Jiu Jitsu vs InfoSec: Win or Learn

This is part of a series comparing Jiu Jitsu with InfoSec.

A phrase often heard in Gracie Jiu Jitsu schools when discussing sparring or competitions is: “you win or you learn.” In other words, there is no losing. You only lose if your opponent beats you and you fail to pay attention to how you could do better next time.

In InfoSec, especially in Red Teaming, where the goal is to model an attacker breaking into a business’s environment, this phrase rings true. The Red Team (simulated attacker) “wins” by achieving its objective, or it learns how to do better next time when the Blue Team (defender) detects and contains the attack. Conversely, the Blue Team wins by thwarting the Red Team, or it learns by becoming aware of weaknesses in its defensive posture.

In Jiu Jitsu, you may one day come up against an opponent who has a new guard pass (attack) that you’ve never seen, and as a result, your opponent may submit you. You can then learn from that experience and drill ways to counter the guard pass so you are ready for it the next time.

Another related and often heard phrase in BJJ is “Tap early, tap often.” A “tap” is a pat of your hand against the mat or your opponent to signal that you submit to your opponent’s attack, whether it’s a joint lock, a choke, or just an uncomfortable amount of pressure or positioning. Red Teaming a computer network is similar: if Blue can “tap out” to reset the sparring session as soon as possible, more repetitions can occur, which brings more opportunities to learn and drill various defenses.

Obviously, when the attacker is real and the target organization is breached, there are real, tangible losses, but even in that moment of gravity-laden reality, there is still an opportunity to learn. InfoSec practitioners often study the breaches of other organizations for this very reason, and rightly so.

Keep reading: Jiu Jitsu vs InfoSec: Leverage.