Cybersecurity Lessons from Sun Tzu’s “The Art of War”

Share This Article

According to legend (or fact, depending on who you believe), Sun Tzu was a Chinese general, writer and strategist that lived in the 5th or 6th century B.C. He is credited as the author of The Art of War, a book on military strategy that has also been adapted for use in the business world.
Many of the lessons in the book focus on alternatives to battle, such as using strategy, confusion and deceit, and most important to cybersecurity, thinking like the enemy, to understand and ultimately defeat an opponent.
Here are several lessons from The Art of War and how they apply to cybersecurity.

“The greatest victory is that which requires no battle.” 

If you suffer a cyber-attack, you are engaged in battle. You will be fighting an unseen foe that has either stolen your intellectual property, trade secrets, sensitive customer data, or financial and banking information, or has locked you out of your IT systems and ransomed your data. Your choices: fight and regain control of your systems and data or surrender and pay a ransom.

The Lesson: Being prepared against cyber-attacks is better than having to fight the battle because whether you fight or surrender, it is going to be expensive.

“In the midst of chaos, there is also opportunity.”

A cyber-attack produces chaos and shows the weak spots in your security, but in the heat of battle, there is no time for introspection. A better strategy is to simulate chaos with a “virtual cyber-attack.” These are called table top exercises, and they provide the opportunity to learn about security vulnerabilities and to make needed improvements. During these table top exercises, security problems can be identified and changes implemented, without the chaos of battle.

The Lesson: Simulating a cyber-attack can expose security weaknesses so that changes can be implemented.

“Attack is the secret of defense; defense is the planning of an attack.”

“Don’t think like a castle, think like an invader.” In order to defeat a cybercriminal, you need to think like one. Every castle can be breached, just like every security system can be breached. Instead of focusing on what keeps you safe, focus on finding the weaknesses in your protection by thinking like a cybercriminal. They are relentless and will find any exploitable crack in your castle wall to gain entry. Be proactive: digital forensics with vulnerability scans and penetration testing can help you find it before they do.

The Lesson: Thinking like the enemy allows you to see your cybersecurity through their eyes in order to find your weakness and fix it.

“If ignorant both of your enemy and yourself, you are certain to be in peril.”

This takes the last lesson to the extreme. Not understanding what security you have in place, what’s its strengths and weaknesses are, and not understanding how your enemy can (and will) attack you guarantees that eventually, you will suffer a security breach.

The Lesson: It’s important to be aware of not just your enemy, but yourself as well. Your defenses help determine if your enemy will attack, and if they do, what offense they will use against you.

“Plan for what is difficult while it is easy, do what is great while it is small.”

With cybersecurity, the best plan is always action, not reaction. Your company should have an incident response plan in place, have developed and documented security policies, be constantly monitoring technology assets for suspicious activity, and respond to threats as they occur. Acting before a cyber-attack happens is more effective, less expensive, and easier to recover from than waiting until a breach happens to put a plan together.

The Lesson: An ounce of prevention is better than a pound of cure. 

“The opportunity to secure ourselves against defeat lies in our own hands.”

This lesson from The Art of War sums it up perfectly – it is up to each company, each organization, and each individual to protect themselves against cybercriminals because they are the enemy in the war on cybersecurity. If you’d like to have a confidential conversation with one of our cybersecurity experts to improve your security posture, simply complete the form below – we’re here to help!
Are you confident in your current cyber risk strategy and execution?

Fortress helps mitigate cyber risk by helping organizations optimize the performance of their people, processes, and technology. Offering a robust co-managed solution to enhance an internal IT team’s capability, capacity, and focus, Fortress features a full suite of managed security services plus specialized services like M&A cyber due diligence, insider threat detection, Cybersecurity-as-a-Service, and proactive digital forensics. Fortress supports companies with both domestic and international operations.