
How to apply Sun Tzu’s ‘The Art of War’ to cybersecurity

By Andrew Maloney
September 13, 2021

Some of the world’s most successful cybersecurity experts and professionals have embraced Sun Tzu’s “The Art of War” for its themes and guidance on how to prepare for and manage conflict. Much of it focuses on how to outsmart opponents without engaging in battle. It is more relevant now than ever, as the major cyberattacks of the past year demonstrate that adversaries arguably have the upper hand.


Most organizations are more susceptible to compromise because they fail to understand what they are actually protecting. Unless a chief information security officer's (CISO) tenure predates the inception of computing at a company, they are inheriting its established security programs and concepts. Many CISOs are hesitant to make significant changes early on to avoid disruption. This is problematic because a security program built on an unstable foundation ultimately leads to erosion and leaves a company ill-prepared for conflict.


Although it was published nearly 3,000 years ago, the lessons found in “The Art of War” can help today’s security leaders establish core security tenets to minimize the opportunity for compromise. Applying the Sun Tzu approach to cybersecurity gives organizations the awareness of what to look for, what vulnerabilities create the most risk, and how to implement the appropriate incident response procedures. 


While nearly all of the treatise’s principles apply to cybersecurity, focusing on the following three will deliver a significant impact when it comes to leveling the battlefield.


“Know thy self, know thy enemy.”


This principle relates to the importance of preparation, which begins with identifying business-critical assets and understanding and prioritizing risk. 


A net-new CISO must spend their first 3-6 months developing a detailed comprehension of the business and asking difficult introspective questions. This means auditing every function of the company, such as sales and manufacturing processes, operations, and how different groups and organizations communicate to clearly understand the “crown jewel” data most important to the business. 


Rigorously analyzing the business will uncover potential gaps and blind spots in the security architecture that require further attention and augmentation. This will also reveal if the company’s approach to security has been to establish a secure foundation and build upon it or merely check the boxes from a compliance standpoint.


Once the CISO understands the gaps in the security architecture, the next component of “know thy self” is working with the board and executive team to arrive at a collective understanding of which risks are most concerning. Security means measuring risk with business continuity in mind. Finding out what keeps the company’s leadership up at night helps the CISO prioritize their efforts based on the organization’s level of risk tolerance.


There is no universal approach to risk tolerance because each business has a set of unique circumstances and a different mission. This makes alignment between the leadership and security teams crucial because executive and board priorities will vary based on the company’s mission, as will the assets a CISO is charged with protecting.


With the “know thy self” foundation in place, security leaders are in a better position to “know thy enemy.” It gives companies a basis for classifying the adversaries most likely to target them. For example, a government entity securing classified information on sensitive assets that support intelligence-community operations is likely most concerned with state-sponsored attackers, whose motives are typically espionage or disruption of capabilities. Cybercriminals are generally monetarily focused and would be of primary concern to a financial services provider, retailers, or others that handle large numbers of financial transactions. Then there is always the low-hanging fruit: any organization with an immature security posture is susceptible to those who opportunistically exploit whatever vulnerability they can find.


“Tactics without strategy is the noise before defeat.”


Unfortunately, in this day and age, compromise is inevitable. How a business responds to incidents is what will determine its cyber resiliency. According to Sun Tzu, attempting to implement a solution without a plan of action is a recipe for disaster. Most cybersecurity leaders divide their attention between developing a fundamental strategy for their organization and deploying the latest detection and prevention solutions that claim to deliver complete protection. This leads to gaps in the security posture and an eventual compromise from something simple or simply overlooked, like a weak and reused password without multi-factor authentication. 


No amount of technology can overcome the absence of a well-developed incident response plan. Cybersecurity investigations are the most critical component because they provide the necessary context and information for remediation. Chasing the latest shiny object leads to tool bloat, which results in inefficient investigations, longer mean time to respond, and more time for adversaries to dwell in an environment and move laterally to aggregate and exfiltrate data. 


CISOs should focus on end-to-end observability of their security posture and build efficiency into their investigations. This enables organizations to rapidly identify the scope and impact of a breach, reach a high-confidence conclusion about whether the incident is benign, minimal, or severe, and more quickly begin taking the appropriate response actions to contain the breach and identify its origin. The average time to detect and contain a data breach caused by a malicious actor is 315 days. However, organizations that contain a breach in less than 200 days save an average of $1.12 million compared to those that do not.



“Subdue the enemy without fighting.”


Sun Tzu argues that the best tacticians are those who can control situations through intelligence and leverage information to dictate the choices of their adversaries. Once an organization establishes a complete understanding of its attack surface, it can deploy security controls that protect critical assets. 


Security teams need to follow the proper procedures to establish a baseline of normal activity, so that analysts can recognize outliers and identify unauthorized access to critical systems. This also allows SOC teams to sharpen their detection and monitoring processes by quickly recognizing when something is awry, which limits further attacks and the techniques behind them.


If security leaders already “know thy enemy,” these processes enable them to learn their adversaries’ capabilities and the techniques those adversaries will use to infiltrate their environments. Once a security team has this information, it can run those scenarios against its own attack surface to prepare. From there, organizations can strengthen their preventive measures and remove dormant assets from their ecosystems that could weaken the security posture. Threat actors only need to succeed once to cause significant disruption, so it is incumbent upon the CISO to remain diligent in gathering and applying this intelligence.


Cybersecurity is a constantly evolving lifecycle, and there is no single one-size-fits-all approach. Organizations must take what they learn from each incident, investigation, and practice exercise to fortify their foundation. This is not a one-time operation but a continuous preparation loop that helps minimize the chance of future compromise. Taking a lesson from “The Art of War,” the more attention a CISO and the security team give to the program’s overall strategy rather than to isolated tactics, the more secure the organization will be.

KEYWORDS: Chief Information Security Officer (CISO) cyber security incident response risk management


Andrew Maloney, CISSP, is the co-founder and chief operating officer of Query.AI, where he is responsible for establishing and delivering on Query.AI’s go-to-market and business operations strategy. Maloney has over 20 years of diverse leadership experience, most recently serving as a founding executive and SVP of field operations at Jask (acquired by Sumo Logic). His experience also includes other high-level positions in companies that include Niara (acquired by HPE), Hewlett Packard (ESP), and ArcSight (acquired by HP). Maloney is also a decorated veteran of the U.S. Air Force.
