“The idea of intercepting is key to Jeet Kune Do (JKD), whether it be the interception of your opponent’s technique or his intent.
The basic guiding principles are: simplicity, directness and freedom (the form of no form).
The techniques and philosophies of JKD can be applied to real combat as well as challenging life situations.
Jeet Kune Do consists of physical techniques and applied philosophies and requires the individual to train him or herself to their most cultivated state of being-ness so that when faced with a combat situation or a challenging personal situation, the tools needed are available in the moment and can be executed without thought.
Jeet Kune Do celebrates the cultivation and honest self expression of the individual over any organized style.”
INFORMATION
Jeet Kune Do (JKD) was founded by Bruce Lee, who was both a great philosopher and martial artist. What made Bruce Lee's style, JKD, stand out from "traditional" martial arts and self-defense tactics was the "practical application" of the style.
Source: www[.]brucelee[.]com
INGRESS
The beauty of JKD, as I see it, is the basic guiding principles: simplicity, directness and freedom (the form of no form). For me, it comes down to applying the things that work in reality. It is less about the “black belt” or demonstrating certain movements. It is about doing what is needed when the situation appears.
From my point of view, this is very comparable to how security in many cases should be applied: how the things that are explained and expressed in theories, papers, standards, multiple choice exams, frameworks, whiteboards, blogs, and even on this website should be translated into things that work in reality. But it is not always that easy. Security is not always a 1 or 0, an absolute “yes” vs “no” question. But we need to strive towards an implementation that has carryover to the real world. It is in the real world that bad things happen. It is there that those risks and threats exist.
In real life, security requirements at one organization will most definitely be a bit different compared to another. Similarities will be found, but copy-pasting “security” from one place to another is not how things work. How security is implemented in different organizations might be based on the same principles and fundamentals. And this is also something that I strongly believe security is about: intelligent basic principles and fundamentals. And these can be backed up with, for example, risk-informed decisions, threat intelligence, and so forth.
However, how these principles are implemented and applied, in practice and between organizations, might, as I said, differ. And this is how it should be. How one organization accomplishes protection and resilience compared to another is how the real world works.
Just because a certain standard, framework, best practice, or method says this or that does not mean that there are no other ways to accomplish the same result. For example, achieving compliance with a standard, framework, or regulation does not, by default, mean that things are secure. There are those who do not agree with me, and I am fine with that. I am not here to say that compliance does not have anything to do with security.
I do believe that security is what an organization should aim for, to make sure they are protecting their assets and that the organization is resilient.
And I believe that if an organization focuses on making things secure, compliance will and should follow. Compliance is a part of the security universe, but I will leave the “Compliance vs Security stuff” for another article.
To accomplish a secure environment, the things we have learned from theories, standards, frameworks, regulations, multiple choice exams, contemplations, and reflections need to be made practical. The power from these things needs to be applied and made real. The effects of security to improve an organization’s security posture and cyber resilience will not be switched on if they are not practiced or applied in reality. I think you might have a feeling of what this article is about. End of ingress.
IN REALITY
I have, like most people, some preferences for how certain things and tasks should be conducted, and certain ways that I fall back on or advocate more than others. In many cases, this boils down to my empirical knowledge and experience. So what does that mean? It means I have approached a situation several times and achieved a positive result with the help of the methods I prefer to use. These can be seen as a sort of personal professional baseline from where things potentially can start.
But I am a believer in not sticking or holding on to old habits. This means that if I find other, better ways or methods, I try them out and evaluate the results. I may change my baseline, i.e. learn as I mature in my profession. And just because one thing worked at organizations 1, 2, 3, and 4 does not mean it will work as well at organizations 5, 6, 7. Here an open-minded attitude comes into play. Are there other or better ways? Or can there be a mixed solution that could work out?
At the same time, I am a dude who likes science. A strong believer in evidence-based methods. System thinking. Measurable results. Gaining an understanding of what is the most proven way to do things, backed up by studies and research. But in many situations, and because of the fast-paced change cycles in the security landscape, science and research are not always applicable. For this reason, I think a pragmatic approach is so important. What a theory says might not be applicable in reality all the time.

Use the current information, history, knowledge, and wisdom available, but be open and humble about testing new ways of thinking. Doing everything and always doing it the same way will most likely lead you to the same results. In many cases, this is what we want. This is, for example, a very good way of conducting operational tasks within the security realm.
A standard operating procedure is there to be used in the same way; no deviation is needed there. But what if you are confronted with a totally new situation, a risk generated by an emerging technology for example? This is a scenario where something like history is less applicable, I would say.
How can a simulation or forecast of the future be done when there are no data or metrics available and we do not have access to a time machine? For this scenario (around forecasting the future) check this article out: EMERGING RISKS & HOW TO FORECAST THE FUTURE. Some principles found within the article may be helpful. Use them in a way that makes sense for you and your organization.
“Research your own experience.
Absorb what is useful.
Reject what is useless.
Add what is essentially your own.”
Bruce Lee
Not every situation is a straightforward process where a given order is certain or absolute. Projects, for example, may in some cases become hyper-dynamic. Unpredicted stuff pops up despite the risk assessments that were conducted. In these cases, it is always nice to fall back on well-tested procedures and knowledge from the literature and theories. But what if the solution to the existing situation is not there in those textbooks or in alignment with that procedure from that well-tested methodology?
What if the solution to the situation is a mix of disciplines, methods, processes, and things from several different standards, frameworks, and guides? If that is the case, the short answer is to mix a cocktail of the things necessary to accomplish the desired result…or at least this is how I do it and have done it several times.
You pick something applicable from, for example, TOGAF, ideas from ITIL, and guidance from COBIT. Mix them in the shaker and *tada* there we have it. The solution. Things may not be that easy though. But what I try to (joke around and) explain is that one should not try to punch that green triangle into that yellow square hole.
Everything cannot and should not be solved with one framework, technology, standard, system, application etcetera. I like Excel, really love it. But I would not try to write an executive report with it. I love Kali Linux for offensive security stuff, but I would not use it as my preferred tool or platform in my day-to-day work.

