How to apply Sun Tzu’s ‘The Art of War’ to cybersecurity

Some of the world’s most successful cybersecurity experts and professionals have embraced Sun Tzu’s “The Art of War” for its themes and guidance on how to prepare for and manage conflict. Much of it focuses on how to outsmart opponents without engaging in battle. It is more relevant now than ever, as the major cyberattacks of the past year demonstrate that adversaries arguably have the upper hand.

Most organizations are more susceptible to compromise because they fail to understand what they are actually protecting. Unless a chief information security officer's (CISO) tenure predates the inception of computing at a company, they are inheriting its established security programs and concepts. Many CISOs are hesitant to make significant changes early on to avoid disruption. This is problematic because a security program built on an unstable foundation ultimately leads to erosion and leaves a company ill-prepared for conflict.

Although it was published nearly 3,000 years ago, the lessons found in “The Art of War” can help today’s security leaders establish core security tenets to minimize the opportunity for compromise. Applying the Sun Tzu approach to cybersecurity gives organizations the awareness of what to look for, what vulnerabilities create the most risk, and how to implement the appropriate incident response procedures.

While nearly all of the treatise’s principles apply to cybersecurity, focusing on the following three will deliver a significant impact when it comes to leveling the battlefield.

“Know thy self, know thy enemy.”

This principle relates to the importance of preparation, which begins with identifying business-critical assets and understanding and prioritizing risk.

A net-new CISO must spend their first 3-6 months developing a detailed comprehension of the business and asking difficult introspective questions. This means auditing every function of the company, such as sales and manufacturing processes, operations, and how different groups and organizations communicate to clearly understand the “crown jewel” data most important to the business.

Rigorously analyzing the business will uncover potential gaps and blind spots in the security architecture that require further attention and augmentation. This will also reveal if the company’s approach to security has been to establish a secure foundation and build upon it or merely check the boxes from a compliance standpoint.

Once the CISO understands gaps in the security architecture, the next component of “know thy self” is working with the board and executive team to arrive at a collective understanding of what risks are most concerning. Security is measuring risk with business continuity in mind. Finding out what keeps the company’s leadership up at night helps the CISO prioritize their efforts based on the organization’s level of risk tolerance.

There is no universal approach to risk tolerance because each business has a set of unique circumstances and a different mission. This makes alignment between the leadership and security teams crucial because executive and board priorities will vary based on the company’s mission, as will the assets a CISO is charged with protecting.

With the “know thy self” foundation in place, security leaders are in a better position to “know thy enemy.” It provides companies with a basis to classify the adversaries most likely to target them. For example, a government entity securing classified information on sensitive assets that are going to operationalize an intelligence community is likely most concerned with state-sponsored attackers whose motives are likely espionage or disruption of capabilities. Cybercriminals are generally monetarily focused and would be of primary concern to a financial services provider, retailers or others that deal with large numbers of financial transactions. Then there is always the low-hanging fruit, any organization with an immature security posture can be susceptible to those who opportunistically exploit any vulnerability they can find.

“Tactics without strategy is the noise before defeat.”

Unfortunately, in this day and age, compromise is inevitable. How a business responds to incidents is what will determine its cyber resiliency. According to Sun Tzu, attempting to implement a solution without a plan of action is a recipe for disaster. Most cybersecurity leaders divide their attention between developing a fundamental strategy for their organization and deploying the latest detection and prevention solutions that claim to deliver complete protection. This leads to gaps in the security posture and an eventual compromise from something simple or simply overlooked, like a weak and reused password without multi-factor authentication.

No amount of technology can overcome the absence of a well-developed incident response plan. Cybersecurity investigations are the most critical component because they provide the necessary context and information for remediation. Chasing the latest shiny object leads to tool bloat, which results in inefficient investigations, longer mean time to respond, and more time for adversaries to dwell in an environment and move laterally to aggregate and exfiltrate data.

CISOs should focus on the end-to-end observability of their security postures and build efficiency into their investigations. This enables organizations to rapidly identify the scope and impact of a breach and generate a high-confidence outcome that confirms that the incident is benign, minimal, or severe - and more quickly begin taking the appropriate response actions to contain the breach and identify its origin. The average time to detect and contain a data breach caused by a malicious actor is 315 days. However, organizations that contain a breach in less than 200 days save an average of $1.12 million compared to those that do not.

“Subdue the enemy without fighting.”

Sun Tzu argues that the best tacticians are those who can control situations through intelligence and leverage information to dictate the choices of their adversaries. Once an organization establishes a complete understanding of its attack surface, it can deploy security controls that protect critical assets.

Security teams need to use the proper protocols to set an activity baseline, ensuring analysts can determine outliers and identify critical access infiltration. This also allows SOC teams to enhance detection and monitoring processes by quickly identifying when things are awry to mitigate further attacks and attack methods.

If security leaders already “know thy enemy,” these processes enable them to learn their adversaries’ capabilities and the techniques enemies will use to infiltrate their environments. Once a security team ascertains this information, it can run these scenarios on its own attack surface to prepare. From here, organizations can strengthen their preventative measures and eradicate dormant assets from their ecosystems that could weaken the security posture. Threat actors only need to be successful once in their attempts to cause significant disruption, so it is incumbent upon the CISO to remain diligent in gathering and leveraging this intel.

Cybersecurity is a lifecycle that is constantly evolving, and there is not a single one-size-fits-all approach. Organizations must take what they learn from each incident, investigation, and practice mission to fortify their foundation. This is not a one-time operation but rather a continuous preparation loop that helps minimize the chance of future compromise. Taking lessons from “The Art of War,” the more a CISO and the security team can do to not overlook the entire strategy of the program, the more secure the organization will be.

ON DEMAND: Business-impacting events such as severe weather, man-made disasters, and supply chain disruption are increasing in frequency and making impacts around the globe.

In today's rapidly evolving security landscape, organizations face an ever-growing array of disruptive events, security threats and risks. Traditional reactive approaches to security intelligence often leave businesses vulnerable and ill-prepared to anticipate and mitigate emerging threats that could impact the safety of their people, facilities or operations.