February 13, 2019

From the Dojo to the SOC

By Ray Pompon

Over the years, I’ve seen articles comparing cybersecurity to martial arts, so I’ve been reluctant to write one. I’ll be the first to admit, I'm no Jeremiah Grossman, black belt in Brazilian Jiu-Jitsu, but I have done martial arts on and off since I was in elementary school. Now that my son has begun that same journey and after observing his classes, I feel I can share some of the lessons that I carried forward from the dojo to my career in cybersecurity.

Most of what I studied was Aikido, which is purely defensive and reactive—there are no attacking moves. It’s all about redirecting or neutralizing an attacker, which is the same position most of us face in cybersecurity. I was also trained to deal with asymmetrical attacks: unarmed and armed opponents, singularly and in groups, sometimes in fixed attack patterns and other times random. This, too, is like cybersecurity. So where do I see the useful parallels?

Preparation

Before you even show up to practice, you need to be prepared. What’s interesting is that my son’s school gave him two private lessons on the basics of etiquette, expectations, and basic techniques. More of this would come later in the full class, but I can see how this set him up to succeed the first time he stepped into the dojo. To practice martial arts you need to be prepared with the right equipment like pads, gloves, and a uniform, but the mental preparation is more important. Clarity of purpose and proper focus are musts. Most importantly, you must have respect for the work and your opponents. In martial arts, as in cybersecurity, your opponents can hurt you, but they are also your teachers. You need to appreciate when an attacker slips a block and pins you to the floor. In doing so, they’ve taught you something about your own capabilities as well as theirs. Such is true in cybersecurity, though the trick is not letting the security incident be so devastating that it cripples you. Which leads to my next point.

Before You Punch, Learn to Take a Punch

A quarter or more of every martial arts class I’ve taken is spent in warmups. For me, that warmup included lots of practice learning to lose gracefully. We practiced landing safely from dangerous throws, falls, and spins. We learned how to safely handle grapples, joint locks, and blows. Sometimes we even had entire classes dedicated to practicing our falls and dodging strikes. As our sensei said, the first priority is to get out of the way. The second is to block. When that fails, you need to be able to get back up fast and be ready for the next strike. What better encapsulation of the concept of Assume Breach and resiliency is there?

Stance

There is a saying in martial arts: When you step beyond your own gate, you face a million enemies. The same is true in cybersecurity. One of the first lessons you learn is stance and positioning. You want to be balanced yet able to move quickly—and most importantly, away from danger. This is a concept called maai (pronounced ma-eye) which refers to the critical distance between you and your opponents. You have good maai when an attacker needs to take a step forward in order to grab, punch, or kick you. In cybersecurity, we adopt the same principle with firewalls, intrusion detection, load monitoring, and threat intelligence. We need to keep an eye out for attackers and be ready to react when we see them move aggressively.

I also recall hours of practice just learning to hold a sword properly. The sensei would walk behind the line of us in position, pushing each on the back. Those who were off balance fell embarrassingly onto our faces while our master tut-tutted. A solid stance, whether with a weapon or in open hands, is something that takes both knowledge and practice. Just standing, unaware and off balance, is an invitation to get yourself tossed onto the mats. The same is true in cybersecurity.

Practice

My sensei taught me the secret of how one gets a black belt. He told me everyone begins with a white belt and over the years, when your sweat has stained the belt enough, it will be black. “That is simply all it takes,” he added with a smile.

So we practice our katas, our techniques, day after day until we don’t even have to think about them. Until we cannot possibly get them wrong because they are as ingrained in us as riding a bicycle or swimming. In cybersecurity, we have our defensive practices and controls and they, too, must be executed flawlessly, every time. When they aren’t, we will get kicked in the gut. When we introduce a new control, we need to make sure it’s learned properly and practiced relentlessly. Calamity springs from carelessness.

Hands-on Action

What good are techniques if they don’t work in the real world? Since martial artists aren’t in the habit of running around picking fights, what do we do? We spar with our fellow students and test out skills against each other. We perform our techniques in front of our sensei so they can judge the correctness of our forms. In this way, we gain rank and achievement. In cybersecurity, we have our own special sparring partners: our red teams and penetration testers. Like sparring partners, they are there to make sure we are bringing our best game to the table. They help us learn to take a punch and recognize where our techniques are weak. And our auditors observe and evaluate how clean our techniques are. All are critical to our improvement.

Growth

In most dojos, part of the responsibility of becoming a black belt entails an obligation to become an instructor, as well. We have mentors and seek wisdom from them, and we become mentors to others to pass on what we have learned. This is just as vital in the cybersecurity world as it is in the dojo. Learn and teach, always.

Even when one has attained the highest status, there is always something to learn. My sensei warned me that there will always be someone better. We know that is true in cybersecurity, too. In fact, some martial arts schools claim that you do not truly begin learning until you have achieved your black belt. I feel that is so true for me in my cybersecurity career. Even after decades in the field, dozens of security roles, and many certifications, I feel I am only now ready to begin my education.
