Tom & Jerry. And Risk Management.

Let’s face it, folks. The world of information security can get pretty dry sometimes. Phishing scams, zero-day exploits, vulnerability assessments – it’s enough to put anyone to sleep. But what if I told you there was a wealth of knowledge hidden within the chaotic world of everyone’s favorite childhood cartoon cat and mouse?

That’s right, I’m talking about Tom & Jerry.

As a grizzled InfoSec comrade, who has spent more years battling cyber adversaries than Tom spent fruitlessly chasing Jerry, one thing has become crystal clear – effective risk management ain’t no game. It’s a merciless fight for survival against threat actors who are as relentless as that darn mouse.

Just like Tom could never seem to take a break from Jerry’s shenanigans, we infosec warriors don’t get any vacations from the onslaught of cyber-hostilities. Jet over to Maui and you’ll likely get rudely dragged back by some zero-day hitting the fan back home. Enjoy a mimosa brunch and some CISO Slack channel is blowing up over a nasty ransomware incident.

But I digress…despite being enraged by their constant interruptions to my R&R, Jerry and his mousey ilk have actually been unexpected mentors of sorts. For beneath all the Acme products gone awry and furry fisticuffs, their legendary battles contain nuggets of wisdom for us risk management devotees. So grab some popcorn (or better yet a hi-ball to dull the lingering Incident Response PTSD) as we explore how the escapades of this classic cat-and-mouse duo serve up compelling risk leadership lessons.

Lesson 1: Know Thy Enemy’s MO

Study the adversary relentlessly until you can map their TTPs down to their morning covfefe routines. It’s Threat Modeling 101 – understanding opposing motivations, capabilities, and behavioral patterns is pivotal to building a formidable defense. Otherwise you’re just aimlessly deploying controls into the void.

In Tom & Jerry’s universe, this maxim plays out with Tom spending decades mastering the art of Jerry-ology. Over innumerable chase cycles, Tom has honed an encyclopedic mind for Jerry’s tricks, likes, hidey-holes, and that all-too-predictable desire to chomp on freshly placed cheese. Tom’s attacker intel on his mouse nemesis is second to none.

For us in the cyber realm, that translates to having an elite threat research squad who eat, sleep, and breathe adversary behavioristics. Those freaky cyberpunk red teamers and purple team hybrids who make you feel like you’re at a DEF CON mosh pit. The folks who can rattle off the TTP permutations behind the latest Conti or Wizard Spider campaigns as casually as LeBron James running iso plays.

Building that intricate adversary wisdom elevates your defense posture several notches. Just like Tom’s hyper-vigilance helps him spot that buttery snack being used as a decoy for some mousetrap. Predictive capabilities like that will keep your SOC hawks perennially unruffled during even the craziest crunch periods.

Lesson 2: Keep Evolving Those Countermeasures

Alright, so Tom knows Jerry’s oeuvre inside-out. But present-day Jerry is hardly a static foe – his tactics, strategies and improvisational skills continually level up after every defeat. Ditto for cyber-villains who are perpetually retooling their arsenals with new-fangled exploits custom-crafted for max disruptive impact. Today’s silver bullet control is tomorrow’s expendable pebble.

So even as Tom concocts increasingly convoluted mousetrap contraptions like some eccentric Rube Goldberg savant, Jerry’s maddening adaptability keeps nullifying each scheme. One episode he might be dodging labyrinthine armed traps, the next he’s defeating a tricycle-mounted crossbow through some bafflingly nimble deke. The cat just can’t seem to get ahead of his scampering, always-shapeshifting opponent.

That dynamic is all too reminiscent of our uphill battles in cyberspace. Just when you felt reasonably confident walling off an entire attack vector (like log4shell or some hot Azure vulnerability), those devious threat amps go upending the game with some novel exploitation of once innocuous binaries or esoteric protocol handlers. Your front-line defenders end up faithfully executing that grim ritualistic update cycle as they scramble to deploy patches, tweak analytics rules, retune anomaly models.

The painful reality we face is that a Prevention Mindset alone isn’t going to cut it against these slippery adversaries. Gotta layer it up with equally robust Detection and speedy Incident Response capabilities that parallel the agility of Jerry and his wily cohorts. Resilient risk management means embracing an evolutionary DevSecOps ethos where all facets of defense dynamically and continually morph to stay ahead of the curve.

