I have always been interested in self-defense, whether cyber or physical, and the martial arts. My athletic endeavors early in life included fencing throughout high school and college. Later on I committed myself to studying Kung Fu. While this may not have been the best business choice (it’s much easier to discuss a contract over the fifth hole of a golf game than while you are trying to kick someone in the head), I quickly learned that there are many key lessons in Kung Fu that apply heavily to cybersecurity.
Flash back to my first Kung Fu lesson in 1998: My instructor began by putting me through a series of blocks, throwing punches one after the other. I continued to block them, all the while growing more exhausted from being out of shape, and feeling my form get sloppy from lack of experience. After several minutes, we finally stopped practice so I could catch my breath. My instructor looked at me dubiously, probably wondering if I would ever come back for another lesson, and began to explain the philosophy behind an attack.
He soon admitted that, while learning to block hits is important, the ideal way to combat an attack is to not be there in the first place. This banter seemed far too philosophical for something so physical, but after a few more lessons I realized the value of this concept. As I shared in a recent article for SecurityWeek, “In place of blocking, there are three ways to ‘not be there’ when the strike arrives: you can dodge the attack, stay out of range of the attack, or you can avoid the fight in the first place.”
In a recent webinar, I discussed my journey of discovering the lesson that avoiding a fight in the first place is also the right choice when it comes to cybersecurity. One reason is that blocking attacks has several drawbacks. If you miss, you get hit; and even if you block the strike, you can still get hurt if your opponent is strong enough. The second possibility was literally brought home to me when my father broke his arm trying to block my mother’s roundhouse kick. If Kung Fu were a game of rock-paper-scissors, shin bone beats arm bone. And if Kung Fu lessons were a set of cybersecurity practices, avoiding an attack beats trying to block every one.