What Jiu-Jitsu Tells Us About DFARS Compliance, CMMC Regulations
The Brazilian martial art of jiu-jitsu is not a goal, but a path. It can take well over a decade from starting as a novice to earning a coveted black belt. Just reaching the first belt beyond white – a blue belt – requires as many as a couple of years of tenacity.
It’s like gaining compliance in cybersecurity. Perhaps your organization devoted years of effort and millions of dollars to get CMMC compliance. The impulse may be to declare victory and shift your focus elsewhere. Or maybe you’re happy with simply maintaining DFARS compliance requirements and such.
In the same way, it takes so much time and effort just to get to that first earned belt that once a blue belt is won, many belt-holders bow out. They think they’ve done enough. But there’s so much more before them that they’re failing to see, overcome, and win.
DFARS Compliance is a Stage, Not a Goal
You must go beyond DFARS compliance. Much like a blue belt, compliance is not an end unto itself. You need to believe that you keep going to your own black belt: actual, measurable effectiveness through leveraging the right mix of in house capabilities, holistic enterprise risk management, cloud technologies and managed security services.
Staying as good as you were as a blue belt will never be enough. The constantly evolving challenges in cyberspace ensure that.
Keep going and gain maturity; a place where you really start to understand what you are doing. Then you must journey to the next level by thinking of things in terms of cyber risk, and not just passing a CMMC compliance audit. Focus on evaluating your cybersecurity program based on your specific design basis threat scenarios. You need to begin seeing auditors as the annual check up, while you’re creating something larger than that: a movement.
Yes, a movement, with the aim of creating unconventional approaches to what have become conventional problems in the fifth domain of war: cyberspace. A conventional mindset just won’t work, because you’re not facing the stereotype of a haphazard fanatic. Rather, aiming for you is a sophisticated and diverse group of adversaries, playing a game of digital 3D chess.
Related Reading: How MSSPs Help Defense Contractors Meet DFARS Requirements
Making a Movement
The only way for cybersecurity efforts to gain real traction as a movement (and not just the false security of an auditor’s bureaucratic approval) is by connecting it to purpose. Focusing on purpose and not procedures can create a competitive advantage in this cyberspace war and have a lasting effect on this broad spectrum of threats. It creates energy to fuel ongoing focus to a never-ending problem.
Building purpose into the process can be done by prioritizing:
- Connecting like-minded people to the purpose, teammates who bond with and respect one another;
- Directing those people to a tangible impact;
- Encouraging them to solve big problems in unconventional ways;
- Giving them all the tools so they can see a broad spectrum impact; and providing accountability (positive or negative) along the way.
Having that mindset of shared purpose for tangible outcome is critical for each team member. As Delta Force Founder Col. ‘Chargin’ Charlie Beckwith once said, it’s better to go down the river with seven studs than a hundred (expletives). That core can inspire others to come together and contribute the best they can, with purpose.
Each contributor doesn’t have to be at the top faction of the best one percent. The top tier can inspire those not living it, ensuring that the entire team is moving in the same direction even if each member doesn’t bring the same level of capabilities. The key is to be something to aspire to, and then they just have to do their part and not necessarily the hardest missions.
After You’re Done, You’re Not
Cybersecurity leaders need to be able to solve all the problems in an integrated way that achieves the desired outcome. Once you get there, remember that it only lasts a day because the adversaries who are targeting you are constantly evolving their tactics.
That’s why you need a movement: to keep moving based on the motivation of purpose, not just process.
And it can be done. Leaders see possibilities but not limits. We put a man on the moon. We have every advantage and the best minds in the world. There’s no reason why we should spend billions of dollars on intellectual property just to give it away to committed and capable adversaries simply because of misplaced focus.
If we get to viewing cybersecurity not as a task but as a movement, we can make that moonshot. We can reach that black belt. And, when we get there we will realize that is just the beginning…
Centralized Visibility – Distributed Control: C- Suite leaders and a cyber resilient ecosystem in critical business sectors
Ever wonder how effective your cyber program is? You definitely should. As senior leaders, you have a fiduciary responsibility to manage risk, but as leaders in the defense industrial base, state government, energy, critical manufacturing, financial services,...
If you’re still waiting for a cybersecurity 9/11 or a ransomware Pearl Harbor to punch us in the gut, wake up. The equivalent has already happened. More than one, in fact. Maybe SolarWinds and Colonial Pipeline1 didn’t have the same devastating visuals of...
There were no SOCs when Sun Tzu wrote “The Art of War” more than 2,500 years ago. The ancient Chinese warrior’s old principles can empower new cybersecurity attitudes and approaches to fighting our newest wars in the digital realm. And make no...