Jiu Jitsu vs InfoSec: Leverage

Archimedes Lever

This is part of a series comparing Jiu Jitsu with InfoSec.

This concept is one I also think about when doing something as simple as home renovation work.

Brazilian Jiu Jitsu was created when a small, weaker boy with several tougher brothers was encouraged by his father to learn ways to fight off his brothers during typical roughhousing and play. The goal was to apply force at specific points to create maximum leverage to wrestle, grapple, or fight off a larger opponent. A BJJ white belt learning a new sweep may find a smile forming upon the realization of just how little force is required to move a much heavier opponent.

In InfoSec, I see this parallel in a budget-strapped and scrappy InfoSec department (and all InfoSec programs have limited budgets — never infinite resources). Maybe the engineers don’t have the funding for the tools they want, but I’ve frequently seen engineers cleverly come up with solutions on shoestring budgets. This is exactly the smaller brother holding his own against brothers with 50+ pounds on him. Maybe it’s a policy applied here, or a vulnerability program applied there, or even some automation in the SOC to reduce the noise for the analyst.

It’s all force, applied at specific points, to create maximal leverage for the defender. When the same amount of force is applied at the wrong place, the physics are wrong and the effort required is humongous.

Keep reading the next related parallel: Jiu Jitsu vs InfoSec: Conservation of Energy.