The Old Man and the Tsunami: A Security Story

There’s a folk-story that all Japanese schoolchildren learn about a man called “Gohei Hamaguchi” (sometimes called just “grandfather”) who saves his village. In brief, there’s an old man who lives in a village by the sea, and one day, an earthquake hits. He’s the only person in the village to realize that a tsunami will soon follow.

He hurries to the nearby mountainside where the rice for the village is grown and sets the entire harvest aflame. All of the villagers race to the mountainside to deal with the conflagration — their rice is their most precious resource. That’s where they are — angry, but safely on higher ground — when the tsunami destroys the village. The old man is seen as a hero once it becomes clear that he set the fire to save the villagers.

This story is simple on the surface, but I call it to your attention because it offers several valuable lessons to apply to technology security. The story presupposes a balance of understanding human nature, the will to take decisive action, and adequate preparation that those responsible for security should take to heart.

Each of these elements plays a role in keeping our environments and data secure — and, frankly, they are areas that most security practitioners struggle to get right. However, understanding the lessons of the story can lead to significant improvements.

Understanding Communication

The first lesson of this story — and maybe the most subtle one –is that grandfather understood how to communicate to his audience in the most effective way, and he used that knowledge to act in their best interests.

Envision a scenario in which instead of setting the fire, he tried to convince the villagers verbally to seek higher ground. It’s possible that it might have worked. However, it’s much more likely that other things would have happened instead: There might have been debate about the best plan; disbelievers might have demanded proof; or there might have been complicated logistics, like tracking down stragglers or children. Some might have been saved in this scenario — but ultimately the delay probably would have cost lives.

However, grandfather knew how the villagers would react and used that information for maximum benefit. There are two lessons here: We must understand our audience, and strike to communicate to get the results we need.

This may seem easy, but it is harder than you might think. It first means that we must understand what’s important to our organization: what drives it and what the motivations are for folks within it. That means we must understand the business in a deep way.

In the tale, it grandfather understood his people to such a degree that he could predict the villagers’ actions. Can we get there with our business teams? Yes, but it takes work. It might involve structured exercises like business impact analysis, tabletop exercises, red team exercises, or any number of data-related techniques.

This level of understanding also means that we must communicate effectively — not only with words, but also with actions. Communication skills aren’t necessarily the ones technologists most actively seek to develop. However, as security pushes its way up the organizational stack to higher-level visibility, it’s important to excel in this area.

Drastic Action

The next lesson is the willingness to take bold action — or at least to take action commensurate with a high stakes situation. The outcome of the burning rice fields — obviously undesirable — was nothing compared to the complete loss of life of the whole village.

Implicit in making a tradeoff like that one is understanding two things: the impact and risks associated with not taking action, and countermeasures that potentially would address the concern — in short, risk management.

For many practitioners, structured risk management is like eating vegetables: We know we should do it, but we probably don’t do it as much as we should. That is, it’s maybe lower on the priority list than is optimal.

However, a thorough, systematic and workmanlike analysis of the threats and impacts in our environments not only lets practitioners better address the situation on the ground today, but also paves the way for the potential “drastic action” scenario that might be required in the event of our organization’s infosec equivalent of a tsunami.

So, if you’ve been giving risk management the back burner treatment, it might be useful to bring it to the forefront.

The Right Data

The last, and maybe most important aspect of the tsunami story is that grandfather was right. That goes unsaid, but it would have been a whole different ending for all involved if he weren’t. Had he been wrong, he’d have been remembered as the villain who burned the harvest instead of the hero who saved the village. This is an important bit to get right.

What does that mean to us? It means that our effectiveness is part and parcel of our ability to accurately — not to mention quickly — ascertain the situation at hand. That means data: data about ourselves (that is, operational metrics), the situation around us (situational awareness), and data about threat actors and their tradecraft (threat intelligence).

It’s easy to fall into the trap of letting metrics slip; after all, sometimes it can seem like it’s an exercise in authoring dashboards nobody reads. However, a “living” metrics program that is tied to actual outcomes can give us increasing confidence in the accuracy of what we think we know.

The point is, if you’re in a situation where your company’s collection of security-relevant metrics is anemic — or where the analysis you are able to perform isn’t up to par, this might be a useful area to invest time and energy.

This humble lesson about an old man and a rice fire is a very appropriate analogy for information security in business. By focusing on our ability to understand and communicate with our business partners, bolstering our risk management capability, and harnessing internal and external information, we can make strides toward building more robust security programs.