Over the course of my career, it has become clear to me that Japan's national sport offers a perfect analogy for the current state of information security.
I will begin with a bit of background for those unfamiliar with Sumo. It dates back to the Tumulus period from AD 250 to AD 552 as part of Shinto rituals. Modern Sumo rituals were first seen in the 17th century and are very similar to what you would see at a sumo match today.
Sumo matches are steeped in Shinto symbolism, including intense purification rituals. The sand that covers the clay ring, the "dohyo", is a symbol of purity. The canopy above the dohyo is styled to look like a Shinto shrine. Other symbols include the tassels on the canopy, the purple bunting around the roof, even the referee's robes. A lot of what we call sumo is actually Shinto ritual, and very little of it is concerned with wrestling or grappling.
Training is also very ritualistic. All wrestlers, called "rikishi", are ranked in classes. During training, the higher classes teach the lower through example, without a documented sequence of movements, or "kata". The lower classes learn through observation while waiting on and serving the higher classes. Sumo matches are extremely short and violent grappling bouts in which a tremendous amount of energy is expended in an attempt to push one's opponent out of the ring.
Information security, as practiced by most of us, is like sumo in many ways.
It is a highly ritualised affair that ultimately provides little or no improvement to the security of an organisation.
I have yet to find a single paper or book that does a good job of describing how information security should be practiced or how it can be efficiently achieved. We know how to do infosecurity because we have paid our dues and learned it on the job by watching what the "masters" before us did.
And most tragically, when we get down to doing some serious information security work, we expend huge financial and human resources to defend against the bad guys. Unfortunately, this often has the unintentional outcome of irritating our colleagues and business partners, slowing down projects and not improving security much, if at all.
I cannot count the number of times I have heard myself or other information security practitioners complain about how hard it is to improve security. The customers do not want it or understand it. Management does not want to pay for it, and when we actually install something to improve security, the users bypass it. Nonetheless, we continue to spend time and money on the same old security projects and initiatives, while the organisations we represent receive very little improvement to their security posture. As the line often attributed to Albert Einstein puts it, "The definition of insanity is doing the same thing over and over again and expecting different results."
I propose that there is a much better way to improve the overall security of our organisations, and unlike Sumo, it is efficient with a well-defined "kata" or doctrine. To continue the martial arts theme, effective and efficient information security is attainable with the application of Judo's philosophy of maximum efficiency for mutual welfare and benefit.
Judo, more precisely the Kodokan, was founded in 1882 by Jigoro Kano as a derivative of Jujitsu. The mantra of Judo is to move your opponent into a position of instability while keeping yourself in a position of maximum stability and maintaining maximum efficiency throughout the match.
Information security Judo relies on the consistent and thoughtful application of some simple principles and a well-defined path to follow. First and foremost is the principle that effective, long-lasting information security improvement is accomplished by using efficient communication and demonstration of mutual benefit. This is the antithesis of Sumo, in which might makes right. Second is that effective information security requires endurance. Lastly, observe, consider, plan and act with the endgame in mind.
Information security Judo does not rely on word of mouth or on-the-job training to pass along how it is done. The following is a "kata" for effectively and efficiently securing any organisation using information security Judo.
The information security Judo kata
1. Know your organisation and align with it quickly
It is unwise to implement controls required in a government or financial setting at a university. Spend the time to understand the risk tolerance of your organisation and build information security commensurate with that tolerance.
2. Write a charter that states that everyone is responsible for protecting the organisation and get senior management to bless and support it
Do not underestimate the power of a one-page charter that enumerates your team's responsibilities and those of all staff. You will be surprised at how fast project managers and administrators get in step when they are ultimately responsible for the security breach caused by their choices.
3. Relationships are the most important thing
Information security Sumo fosters bad relationships that will kill an information security group, and it will guarantee poor co-operation during security events.
4. Communicate clearly, concisely and often
In science, an event did not happen if you did not write it down. In an organisation, the same is true if you do not tell people about it.
5. Spend 70% of your staff and budget on awareness and training for all staff
A custom training curriculum for administrators, general staff, managers and executives is cheap when compared with the benefit to the company. You can measure your effectiveness through social engineering tests such as fake phishing scams and vulnerability testing.
6. Train the organisation's IT staff in the ways of information security
If you and your team are gatekeepers on how to do things securely, you will never have enough people to do a good job and you will always be perceived as roadblocks. On the other hand, if you train the organisation, they will come to you demanding better security.
7. Delegate information security responsibilities to IT
A distributed governance model means that everyone involved owns a little bit of the responsibility for protecting your organisation.
8. Build an extended security team staffed with IT administrators and line managers
Have them review information security policies, procedures and the thorny issues that impact them.
9. Maximize efficiency
Focus on initiatives where the amount of effort is small compared to the overall benefit to the company.
10. Work yourself and your team out of a job
If you master this kata, your organisation will become a true self-defending network. You can measure this by measuring how well your general staff answer two simple questions: what is a security threat and who should they contact if they notice one?
Mastering information security Judo requires a willingness to put aside the conventional wisdom on how to defend an organisation. Do not take my word as gospel, though. Consider the kata and then take a look at your day-to-day activities. Are you really improving the overall information security posture of your organisation, or are you living up to Einstein's definition of insanity?
That kind of evaluation is how I came to understand the terminal flaw in the Sumo approach. I was up late one night raging about an ongoing battle that my information security team was fighting with an IT group when I read a short article on incident response that struck a chord so pure that it shattered my preconceived ideas about information security. The writer simply stated that an incident handler would fail if the people in IT distrust, dislike or despise them. I could not argue. In fact, it remained true when applied to every aspect of information security. It became clear to me that information security Sumo invariably led me into the path of an oncoming freight train or the middle of a minefield. Well, I could not just put the cat back into the bag, so I began looking for an alternative. The kata of information security Judo was not the product of profound inspiration; it has been assembled through trial and error, with many false starts and much pain and anguish.
This article is not intended to be an exhaustive treatise on information security Judo, so I will spare you the lengthy list of comparative examples between Sumo and Judo. Instead, I will give you one example of how to address a common issue by following the kata of information security Judo.
How many times have you heard about, seen or been involved in a heated discussion between the information security team and customers in response to an outage caused by a vulnerability scan? I bet it went something like this: the administrator is beyond angry after spending six hours troubleshooting the problem while the customers screamed bloody murder and escalated the issue. Then, in the end, they discovered that the outage was caused by an unannounced network vulnerability scan. The match ends with the information security Sumo champion emitting a deafening shout:
"Consider yourself lucky that we found that serious vulnerability in your service. Imagine how bad it would have been if an evil hacker did what we did."
"If your service had been patched and configured properly, it would not have crashed when we scanned it."
Ending with the coup de grace:
"Now go away and do not bother me until you have fixed your application so it does not crash when we scan it."
I know this happens all the time because in chatting with friends, colleagues and associates in the industry, they too have heard, seen or participated in this drama. To be honest, I was once a true believer in the martial art of "Kiai" and its effectiveness in startling and demoralising my opponents.
Information security Judo applied to vulnerability testing:
Step 1: Stop the scanning
Step 2: Assemble an extended information security team
Step 3: Prove to the team that, though dangerous, there is value in knowing what is vulnerable
Step 4: Implement a vulnerability assessment tool that administrators can use on their systems
Step 5: Teach them how to use the tool effectively
Step 6: Collaborate with the team to write a policy on how to test, announce and conduct scans
Step 7: Have the team approve and sign the policy
Step 8: Have the team present, promote and gain approval for the policy with senior management
Step 9: Follow the policy
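Steps 6 through 9 are easier to follow when the policy is something a scanner can refuse to violate rather than a document nobody re-reads. The example below is added here to illustrate that point; it is not the author's tooling or any product's code. It encodes a hypothetical policy of the kind step 6 produces, with three assumed rules: a scan may only target hosts inside an approved scope, only inside a maintenance window the owning administrator agreed to, and only after it was announced in advance. The owner, networks, times and notice period are all constructed for the illustration, and the nmap options are my conservative choice, not something the article prescribes.

```python
"""Pre-flight authorization for an announced vulnerability scan.

Added example, not the author's own tooling. It encodes a hypothetical
scan policy of the kind step 6 produces: a scan may only run against
targets inside an approved scope, only inside a maintenance window the
owning administrator agreed to, and only if it was announced in advance.
All names, networks and timings below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
import ipaddress


@dataclass
class ScanWindow:
    owner: str          # administrator who agreed to be scanned in this window
    start: datetime
    end: datetime
    networks: list      # CIDR strings this owner is responsible for


@dataclass
class ScanRequest:
    requester: str
    targets: list       # IP addresses or CIDRs to scan
    announced_at: datetime
    planned_start: datetime


MIN_NOTICE = timedelta(hours=24)   # assumed policy value: announce a day ahead


def window_for(target, windows):
    """Return the ScanWindow whose scope contains target, or None."""
    net = ipaddress.ip_network(target, strict=False)
    for w in windows:
        for cidr in w.networks:
            scope = ipaddress.ip_network(cidr)
            if scope.version == net.version and net.subnet_of(scope):
                return w
    return None


def authorize(request, windows, min_notice=MIN_NOTICE):
    """Check a request against the policy; return (ok, list_of_reasons).

    Every target must fall inside an approved scope, the planned start must
    lie inside that scope's agreed window, and notice must be long enough.
    """
    reasons = []
    for target in request.targets:
        w = window_for(target, windows)
        if w is None:
            reasons.append(f"{target}: not inside any approved scope")
        elif not (w.start <= request.planned_start < w.end):
            reasons.append(f"{target}: planned start outside {w.owner}'s window")
    if request.planned_start - request.announced_at < min_notice:
        reasons.append("announced less than the required notice before the scan")
    return (not reasons, reasons)


def build_command(request):
    """nmap argv for an authorized scan, deliberately conservative:
    service detection only, polite timing, rate-limited, and only scripts
    in nmap's 'safe' category (no exploit or DoS scripts)."""
    stamp = request.planned_start.strftime("%Y%m%d-%H%M")
    return ["nmap", "-sV", "-T2", "--max-rate", "50", "--script", "safe",
            "-oA", f"scan-{request.requester}-{stamp}", *request.targets]


# Constructed sample data: one owner, one agreed window on their /16.
WINDOWS = [
    ScanWindow("web-team", datetime(2024, 3, 2, 2, 0), datetime(2024, 3, 2, 6, 0),
               ["10.10.0.0/16"]),
]
GOOD_REQUEST = ScanRequest("secteam", ["10.10.4.20", "10.10.5.0/24"],
                           announced_at=datetime(2024, 3, 1, 0, 0),
                           planned_start=datetime(2024, 3, 2, 3, 0))
OUT_OF_SCOPE = ScanRequest("secteam", ["192.168.1.1"],
                           announced_at=datetime(2024, 3, 1, 0, 0),
                           planned_start=datetime(2024, 3, 2, 3, 0))
OUTSIDE_WINDOW = ScanRequest("secteam", ["10.10.4.20"],
                             announced_at=datetime(2024, 3, 1, 0, 0),
                             planned_start=datetime(2024, 3, 2, 8, 0))
SHORT_NOTICE = ScanRequest("secteam", ["10.10.4.20"],
                           announced_at=datetime(2024, 3, 2, 1, 0),
                           planned_start=datetime(2024, 3, 2, 3, 0))

if __name__ == "__main__":
    for name, req in [("good", GOOD_REQUEST), ("scope", OUT_OF_SCOPE),
                      ("window", OUTSIDE_WINDOW), ("notice", SHORT_NOTICE)]:
        ok, why = authorize(req, WINDOWS)
        print(name, "RUN" if ok else "REFUSED", why)
        if ok:
            print("  ", " ".join(build_command(req)))
```

The point of the wrapper is not the nmap flags but who holds the inputs: the windows and scopes come from the administrators on the extended team, so the check enforces an agreement they made rather than a restriction imposed on them. A refused scan produces a reason the requester can take back to the owner, which is the conversation steps 6 and 7 are meant to create; the conservative options only reduce, and do not eliminate, the chance that a fragile service still falls over.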
Though the Judo path does not eliminate the possibility of causing outages by scanning systems, it greatly reduces the negative impact on clients, administrators and management. It also gives the administrators some control over the security posture of their systems. This is information security Judo exemplified, and in my experience, it delivers tremendous success in the real world.
Special thanks to Todd Barnum for helping me find the path that led to information security Judo.
Ron Dilley leads an information security team at a Fortune 500 company