It is common to see organizations try to “fix” security this way, for example by applying NIST CSF, CIS CSC, or ISO 27001 to everything security-related. I have been faced with “We are ISO 27001 compliant and do things this way here!” more than once. Nothing wrong with ISO 27001, I like the standards. But when I instead suggested solving a situation with the help of a mix of things from ITIL and NIST CSF, it didn’t fly that well.
I respected the situation(s) and provided my point of view. They wanted to go one way and try to jam that green thing into a hole that was not designed for it to fit in. At the end of the journey they stubbornly gave up…and chose to NOT(???) solve the issue (which surprised me a LOT) because it was not aligned with the standard. [They had a very strange take on ISO 27001, to be honest.]
Anyway, it was not the end of the world for that customer, but it just got my head spinning. Why choose to not do something about an obvious issue when there are solutions better suited?
Why not fix that broken window on the garage door instead of just ignoring the obvious issue and putting loads of ego in front of that poor garage door? Well, this will not be the last time I face this kind of situation, I guess. They tend to turn up here and there.
“We have always done it this way here!”
Grace Hopper (1906 – 1992)
An American computer scientist & United States Navy rear admiral
I agree with Grace Hopper, this is one of the most dangerous statements up there at the top of the high-score language leaderboard. If this becomes an unwritten guiding principle or a part of the culture within an organization there is some crazy sh*t going on. There is very little in that sentence that will guide an organization’s future preparedness in the right direction.
Not every organization needs to be on the frontline though, or to be innovative. But keep in mind that the digital ecosystem is hyper-competitive. It does not favor those doing things ad-hoc as a standard way of working or holding on to the same way of doing things over and over.
Think about this one as well. If your competitors start to gain a competitive edge by doing things in a new way, and that turns out to be a winning way of doing things, it might be a good idea to contemplate whether that way of doing things, or similar ways, can be applied to your own organization as well.
Those who did not jump on the digital transformation train pre-COVID had a pretty nasty start when the virus went apeshit on planet Earth. This is not the last time that a virus, or some similar situation in terms of a crisis, puts us, our organizations, and our societies in a spot where there will be an increased need to speed up the digital transformation.
I hope that this lesson and exercise is not something that becomes forgotten. This situation was a great exercise for many organizations to gather loads of knowledge in terms of how resilient they are in crisis situations like these. Have you and your organization done your lessons learned and recorded the knowledge from this situation?
Real-life feedback around the above subject:
“We have not had the time for that stuff!”
“Oh, that sounds like a good idea Henrik but we are almost back to normal now.”
“Good idea. I will park this idea for a later time!”
These are three comments I have received during dialogues around how the situation related to lessons learned was handled. Not the best way to approach things like this in my opinion.
The knowledge gained in a crisis situation is not something that can be paused and parked. “OK boys and girls, put that knowledge on pause now for 2-3 months until this messy thing is over!”. Nope, ain’t working like that and never will. We as humans, in general, tend to forget things pretty quickly. And we are not that much into thinking about negative things, like a pandemic, for longer periods. The next time a situation like this takes place you want to have that knowledge accessible. You want to rely on tested stuff and not do things just by swinging in the dark. And it is a bad idea to start thinking through and trying to figure things out in a highly stressful situation.
Do not let yourself get locked into only one perspective, framework, process, knowledge, or technical solution. Do not try to use that wrench when a hammer is better suited. Maybe you need to use both? A hammer and a wrench but not exactly at the same time? And then you realize that a screwdriver and a cold beer are needed. If this is the case for me, it’s an easy choice. I would get that screwdriver and most likely grab an extra beer with me.

And security is not different when it comes to reality. There are many good theories, standards, frameworks, practices, multiple choice exams, books, philosophies, technologies, and knowledge out there. But all these things will not work for each and every organization in the same way.
Security is not only about abstract models, multiple-choice questions, and theories existing in textbooks and PowerPoint. Security needs to exist in reality; it is in reality that the risks and threats exist.
And this is the reality. In the real world, there are things the textbooks or PowerPoints do not account for. For example organizational maturity, cultural diversity, leadership skills, ethics, politics, and bureaucracy. A theory, for example, is not developed with all these known unknowns in mind. And it is impossible to do so. And risks and threats do exist in reality. Bad things, intentional and unintentional, happen in the real world as a result of, for example, risks and threats.
EPILOGUE
An organization exists to create value. And security in an organization is a supporting function. And those who exist in an organization that creates value, and that security is supporting, are (mostly) humans.
If security in an organization is not providing support, things need to be done differently. A different way can mean changing those things that do not work to something else that is working for the organization.
You, as a security professional, are there to support your organization. Security [*drumroll*] is mainly about humans.
Henrik Parkkinen