Almost Secure Blog

Information Security and Brazilian Jiu Jitsu

I've been training Brazilian Jiu Jitsu for about seven months. I'm there at least three days a week, and if my body (and my schedule) allow it I do more. It's one of the most effective martial arts out there, and probably one of VERY few where the claim that "the smaller person can defeat the bigger opponent" holds true.

I struggled to find a solid hobby after I started my infosec career. Nothing was as interesting as learning how things got hacked and how to prevent and defend against it. I saw talks at DefCon and Black Hat and thought "What dark magic is this???". I felt similarly when I picked my first lock, but the real hook came when I sparred with a very nice blue belt who treated me like a human pizza. He rolled me out, tossed me up and down, then placed me gingerly into the oven. He treated me like a child, and I was hooked. Why? Because if he can do that to me, that means I can learn to do it as well.

Training BJJ is one of the hardest things I've ever done. It will test you physically, but it is also a mental game. People call it human chess, and the analogy is very apt.

A high level of technical knowledge is needed to be successful; heart and muscle will only get you so far. You can't fake your way into writing a Metasploit module, just as you'll never be able to strap on a higher belt color and strut into a gym like you own the place. Frauds are found out. Everyone starts at the bottom.

Each defeat is an opportunity to learn what went wrong, how you got there, and how to prevent it in the future. In our field there is no such thing as 100% success. It's impossible to design a perfectly secure environment. In Brazilian Jiu Jitsu "tapping" is a part of the game. If you get caught in something, by the end of the round you've learned how to (potentially) stop it. Now, you're not going to stop a black or brown belt from choking the life out of you if she/he wants to, just like you can't stop a three-letter agency from turning your toaster into a rogue access point. The biggest lesson to take away is perseverance. Defeats are not losses, they are lessons. At the end of the day, when I'm dragging myself across the parking lot, I am thinking about how to stop that choke. Learn from your mistakes, but don't let them eat you up.

There's always someone better than you. Your journey is not the journey of your peers. We all have that friend who has every letter you could want behind their name (some would accuse me of being that friend). Certifications are a great tool to learn some new skills and get your foot in the door, but at the end of the day those pieces of paper don't mean shit. You have to be able to back them up with knowledge, experience, and passion. I don't show up to my gym with the delusion that I'm going to be able to do ANYTHING against the 24-year-old marine who trains three times a day. I have to go at this at my own pace in BJJ, and it's forced me to step back and take my time on my InfoSec journey as well.

About Jared Gore

Security and Operations fanboy. Loves automation and Linux, and has a dangerous obsession with the IoT. CISSP. Ask him about Ansible and Python.
  • New Orleans, LA