Judo or Sumo? What's the best martial art for Security?
An amazing way to understand how security has to interact with IT and Engineering is the Sumo vs. Judo dichotomy highlighted by Todd Barnum in his book, The Cybersecurity Manager's Guide.
Sumo: Pushing your way to "make things right"
We often think about security through one lens. Namely:
Security is right. Security is good. More security is better.
These fundamental truths underpin all discussions about information security. Of course... they are true in a vacuum but contextually false.
If you have that approach, you will focus on having a robust set of controls because... "they don't get security", "they don't want to include security requirements", "they bypass our controls".
We are in opposition mode, not in cooperation mode. We know better, they don't know, they don't understand the gravity or the impact, we need to enforce controls.
In a Sumo approach, you win when you've pushed the other out of the ring, meaning it's a win-lose, meaning either you or "them" lost.
One time IT/Engineering wins, one time Security wins.
Judo: Using momentum and leverage to improve our posture
Your company probably has Security champions. You might often have coffee breaks (or Slack back-and-forth) with some people from IT or Engineering. Maybe
For all of the controls already handled by IT, don't push back or say they're implemented the wrong way or aren't state-of-the-art. The important thing here is that if security is practiced one way or another, you have to use that momentum to go further, not create a plan to redo everything from scratch the right way.
Judo is all about relationships: you can only leverage the weight that is pulled towards you. You need people to be comfortable talking, dealing and working with you. So... improving your security outcomes ends up once again with establishing strong relationships based on trust and understanding.
Each time Security/IT/Engineering wins, but differently than what you expected.
Why GRC has to grapple its way to Sumo outcomes
In GRC, you think you have a great entry point because Compliance is Sumo.
You have compliance and regulatory requirements that have to be fulfilled. Meaning these are mandatory and critical for the business.
The issue is that if you choose the Sumo way, your relationship will not be sustainable. You'll (probably) get what you want once, but then you'll face massive challenges:
What would be a Judo approach?
Be interested in how they do security. How are the overall objectives of the compliance clauses fulfilled by your engineering colleagues? Can we translate this properly to ISO/SOC requirements?
Talk with them, leverage what they are already doing, capitalise on their accomplishments.
Kind regards,