myself and my team, I have changed the definition of winning in cybersecurity. The win is now how quickly we (in no particular order):
1. Identify the control weakness/failure;
2. Isolate/contain the bad actor;
3. Close the threat window;
4. Remediate the control weakness/failure; and
5. Evolve our risk posture to meet the business requirements.
I encourage everyone, but especially those in cybersecurity, to pick up the art of Jiujitsu. You will quickly learn the impact of not implementing a solid risk management framework. I hope to write more on the correlation of Jiujitsu and cybersecurity in the near future. Stay Tuned and keep rolling!