It’s a mindset that applies to every control tier – from pre-emptive Vulnerability & Threat Management programs, to proactive Threat Hunting ops, all the way to having a well-oiled Recovery runbook ready for inevitable breaches. That CISO state of paranoia where you’re perpetually rolling out your Next Big Security Initiative because the last panacea already feels stale and dated. If it hurts the budget, just remember – it’s either that or ending up like poor Tom deploying increasingly futile and extravagant traps while Jerry merrily stays one step ahead.

Lesson 3: Always Respect Existential Threats

Despite Tom’s vast physical superiority and deployment of all manners of traps, cages, and guided munitions, that tenacious little Jerry persistently lives to fight another day. How does this scrawny, feeble rodent keep defying near-certain doom and escaping the cat’s clutches by the skin of his fur?

One core reason – his unwavering self-belief. That defiant pluckiness which allows him to stay resolute even when the prospects appear grim beyond hope. While Tom often slips into rash overconfidence and complacency after some near-victories, Jerry maintains a perennially paranoid stance. He never stops probing for potential cracks, and he never underestimates which corners of Tom’s defenses could be subverted with the right improvisational ingenuity.

It’s a posture that perfectly encapsulates the best practice of treating even “minor” security threats with the utmost seriousness until eliminated. The same outlook that forms the bedrock of Assume Breach mentalities, Zero Trust architectures, and vigorous Vulnerability Management disciplines. Because you just know that the moment you arrogantly dismiss any peculiar alert or misconfigured ACL as “too trivial to worry about”, some crafty threat actor out there will find a way to compose it into a complex Venus Flytrap.

We’ve witnessed these harsh lessons play out time and again over the decades. From the inter-galactic face-palm around that Microsoft bluescreen smiley to more recent humbling sagas like SolarWinds or Log4Shell. Seemingly minor coding oversights or misconfigurations that malicious actors twisted into full-fledged digital doomsdays. All due to some organization making the mistake of underestimating the sheer creative force that can erupt through the combination of human ingenuity and adversary incentives.

Just like Tom learns the hard way – dismiss an opponent at your own peril, no matter how powerless they may outwardly seem. Better to sip that Whisker’s Security Kool-Aid and treat every anomaly with the alarm it could potentially escalate into if left unchecked. Because those smug overconfident cats get caught catnapping too often when insignificant-seeming issues rapidly blossom into hair-raising disasters.

Lesson 4: Double Down on Resilient Core Strengths

Now despite Tom & Jerry’s perpetually escalating arms race of one-upmanship tactics, there are some foundational properties about each combatant that remain constant across every installment of the saga. No matter how innovative their counter-moves, Tom will always rely on his substantial physical prowess, resourcefulness, and dogged tenacity to keep the upper hand against his pesky foe. While Jerry’s petite stature and ready access to cramped spaces give him persistent built-in advantages of maneuverability and stealth that no bulked-up feline brawn can fully negate.

Cybersecurity orthodoxy enshrines similar immutable principles and best practices that persist across cycles – the security bedrock upon which all resilient defenses are constructed. Call it a “Never Stop Strengthening Your Base” mentality that counterbalances the perpetual innovation required on the front lines.

After all, attackers still need to eventually gain Execution, Escalate Privileges, plant Persistence hooks, and set up that coveted C2 channel to exfiltrate data. On the blue side, sound security engineering mandates architecting Least Privileged processes, strictly enforcing Identity Controls, diligently patching and hardening attack surfaces, and adhering to core principles like Segregation of Duties. Alongside robust Monitoring, Incident Response runbooks, and Backup/Recovery processes to ensure resilience.

These eternally critical Cyber Defense roots are metaphorically akin to Tom’s crushing physical might and Jerry’s crafty survivalism. Competencies you never let atrophy even as you adapt your countermeasures on the front lines. Because no matter how innovative attacks get, an adversary’s supremacy quickly fizzles if their initial foothold fails to gain traction due to properly enforced foundational safeguards.

The lesson parallels what military generals preach – reinforce those core fighting strengths rooted in discipline, preparation, and fundamentals even as you trailblaze novel battle tactics. After all, when a blitzkrieg engulfs your operations, it’s those Ready Warfighter conditionals that will make the difference between crumbling catastrophically versus absorbing the impact and bouncing back resiliently.

