I grew up in the country for the most part. I did live in a neighborhood for a while but we soon bought a small farm and moved “off the beaten path”. I spent my days exploring the woods, hunting, fishing, sport shooting, trapping, frog gigging, building underground forts and tree houses. My parents both worked full time and sometimes when both of them had to work late there wouldn’t be anything to eat. It wasn’t unusual for me to come home from school, grab the shotgun and head off into the woods looking for some squirrel to shoot for dinner.

I learned a lot about how to get along by myself during this time. I became a crack shot with a rifle and could make a meal out of most anything that I could find in the woods. One thing that baffled me though was hitting a moving target with a shotgun. I could do it easily with a rifle but for some reason I couldn’t hit the side of a moving barn with a shotgun. So needless to say the few times I did go skeet shooting I might as well have picked up each of the disc and thrown them as far as I could and watched them break. Then I could have picked up my shotgun and fired off 100 round or so into the air just for fun.

The other day IBM invited me to a event that they were hosting at Barnsley Gardens just north of Atlanta. It included breakfast, a few talks on some of their security and systems managements offerings, lunch and an afternoon of skeet shooting with the guys from Orvis. The afternoon started off with me being quiet surprised. The guys from Orvis gave us a few pointers and I grabbed a shotgun and walked up to the shooting cage. When I was ready I yelled “pull” and out launched a clay disc. It went up and I followed it with my barrel. It peaked and started it’s downward descent and I pulled the trigger and watched the disc shatter into lots of little pieces. I hit 3 of the 4 practice discs. Then the real fun began. They broke us up into groups of 4 and we split up and went to different shooting stations. Since I was an experienced shooter they made me “team captain” and I was supposed to assist any of my team mates that needed help with getting their guns loaded or anything else. Since I was team captain and had done pretty good in practice the guys told me to go first and “show them how it was done”.

Our guide had moved to the “Trappers Nest” to load and launch the skeet. He first launched a couple so we could see how they would fly at this particular station. Instead of going mostly up and down it flew across the pond in front of us much like a bird would fly. Now that I had the flight path in mind I loaded my gun, got into firing position and yelled “pull”. The disc floated across the pond, I took aim, fired………….. and watched the disc continue on it’s path unscathed. Then came number 2………… same thing. Out of 10 disc I managed to hit 2. Each of the 10 stations presented us with a different shooting challenge. Some I did pretty well at and some I was lucky to hit one or two. After all 100 rounds had been fired I  had hit about 40 targets. Not what I would have wanted but I was satisfied, plus I had a blast doing it.

After it was over and my mind started to settle back into “security” mode it occurred to me that the different challenges and scenarios that I faced shooting skeet were similar to challenges and scenarios that we face in information security (OK, I’m stretching it a bit but stick with me and hopefully I’ll be able to pull this off). What’s more is that it hit me that the way some of the other shooters handled each station was similar to home some information security professionals handle the challenges that they face.

Some guys were quick to fire and others were patient, some were too patient and waited too long to act. Some were out in front of the skeet, some were behind it, other were either above or below it. Some guys emptied both barrels at one target. Some fired both rounds quickly and others were slow and steady. There were those who seemed to be shooting from the hip and those who took careful aim.

When we are doing our job we are faced with all manner of situations that require us to act, react, make decisions quickly and with little information or sometimes lots of information. How we handle these situations will determine how successful we are at our task. There are times when we have to fire quickly or we will miss our opportunity to stop an attack before it gets out of hand. There are times when it is prudent to be patient and wait and see what it happening before we pull the trigger.

The key to being successful in these scenarios requires at least one of four qualities. Skill, knowledge, instinct, luck. The “rock star” has all four of these on his/her side and the rest of us make the best our of the ones that we have. One of the stations in the skeet shoot was supposed to mimic rabbits running across a field. The Trapper would launch 1 or 2 disc in such a way that they rolled across the ground and bounced as they quickly rolled in front of you. This was the station where I saw the most frustration from some of the other shooters. Since the pattern was more erratic than most of the other stations due to the bouncing and such you really had to just shoot blindly. This is where people would unload both barrels so quickly that it often sounded like one shot. Many were extremely frustrated because it looked like it would be so easy. This is also the type of scenario that can get us in trouble at work. We often see things happening so quickly that we don’t have time to really map out a plan. We just pull both triggers and hope we hit something. This is why it’s so important to have a well designed incident response policy that you have and continue to practice regularly.

Skill, Knowledge, Instinct and Luck all play a part in  skeet shooting as well as in Information Security and we would do well to develop those that we are weakest in when it comes to information security. When you miss a target in skeet shooting the chances of it doing anything more than landing harmlessly in a pile is very low. When you miss a target in information security you risk much, much more.