Jiu Jitsu vs InfoSec

[Image: last year's BJJ Smackdown at BlackHat USA logo]

That’s right. Who will win? InfoSec or Jiu Jitsu? Gorilla vs Polar Bear?

Believe it or not, there’s a growing intersection between BJJ practitioners and InfoSec pros. At first that may seem odd, with the typecast InfoSec computer nerd image in your mind, but it turns out there are a ton of parallels between the Brazilian martial art and keeping hackers out of computers. So much so that I thought a little mini-series of comparisons might be worth writing up. So here goes…

I’ve been involved in computer security since the early 2000s, but only first experienced Jiu Jitsu one year ago at BlackHat USA, thanks to an open invite from Jeremiah Grossman’s annual BJJ Smackdown event. If you know anything about Jeremiah, you know he’s both a security expert and a BJJ black belt — and every year he’s getting more InfoSec pros like me into the BJJ game. There are others like him in our field as well.

I, on the other hand, am a BJJ novice, a white belt, and a dry sponge, but every time I learn about a new BJJ principle, I immediately think of its applications to InfoSec.

First off, InfoSec is a conflict. A struggle. Even a fight. When I first started learning about InfoSec nearly two decades ago now, I naively thought perfect security was possible and that it was just a matter of getting some complicated recipe correct. Now, especially as I focus on modeling attackers in my day job, I recognize computer security as a struggle between attacker and defender, which essentially all martial arts represent. Obvious parallel? Maybe. But it was my first parallel between InfoSec and BJJ.

Stay tuned for more short parallels between InfoSec and Jiu Jitsu.

Keep reading: Jiu Jitsu vs InfoSec: Chess