A student and a jiu jitsu instructor are engaged in practice. Today’s lesson is the Kuzushi Principle. Its premise is to break an opponent’s balance in your favour. This is considered the most important component in order to succeed, especially in takedowns and sweeps. The technique also provides valuable augmentations to various aspects of engagement including submissions and escapes.
Generated by Dall-E
The instructor presents as a larger opponent to the student. It is, therefore, imperative that the student understands how to not only unbalance the instructor, but that they destroy any opportunity for their opponent to regain stability and the ability to go on the offense. This is a balancing act. One needs to understand the relationship between an opponent’s center of gravity and their base points. (1)
Based on Rener Gracie’s book, The 32 Principles of Ju-Jitsu, this is literally seek first to understand, then to be understood. When I read the statement and the table of contents, I had a light bulb moment.
In cyber-security, this is like security 101. Understand your stakeholders, customers, and dependencies before enforcing cybersecurity measures.
Generated by Dall-E
You can't go into your client’s space and just demand or expect them to understand you because they are not. They're not going to care that you have this order coming out. They're not going to care that you need log data. They're not going to care that you have a regulation that you have to meet or that they need to implement X, Y, Z by a specific time sensitive date.
So, one thing that I find helpful in situations like this when I'm trying to work with different business units to drive security initiatives is understanding what their workload is right now. What challenges are they currently struggling with? Take time to fully understand them as a team, as a resource, and learn where you could potentially offload some of this work to make their life better. Execution becomes a lot quicker.
A word of caution. This can and does backfire sometimes. For instance, I've seen multiple occasions, where that stream of work is now, quote unquote, the responsibility of you and your team, even though you don't own any of the processes or standards or their information. To combat this, exit strategies become very important. Have a plan for when and how you and your team will step back and have your client take the reins.
What does this look like in reality?
Over the last few years, universities and educational institutions have seen a massive increase in cyber incidents of “114% between 2020 and 2022, and the sector experienced the highest volume of attacks in any industry every month in 2021 and 2022.”(2)
Generated by Dall-E
Without understanding the factors impacting universities’ cyber security, going in and demanding that they update, make changes, implement measures, get new technology, etc., will make them balk at it.
Keep in mind that educational institutions may not have the personnel to implement such massive changes.
For instance, awareness of the unique mission and drive that universities and colleges have to be collaborative and have free flow of ideas, diversity in backgrounds of students, professors and staff, as well as accessibility of Wi-Fi across all sectors of their campuses and increased access from outside of physical campus buildings, helps a cyber security expert to see the security risks.
Cyber security measures are not as strongly imposed as other business either. To add to the above complexities is the data-rich environment that these institutions are and are not intuitively places general population thought of as vulnerable and needing to shore up security until recently.
Even institutions themselves didn’t see a need to invest in more stringent cyber security resiliency – in some ways, it was seen as an obstacle for some of it’s goals that include accessibility and free flow of information.
In an article in Infosecurity Magazine, Deryck Mitchelson, field CISO at Check Point, recommended solutions that still work with educational institution goals and mission - “By choosing to adopt a prevent-first approach and by integrating best practices such as network segmentation, multi-factor authentication and endpoint security, academic institutions can begin to fight back against malicious cyber-criminals,” he concluded. (3)
It all begins with understanding your client’s environment.
Because many educational institutions have been around for decades, going in to inventory security also presents a lot of unknowns.
Generated by Dall-E
So, when you look at the Kuzushi Principle in the cyber realm, it really works when it comes to that collaboration piece, when you understand what is going on in your client’s space.
Once you see things from their perspective, you can help them see things from the cyber resiliency side of things. Helping to take a bit of the load from them at the beginning, by providing staff support, training, etc., will also go a long way. Remember, collaboration should not get to the point where you're going to send all your resources to them when it has nothing to do with what you're trying to accomplish.
Grasping the practical and how to explain the practical to others, made a huge difference in the way I train and the way that I've learned jujitsu. This has also carried over in how I work with different business units in building cyber resiliency.
Comments