Wednesday, December 26, 2012

Maintain the Combat Stance

Miyamoto Musashi was a great Samurai - born in 1584, he lived in the prime age of the Samurai warrior class. Musashi was a ronin, a masterless warrior, who wandered the country, trained, fought other warriors and was undefeated in over 60 duels.

In his old age, Musashi retired to the hills as some Samurai were known to do, and composed poetry and other works of literature and art.  Musashi had mastered the art of combat - he composed a book called "The Book of Five Rings" - it is a treatise on combat.  The book is widely admired today in both martial arts circles and in business, as a way to know your enemy and improve your own tactics and strategy in war.

In this book, Musashi writes "The Way is in training. Become acquainted with every art." - This wise advice applies directly to our mission in Information Security.  We are faced with the constant threat of attack, just as Musashi was while walking the Japanese countryside.  Musashi advises us to know our enemy - know his skill.  Understand the threats.  

When I was studying for my CISSP, I had to either learn or become reacquainted with ten domains of information security.  Even though I may not use it on a daily basis, the CISSP exam would test me on my knowledge and understanding of all areas - I didn't need to be an expert but I needed to be acquainted with every art.  

Musashi lived a life of constant training - working to improve his physical skill and mental preparedness. He learned to assess the opponent's skill and capabilities - in security we also must learn about the risks. We scan for any vulnerabilities, we strive to understand the threats which might exploit those vulnerabilities, and we look for ways to plug those holes and remediate those risks. Like Musashi, we constantly try to improve, training and educating ourselves about the potential dangers to our data and learning to battle the attackers.

We must seek to constantly improve our skills and our defenses - tighten up our security while also increasing our ability to be alerted to anything which might be out of the ordinary. We never know how small a clue we will get, if any at all, that an attack is coming. We must learn the tools and tricks of our opponents so that we may understand what we need to defend against. And we must use strategy to drive our stance - as Musashi also writes - "In all forms of strategy, it is necessary to maintain the combat stance in everyday life and to make your everyday stance your combat stance. You must research this well."

Musashi's words are very appropriate for us - how do we maintain the combat stance in our networks? And what does he mean by "make your everyday stance your combat stance"? If we understand the threats and prepare our defenses well, we maintain a combat stance, ready to repel any attackers or be notified of a battle underway. We must have our plan in place and ready to go - our security operations should be buzzing and our incident response program should be standing by.

Just don't go running out of your office with a headband, a samurai sword, yelling "BANZAI"!!!  HR would probably frown on that.
