Cybersecurity may feel like something new and special, but it’s merely a new application of concepts the world has seen countless times before. Today, security teams can apply ancient lessons from the battlefield to strengthen their cybersecurity programs. Five key principles from Sun Tzu’s The Art of War hold wisdom today.
Applying Sun Tzu’s Principles of Warfare to Modern Cybersecurity
The Art of War by Sun Tzu is considered one of the most influential and enduring classics on military strategy. This ancient Chinese text has guided generals and leaders for over 5000 years, despite dramatic changes in the nature of warfare over the centuries.
As we enter a new era of warfare, fought with bits and bytes over computer networks, many of Sun Tzu’s core principles maintain their relevance.
Principle 1: Focus On Victory
Sun Tzu emphasized the critical importance of having a clear vision of victory before engaging in war. Without defining what victory means for that specific conflict, it is impossible to achieve a victorious outcome. You end up blindly swinging your sword rather than executing a purposeful strategy.
This lesson applies directly to cybersecurity. Before implementing controls or selecting security tools, we need to define what victory means for our specific organization. What does a “win” look like? Some key steps toward this definition:
- Create a vision statement for the security team – This gives your program meaning, grounds it in ideals bigger than any individual, and defines a destination to rally behind. Having a clear vision facilitates everything from recruiting talent to selecting technologies. It provides long-term direction.
- Discuss acceptable losses and risk thresholds with leadership – No war ever avoids casualties, and cybersecurity is no different. We need to frankly discuss with boards and executives how much disruption the organization is willing to tolerate in pursuit of its business goals. This is where concepts such as risk capacity help us establish parameters for victory. Perhaps 10% revenue loss in a year is acceptable, but 20% the organization could not recover from. Defining these thresholds allows you to prioritize and justify security investments.
- Educate all staff on victory and how they contribute – Getting broad buy-in is key. Staff must see how their daily actions map to achieving the defined victory for the organization. Create internal marketing campaigns, training programs, and other ways to engage employees with security imperatives built around your victory definition. This facilitates coordination and promotes appropriate corporate governance.
Principle 2: Know Yourself, Know Your Enemy
A key Sun Tzu principle is understanding yourself and your enemy. In cybersecurity, “knowing yourself” equates to comprehensively understanding your assets, capabilities, and the threats you face. Let’s break it down:
- Know your revenue – Every organization in the world exists because it can generate revenue, so it is vital that we protect it. Follow the money trails that attackers aim to disrupt, from customer transactions to supplier relationships. Meet with Finance to map out your revenue cycles and business model. It’s a sad reality that many security leaders are not financially literate, and it must change.
- Know your capabilities – Have clarity on where you can visibly detect threats, technically disrupt attacks in progress, and rapidly recover normal operations after an incident. No, your capabilities are not just the tools you bought from vendors in the Magic Quadrant; they are the outcomes you can drive with your collective people, processes, and technologies.
- Know your enemy’s capabilities – You can’t defend against everything. Take time to understand what types of adversaries are most likely to target your organization. Then understand what tactics, techniques, and procedures (TTPs) they are most likely to use in an eventual attack.
- Focus on the intersection – Every war is won and lost at the intersection of capabilities, where one party can drive an outcome the other cannot stop. This is where frameworks such as MITRE ATT&CK allow you to map and compare your capabilities against those of your adversaries. Which techniques can your adversary use that you cannot detect, disrupt, or recover from?
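The "intersection" analysis can be made concrete as a small coverage calculation. The following is an added example, not code from the article or from MITRE: it takes a set of adversary profiles (which ATT&CK techniques each likely adversary uses, with a relative weight) and a defender coverage matrix (which of the three outcomes, detect, disrupt, recover, the program can deliver per technique), and lists the techniques where an adversary has a capability the defender cannot counter, ordered by adversary interest. The technique IDs are genuine ATT&CK identifiers, but the adversary profiles, weights, and coverage matrix are constructed sample data for illustration only.

```python
"""Capability-intersection analysis in the spirit of Principle 2.

Added example. Technique IDs are real ATT&CK IDs; the adversary profiles,
weights and the coverage matrix are constructed sample data, not any real
organization's or threat actor's data.
"""
from dataclasses import dataclass

# The three outcomes the article asks about for each technique.
OUTCOMES = ("detect", "disrupt", "recover")


@dataclass(frozen=True)
class Technique:
    tid: str
    name: str
    tactic: str


# Small technique catalogue (constructed subset of ATT&CK).
CATALOGUE = {
    "T1566": Technique("T1566", "Phishing", "Initial Access"),
    "T1078": Technique("T1078", "Valid Accounts", "Persistence"),
    "T1486": Technique("T1486", "Data Encrypted for Impact", "Impact"),
    "T1021": Technique("T1021", "Remote Services", "Lateral Movement"),
    "T1190": Technique("T1190", "Exploit Public-Facing Application", "Initial Access"),
    "T1048": Technique("T1048", "Exfiltration Over Alternative Protocol", "Exfiltration"),
}

# Adversary profiles: technique -> relative likelihood of use against this
# organization (constructed, hypothetical weights in [0, 1]).
ADVERSARIES = {
    "ransomware-affiliate": {"T1566": 0.9, "T1078": 0.8, "T1021": 0.7, "T1486": 0.9},
    "opportunistic-webapp": {"T1190": 0.8, "T1078": 0.4, "T1048": 0.6},
}

# Defender coverage: outcomes the program can actually deliver per technique,
# judged on people, process and technology together (constructed).
COVERAGE = {
    "T1566": {"detect", "disrupt", "recover"},
    "T1078": {"detect"},
    "T1486": {"recover"},
    "T1021": set(),
    "T1190": {"detect", "disrupt"},
    "T1048": set(),
}


def techniques_in_use() -> set:
    """Union of all techniques any modelled adversary is likely to use."""
    return set().union(*(profile.keys() for profile in ADVERSARIES.values()))


def adversary_interest(tid: str) -> float:
    """Aggregate adversary interest in a technique (sum of profile weights)."""
    return sum(profile.get(tid, 0.0) for profile in ADVERSARIES.values())


def missing_outcomes(tid: str) -> tuple:
    """Outcomes the defender cannot deliver for this technique."""
    return tuple(o for o in OUTCOMES if o not in COVERAGE.get(tid, set()))


def capability_gaps() -> list:
    """(tid, interest, missing_outcomes) for every technique an adversary is
    likely to use that the defender cannot fully detect, disrupt and recover
    from; highest adversary interest first, ties broken by technique ID."""
    gaps = []
    for tid in techniques_in_use():
        missing = missing_outcomes(tid)
        if missing:
            gaps.append((tid, round(adversary_interest(tid), 2), missing))
    gaps.sort(key=lambda g: (-g[1], g[0]))
    return gaps


def coverage_by_outcome() -> dict:
    """Fraction of adversary-used techniques covered, per outcome."""
    used = techniques_in_use()
    return {
        o: round(sum(o in COVERAGE.get(t, set()) for t in used) / len(used), 2)
        for o in OUTCOMES
    }


if __name__ == "__main__":
    print("Coverage by outcome:", coverage_by_outcome())
    for tid, interest, missing in capability_gaps():
        t = CATALOGUE[tid]
        print(f"{tid} {t.name} [{t.tactic}] interest={interest} missing={missing}")
```

The ranked output is the prioritized list the paragraph asks for: "Valid Accounts" tops it because two adversaries rely on it and the program can only detect, not disrupt or recover from, its abuse. In practice the profiles come from threat intelligence and the coverage matrix from honest testing (purple-team exercises, restore drills), not from a vendor's feature list.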
Principle 3: Know Your Allies
In the complex conflicts of today, victory is rarely achieved alone. It is coalition-based. As Sun Tzu noted, wise leaders expand their capabilities by choosing allies and partners judiciously.
Cybersecurity programs similarly need external partners, from vendors to government entities. But these allies must be vetted and selected carefully.
- Do you even need an ally? – Cybersecurity has become so commoditized that we always feel as though we need the latest and greatest *insert newest acronym here* to detect the latest threats. Focus again on your capabilities, and where adding an ally will enable a capability you need that cannot be otherwise economically delivered.
- Come down from the ivory tower – With thousands of vendors and limited budgets, it can often be tempting to focus on the most aggressive sales pitches, variety of “gifts” floating around, or the most entertaining booth demos. Instead, put potential partners through a rigorous, objective evaluation process focused on actual capabilities, not just flashy tools. Democratize the process by involving the whole team as key decision makers and require proof that they can improve your capabilities in meaningful ways.
- Leverage government services – State, local, and federal government entities offer a wealth of cybersecurity resources, information sharing, and coordination – especially for critical infrastructure sectors and small organizations with limited budgets. Do your homework to identify and take advantage of relevant government programs and establish relationships with key officials.
Principle 4: Invest In Coordination
Sun Tzu emphasized the importance of coordinating the entire war effort, from supreme commander down to foot soldiers; everyone has a role. In cybersecurity as well, we cannot isolate security as the domain of one department. It must be woven into organizational culture and business processes. Security leaders must find ways to “enable defense from within.”
- Understand how the organization communicates – Risk registers full of technical scores mean little to business leaders. To enable coordination, use models like FAIR to quantify risks in terms of probable loss, and the financial impact. Demonstrate how security activities mitigate material business risk. This type of approach facilitates better decision making.
- Security responsibilities are part of everyone’s role – Just as restaurant servers follow basic health codes as part of their everyday jobs, if staff see security as an extra activity unrelated to their core role, they will not embed it in their workflows. Partner with your HR department to make security fundamentals part of everyone’s performance expectations.
- Develop relationships with business leaders – Rather than saying “no” to new initiatives, help leaders make fully informed trade-off decisions about cyber risks. Arm them with information and insight about the organization and you’ll stop having to fight for a seat at the table.
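The FAIR item above, and the risk-capacity discussion under Principle 1, both come down to expressing risk as probable loss in money. The following is an added example, not code from the article and not the FAIR standard's own tooling: it applies FAIR's basic decomposition (risk = loss event frequency × loss magnitude) to calibrated low / most-likely / high estimates, computes the closed-form annualised loss expectancy, and runs a Monte Carlo simulation to estimate how often a year's total loss would exceed a board-approved risk capacity such as 10% of revenue. The two scenarios, the revenue figure, and every estimate are constructed sample values, and the PERT-as-scaled-Beta sampling is a modelling choice of this example.

```python
"""FAIR-style loss quantification with a risk-capacity check.

Added example, not from the article or the FAIR standard. Scenarios, revenue
and all estimates below are constructed sample values, not real data.
"""
import math
import random
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class Estimate:
    """Calibrated low / most-likely / high estimate (PERT-style)."""
    low: float
    likely: float
    high: float

    def mean(self) -> float:
        # Standard PERT expected value.
        return (self.low + 4 * self.likely + self.high) / 6

    def sample(self, rng: random.Random) -> float:
        # PERT as a scaled Beta distribution; its mean equals self.mean().
        span = self.high - self.low
        if span <= 0:  # degenerate point estimate
            return self.low
        a = 1 + 4 * (self.likely - self.low) / span
        b = 1 + 4 * (self.high - self.likely) / span
        return self.low + rng.betavariate(a, b) * span


@dataclass(frozen=True)
class Scenario:
    name: str
    lef: Estimate  # loss event frequency: events per year
    lm: Estimate   # loss magnitude: loss per event, in currency units

    def expected_annual_loss(self) -> float:
        """Closed-form annualised loss expectancy: E[LEF] * E[LM]."""
        return self.lef.mean() * self.lm.mean()


def poisson(rng: random.Random, rate: float) -> int:
    """Knuth's Poisson sampler; adequate for the small event rates used here."""
    limit, k, p = math.exp(-rate), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def risk_capacity(annual_revenue: float, tolerable_fraction: float) -> float:
    """Loss threshold agreed with leadership, e.g. 10% of revenue (Principle 1)."""
    return annual_revenue * tolerable_fraction


def simulate_annual_losses(scenarios: Iterable[Scenario], years: int = 10_000,
                           seed: int = 7) -> list:
    """Monte Carlo: total loss for each simulated year across all scenarios."""
    rng = random.Random(seed)
    scenarios = list(scenarios)
    totals = []
    for _ in range(years):
        total = 0.0
        for s in scenarios:
            events = poisson(rng, s.lef.sample(rng))
            total += sum(s.lm.sample(rng) for _ in range(events))
        totals.append(total)
    return totals


def summarize(scenarios: Iterable[Scenario], annual_revenue: float,
              tolerable_fraction: float, **sim_kwargs) -> dict:
    """Board-level figures: ALE, a tail loss, and the chance of exceeding capacity."""
    scenarios = list(scenarios)
    totals = simulate_annual_losses(scenarios, **sim_kwargs)
    ordered = sorted(totals)
    capacity = risk_capacity(annual_revenue, tolerable_fraction)
    return {
        "ale_closed_form": sum(s.expected_annual_loss() for s in scenarios),
        "ale_simulated": sum(totals) / len(totals),
        "p95_annual_loss": ordered[int(0.95 * len(ordered))],
        "risk_capacity": capacity,
        "p_exceed_capacity": sum(t > capacity for t in totals) / len(totals),
    }


# Constructed scenarios (hypothetical estimates, in arbitrary currency units).
SCENARIOS = [
    Scenario("ransomware on core ERP",
             Estimate(0.05, 0.2, 0.5), Estimate(200_000, 1_500_000, 8_000_000)),
    Scenario("business email compromise",
             Estimate(0.5, 2.0, 5.0), Estimate(5_000, 40_000, 250_000)),
]

if __name__ == "__main__":
    report = summarize(SCENARIOS, annual_revenue=20_000_000, tolerable_fraction=0.10)
    for key, value in report.items():
        print(f"{key:>20}: {value:,.3f}")
```

The closed-form ALE (532,500 for the ransomware scenario, 155,625 for BEC) is what a register of "high / medium / low" scores hides; the `p_exceed_capacity` figure is the number a board can act on, because it answers the question from Principle 1 directly: how likely is a year in which losses exceed what the organization agreed it could absorb? Re-running `summarize` with a control's expected effect on LEF or LM turns a security investment into a measured reduction of that probability.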
Principle 5: Avoid Losing
Sun Tzu advised military leaders to avoid obvious strategic and tactical mistakes that hand easy advantages to the enemy. Cybersecurity programs should similarly focus on core incident response capabilities and fixing basic security gaps, rather than only striving for impenetrable prevention.
- Remediate the easy wins – Legacy systems past support, cloud misconfigurations, unprotected privileged accounts, etc. are prime targets that even the lowest skilled actor can exploit. As Brandon Swafford likes to say, “make secure boring again”. Don’t hand out easy advantages. Render the basic stuff as secure as possible.
- Hone detection, response, and recovery capabilities – The reality is breaches will occur. Limit damage and business disruption through solid IR capabilities that quickly detect intruders, expel them, and restore normal operations. Actually practice your response plans; you don’t want to be learning them during a live incident.
- Promote a culture of resilience – Expect setbacks when engaging in “cyber warfare”, but remain confident in your ability to recover from them. Avoid the culture of defeatism that is currently plaguing our industry and focus on how we can continuously evolve our defense.
With a clear vision of victory, knowing yourself and your enemies, trusted allies, organization-wide engagement, and avoiding losing, The Art of War provides a timeless blueprint for success in any warfare domain, even those Sun Tzu never could have imagined.
Michael Meis
Michael Meis is the Founder of Kelevra and ACISO at The University of Kansas Health System.