This post is fundamentally about humans and how they achieve goals. It is about defeating our tendencies when solving hard problems and pushing the boundaries of our performance. I call it the Universal Principle of Smoothness, but it is really about the fundamental aspects of any endeavor. It is a long post, so grab some coffee. What do the following things have in common:

  • Brazilian Jiu Jitsu
  • Mixed Martial Arts
  • Information Security

They all have a baseline set of fundamental principles that drive success, as defined by achieving specific outcomes. This post will dive into each and then tie it all together with some analogies for information security practitioners.

Brazilian Jiu Jitsu

Brazilian Jiu Jitsu (BJJ) is a grappling martial art that focuses on controlling an opponent’s body. Through controlling your opponent’s body you can put yourself into a dominant position that allows you to safely execute a joint lock or choking maneuver, with the end goal of incapacitating your opponent. In training, when you achieve such a move your opponent “taps out” indicating you have reached their threshold for a given move. Novice and experienced Jiu Jitsu practitioners alike will often fixate on the submission moves before first safely controlling their opponent. For more experienced practitioners this is often due to an intense battle that causes them to lose focus on the fundamentals. Novices just don’t know any better. The motto in BJJ is: “position over submission”. 

Everyone wants to win and get the submission. Maybe you can get lucky and focus on a more gimmicky submission where you didn’t quite have good position or control, but more often than not the player that focuses on the submission ends up losing whatever position they had earned and thus any possibility for a submission. However, when a player focuses on position the submission opportunities simply come into being, almost by magic. Dominant positions help the player create situations where their opponent has no good options. They must make a choice about how to react and this creates submission opportunities for the dominant player.

Lesson: Focus on your position and establishing dominance first, the goal (a submission) comes naturally from this fundamental approach.

Mixed Martial Arts

Mixed martial arts incorporate grappling. Everything written about BJJ in this article applies to the sport of Mixed Martial Arts (MMA). In MMA there is also striking: punching, kicking, elbows, and knees. In BJJ and MMA the ultimate goal is to find your opponent’s “off switch” and press it. In MMA you can choose submission or striking to achieve the goal, but we already talked about submissions. Knockouts are pretty simple. Rattle your opponent’s brain around in their skull or steal their equilibrium so they can no longer put up a defense. Listen to commentators or experts describe a fight. They can always see when a fighter is “loading up” on their strikes. Loading up means the fighter is putting all of their effort into a single strike to achieve the ultimate goal of a knockout. When they do this they rarely get the knockout. The commentators will tell you that, in striking, you must focus on the fundamentals: foot positioning, movement patterns, and throwing combinations of punches. Throwing one big punch or kick, especially when done at maximum force, is easier for an opponent to read and react to. Throwing a combination puts your opponent on the defensive and puts you in position to land a “power shot” within the combination. Power shots are how you knock people out and win.

Lesson: Focus on fundamentals and the end result you want is easier to achieve and happens as a consequence of focusing on the fundamentals. 

Information Security

So what are the fundamental forces of Information Security? Books could be written about this, but the primary lesson for organizations looking to achieve the end goal of reducing their information security risk is that it can’t be forced. In many cases there isn’t even a very good way to know whether you actually achieved the goal. In information security the best and most fundamental thing to focus on is a risk-driven, opportunity-cost-optimized approach to every security activity. Once the particulars of your organization’s risk are at least broadly understood, it is possible to focus on the fundamentals. Entire books have been written about them. Each domain in information security has its own fundamental activities. We can turn to the tried-and-true people, process, and technology triangle for a very broad starting point of domains. People need training. Processes need to be in place to ensure key security fundamentals happen and are gated in the right places. Technology must be implemented in a way that actually moves the needle.

In information security there is a two-fold problem: many of these fundamental principles are not obvious to leadership, and even when they are, they are hard to execute. What are these magical fundamentals? Remember, it still takes many years of dedicated practice to be able to execute these fundamentals in any sport or endeavor. But it is important, when learning and executing, to always keep an eye on these fundamental forces. In information security a great example might be an organization that struggles to patch its systems in a timely manner, but has just rolled out a new and expensive perimeter defense system. To make it simple:

  • People: Train them. Have the right people. Use experts.
  • Processes: Risk assessment and threat modeling, done at the right times and fundamentally respected by the organization.
  • Technology: Use it judiciously to support people and process, not as an end goal.

There is no easy answer. The fundamental principle of information security is “risk management”. That is how we achieve the goal of “security”. There is no rushing it. There is no magical product. There is no magical process. There is only risk management first. Everything in applied information security should be done as the result of a risk-based decision-making process. Without that understanding and fundamental approach we are not doing our best work as information security practitioners. Just like in BJJ, you can fixate on a submission and maybe you get it once in a while, but more often than not it is detrimental to the overall goal. Focus on the fundamental activities within your organization first.