Lesson 5: Find Your Tolerable “Steady State” Risk Equilibrium

Let’s ponder this – if we accept that adversary spats ad infinitum will be the norm for Tom and Jerry’s unending rivalry (and perhaps cyber risk management by extension), what exactly would signal “victory” for either side? Does Tom’s endgame entail gruesomely skewering poor Jerry once and for all? Or does the mouse faction aspire to ethnically purge all cats from the face of the planet?

Most would agree that such resulting scenarios would fall well outside the grounds of ethical acceptability for a classic family cartoon. You can perhaps make a case that in the wacky world of animated hijinks, levels of over-the-top violence get continually normalized a la Wile E. Coyote antics. But through that lighthearted lens, some form of lasting hostility between the two camps does seem an innate component of the premise.

Instead, perhaps the ideal endgame we should be rooting for is some sort of “Steady State” environment where neither side’s existence gets perpetually threatened, but they agree to mutually deterred co-existence within tolerable bounds. An equilibrium that respects each combatant’s equities while curbing the materiality of impacts from further clashes.

Sure, an errant chase or two still flares up given the overarching adversarial dynamics in play. But neither faction’s assets or well-being is subject to existentially catastrophic disruption. Peace through deterrence if you will – the cat and mouse equivalent of “eTrust” (entente of Trusted Hostilities).

We see glimpses of this evolved status quo during rare instances where Tom and Jerry share a coveted snack or temporarily align against a common threat. But for the most part, they remain mired in a perpetual cycle of risks erupting into impacts erupting into hasty response and recovery efforts.

Sound disturbingly similar to the cybersecurity realities baked into most modern enterprises? It’s a grim truth that we operate in a world where adversaries and associated risks will never be eliminated entirely. Some inevitability of malware, data leaks, insider hijinks simply has to be accommodated within ongoing risk management budgets and programs.


So just like Tom and Jerry navigate their endless rivalry, the smart CISO is hell-bent on negotiating and calibrating an acceptable “Steady State” equilibrium for co-existing with persistent threats. A state where the inevitability of intrusions doesn’t balloon into full-blown existential breach scenarios through judicious orchestration of robust preventative, detective, and response capabilities.

It’s a relentless juggling act to balance investments, implement all the right defense-in-depth processes, tech stacks and hygiene fundamentals to keep impacts firmly within the bounds of tolerated Risk Appetites. Sure, the budget ulcers associated with it all make you age faster than Tom getting clobbered by an Acme grand piano. But it beats getting owned by harebrained attacks and reducing your beloved Fortune 500 to rubble.

The Road Ahead

Well, security industry professionals, there you have it. The seminal source of risk management philosophy boiled down into a masterclass delivered by the legendary cat-and-mouse duo of Tom and Jerry.

Who knew the wacky antics of an anthropomorphized cat perpetually chasing a snickering, cheese-loving rodent could yield such a wealth of insights? We unearthed profound lessons around studying adversaries, nurturing evolutionary resilience in defenses, respecting existential threats, fortifying core preventative pillars, and negotiating sustainable steady-state deterrence with indefatigable attackers.

Of course, I’m hardly the first thinker to deconstruct the hidden layers under Tom & Jerry’s zany surface narratives. From game theorists to foreign policy mavens, from military strategists to business management philosophers, academics across domains have drawn compelling analyses from these vintage artifacts of animated mayhem. My own musings are simply the latest respectful contribution to this august school of Jerry-an thought.

But enough navel-gazing and theoretical musing already. Those break-room war stories of ICS breaches and APT28 shenanigans aren’t going to narrate themselves. Time to switch hats from the lofty Infosec Scholar back to being that grizzled blue-team commando who protects the realm from malicious cat-and-mouse games.

The battles ahead will surely be intense, the stakes higher than ever. But thanks to our honorary Toon mentors, you now wield the battle-tested wisdom to play a relentless and resilient game of cat-and-mouse against whatever the threat landscape throws your way.

Just remember – build that adversary empathy, evolve your countermeasures perpetually, take zero chances with seemingly minor dangers, shore up foundations between that tactical maneuvering, and always aspire to reach a stable steady state detente. Stay committed to that universal philosophy and you’ll soon find yourself trading victory smokes with Jerry rather than getting flattened comically like Tom under a fallen dresser.

Now if you’ll excuse me, I have a date with my Infosec team to review backdoor behavioral analytics and brainstorm StackGuarded service defenses.

The antics of our advisory council chairs Thom and Geraldine await!