Chapter 3. The Art of Our Business: The Seven Steps

If you’ve ever watched a sumo wrestling match, you’ve seen the collision that takes place between two very large bodies, each trying to push the other out of the ring. It’s a match that always ends with a big winner and a shame-faced loser. Unfortunately, the practice of InfoSec can often be like a sumo match in many ways.

The focus of this chapter is to offer up a better way—a new way unlike the traditional sumo approach. To best explain this process, I’ve likened it to the martial art of judo, in which both attacker and defender roll together and end up in a different place. It’s efficient, simple, and easily achieved.

I’ve designed my approach to building an InfoSec program as a simple, easy-to-follow, seven-step process. It has been my pocket guide for years. I’ve used it to develop a set of operating principles that guide my team members as they partner with the business. Before delving into my approach and the seven steps, let’s look at the sumo analogy in more detail.

The Sumo Approach

InfoSec teams often use their power to try to enforce security controls throughout the company, frequently among the unwilling and uneducated. The sumo analogy is especially pertinent when others in IT or engineering oppose the InfoSec team, and the two departments begin the relentless and unseen pushing and shoving match until someone “loses.”

I can’t count the number of times I’ve heard myself or other InfoSec practitioners complain about ...
