Sometimes when I play table tennis I notice something strange. There are opponents I’ve played against who are objectively worse than me (less skilled, slower reaction times, etc.), but I still lose to them consistently. On the other hand, I end up winning against players who can do amazing things with their rackets. I was always puzzled by this phenomenon until today when I came across a cool idea.
The idea was in scientist Simon Ramo’s publication on tennis. He pointed out that professional and amateur tennis are fundamentally different despite having the same rules, as they are won by different factors.
According to Dr. Ramo, in professional tennis, the final result is determined by who makes more winning moves, while in amateur tennis, it’s determined by who makes more mistakes.
In professional tennis, 80% of points are won, and in amateur tennis, 80% of points are lost.
This idea is often counterintuitive. It’s natural to want to show everything we’re capable of, instead of simply trying to play decently and avoid stupid mistakes. And it seems that I fell into this trap as well.
This principle seems to apply to many other things. We often focus on trying cool new things to bring us closer to our goals, while continuing to do stupid things that affect the final result far more than skipping the cool things would. It would be more effective to focus on getting rid of these stupid actions.
What does all this have to do with cybersecurity? The link is actually quite direct. During the development of a secure system, it’s often more important to just not ignore security in the design stage than to implement all kinds of cool security features after the system is developed. In other words, to follow Secure by Design as an ideology.
In fact, this idea works well with the concept of security from simplicity, which is an important trend in cybersecurity today. The idea is that the more cybersecurity tools an enterprise deploys, the less effective its defense is. For example, there’s a study showing that companies with more than 50 cybersecurity-related tools have 7% lower defense capabilities than companies with fewer than 50.
That’s why security should be as simple as possible. And the most natural way to reduce the complexity of security mechanisms is to implement security at the design level from the very start.