Is your preferred IT Security weapon a Sword or an Oar?


New CIO IT Security Fighting Tactics, Leadership and Philosophy

I have always been endlessly fascinated with Samurai, Ninja, and martial arts. In my teens I studied Karate and then later, in my 30s, picked up Tae Kwon Do for 4 years and achieved a black belt.

I couldn’t help but see the parallel between IT security leadership and Samurai in this story.

The Ronin were outcast Samurai who had no clan or master per se, but hired themselves out to protect whoever wanted protecting.

One such Ronin was perhaps the most famous Samurai of all: Miyamoto Musashi. He is known in Japan today as the Sword Saint because he studied the art of Kendo – which means the Way of the Sword – under an uncle.

“The master of Kendo aimed to become one with his sword – until there was no sword, no anger, no fear. A master would move without thought, treating his enemy as an honored guest, even as he cut him down.” (The Ways of the Samurai)

Think of this for a moment. Treat your enemy as an honored guest...

I pause for a moment to bring to light what I think of in today’s world as our enemy. This enemy has forced PCI to change from “Compliance-based IT Security” to “Actual and Real IT Security”. Compliance-based IT Security leaves gaps for our adversaries to exploit between compliance visits.

What is the new strategy that can fill these gaps? Clearly tools, techniques and processes have not been mastered yet, given the high rate of breaches being experienced by even the most experienced IT Security professionals. I would also like to state that this is not easy. I would argue, though, that running around trying to fill a 3-ring binder for the auditor is harder than simply investing in the areas we need to cover so that there are no gaps.

How Important was a Samurai’s Sword?

First let’s look at how a Samurai revered his sword: “to a proud samurai, no possession was more precious than his sword. A sword was brought to the birthing chamber when he was born and placed by his deathbed when he died... A samurai sword was made of iron and steel and forged and tempered with mixtures of water and oil... the cutting edge of a samurai sword was very hard and extremely sharp.” (The Ways of the Samurai, Kindle location 221)

So what happened to the Ronin Samurai, Miyamoto Musashi from the beginning of this article?

In this story Miyamoto rose to stardom on one duel with Sasaki Kojiro. Kojiro was a young samurai who had developed a new sword technique based on the movements of a swallow’s tail in flight. The contest was to be held at 8AM on a deserted island. Miyamoto was late arriving. He also decided not to bring a sword, but instead carved a wooden sword from an extra oar on the boat. <yikes>

When he finally arrived at the island, Kojiro was waiting, formally and elegantly dressed. Musashi was disheveled and unkempt. Kojiro drew his long sword as Musashi approached him. Musashi said, “You’ll no longer be needing that.” Kojiro, angered, sliced his sword towards Musashi... At the same moment Musashi moved his oar upward, blocking the cut, then brought his oar down on Kojiro’s head. The young Samurai pitched over dead. Musashi stepped back, bowed politely to the astonished officials and left in his boat. After the duel with Kojiro, Musashi gave up using real swords in duels. His skill was so great he was already a legend in his own time. (The Ways of the Samurai, Kindle location 570)

A New Sword for the CIO that Cuts Through Complexity is Needed

I think that CIOs now need new tools and techniques. They may not seem as fearsome as a sharp sword, but they cut through the complexity of communicating IT Security when evaluating risk and developing plans to buy the tools needed for “Real Security” rather than mere “compliance efforts”.

Here is what a CIO IT Security Scoreboard should look like (see below): a tool that flushes out the reality of your current-state IT Security versus compliance-based security, and that measures IT Security ‘reality’ across 49 different IT Security areas.

Security Scoreboard

Is this an Oar or a Sword?

I have seen such positive momentum built with visual tools in IT Security, yet I would call it an ‘oar’ strategy and not the ‘sharpest sword’ approach. I am not against great IT Sec tools (swords). I love them. They are necessary. However, someone has to govern and be in charge of strategy (my ‘oar’ philosophy). No CIO friend of mine is saying, “Look, I have a bunch of money to spend; who has the best IT Security tool out there?” This conversation isn’t happening. What is happening is that the CFO and CEO and the Board all want to know what is going on.

Visualizing IT Security Strategy will Win!

All CIOs and CBIOs (Chief Business Information Officers) need to visualize for the business leaders on one page, distilling complexity in order to 1) give accurate information, 2) show risk, and 3) show a plan. This lessens fear and gets non-IT Executives out of their ‘fear’ brain (more on this in later posts) and into adult-oriented planning.

Get Managers, Admins, Directors, etc. involved in IT Security within your company by giving them a framework. You govern the entire process. Now you have data across all areas of IT Security that marries everyone’s opinion to an actual score. By everyone’s opinion I mean the auditor’s opinion, staff opinion, your favorite IT Security VAR’s opinion, etc. You have one score. Yeah!

What does this look like in more detail?

The key above is to measure actual risk based on the real capabilities in specific security domains. In my opinion this can only benefit you, the CIO, your direct reports, and the auditor and VAR opinions alike.

What about the CFO, CEO, and Board?

The key is to bridge this data so that you can present it to a CFO, CEO, and Board. This has been the biggest issue. The standard question they all have is, “I spend all this money on IT Security and we are still having these problems…”

Now it is time to show the consolidation of the data based on Risk, Budget, Priority, and Time Frame. This view covers 49 different security domains and brings the risk graph and the priority graph together into one visual tool.

I have seen this work wonders with a CFO and CEO as far as distilling the complexity of IT Security into the focused parts that need attention and funding.
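As an added illustration of the two steps above (marrying stakeholder opinions to one score per domain, then consolidating by Risk, Budget, Priority and Time Frame), here is a small Python scoreboard; it is not the author's tool, and the four domains, their 0-5 scores, impact ratings, budgets and time frames are constructed sample values rather than the 49-domain framework from the post.

```python
from dataclasses import dataclass, field
from statistics import mean

# Constructed sample: four of the 49 domains, scored 0-5 (5 = fully capable)
# by three stakeholder groups. Names and values are assumptions for illustration.
OPINIONS = {
    "Patch management":     {"auditor": 4, "staff": 3, "var": 3},
    "Log monitoring":       {"auditor": 2, "staff": 1, "var": 2},
    "Network segmentation": {"auditor": 3, "staff": 4, "var": 2},
    "Backup and recovery":  {"auditor": 5, "staff": 4, "var": 4},
}
# Per domain: business impact if it fails (1-5), budget to close the gap ($k),
# and time frame to remediate (quarters). Also constructed.
META = {
    "Patch management":     (4, 40, 1),
    "Log monitoring":       (5, 120, 2),
    "Network segmentation": (5, 200, 3),
    "Backup and recovery":  (3, 30, 1),
}

@dataclass
class DomainRow:
    domain: str
    capability: float   # mean of all stakeholder opinions: the "one score"
    risk: float         # (5 - capability) * impact; higher is worse
    budget_k: int
    quarters: int
    priority: float = field(init=False)  # risk retired per $k per quarter

    def __post_init__(self):
        # Cheap, fast fixes to risky domains float to the top of the plan.
        self.priority = self.risk / (self.budget_k * self.quarters)

def consolidate(opinions, meta):
    """Build the scoreboard: one row per domain, ranked by priority."""
    rows = []
    for domain, scores in opinions.items():
        impact, budget_k, quarters = meta[domain]
        cap = round(mean(scores.values()), 2)
        rows.append(DomainRow(domain, cap, round((5 - cap) * impact, 2), budget_k, quarters))
    return sorted(rows, key=lambda r: r.priority, reverse=True)

def funding_plan(rows, budget_k):
    """Greedy view for the CFO: fund domains in priority order within budget."""
    funded, remaining = [], budget_k
    for r in rows:
        if r.budget_k <= remaining:
            funded.append(r.domain)
            remaining -= r.budget_k
    return funded, remaining

if __name__ == "__main__":
    board = consolidate(OPINIONS, META)
    for r in board:
        print(f"{r.domain:22} cap={r.capability:.2f} risk={r.risk:5.2f} "
              f"${r.budget_k}k {r.quarters}q prio={r.priority:.4f}")
    print(funding_plan(board, 150))
```

The risk column is the "risk graph" (Log monitoring is worst), while the priority ordering and the greedy plan are the "priority graph": a domain can carry the most risk yet not be first in line if it is expensive and slow to fix.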

These are my thoughts on new CIO IT Security Fighting Techniques. What are yours?

You can reach Bill Murphy here at