What does Sun Tzu have to do with Information Security?
I expect that some of you asked this question after reading the teaser headline. While not the only treatise on military strategy, it does offer relevant insights that can be applied to our field. This is the first installment of a weekly series exploring the Sun Tzu paradigm. This week we will discuss the concepts of invincibility and vulnerability.
"Invincibility is in oneself, vulnerability is in the opponent" - Sun Tzu
Dictionary.com defines invincibility as being "incapable of being conquered, defeated, or subdued." In the context of The Art of War, this is accomplished through self-defense. Individual self-defense requires awareness of one's tactical and strategic strengths and vulnerabilities. Once this awareness is developed, one projects the image that reduces the risks created by potential opponents. While different in scope, this model is applicable to a corporation.
Dictionary.com defines vulnerability as being "capable of or susceptible to being wounded or hurt, as by a weapon." Interestingly, this is viewed as being a function of the opponent. This perspective seems inaccurate until you consider that vulnerabilities are discovered when a system is viewed from the perspective of an attacker. It is difficult to see the vulnerabilities in a process or system through the eyes of a user.
So how do I apply this to my environment?
In practice, it is unrealistic to build an invincible security plan for your organization. However, there are things that can increase the attack costs for potential attackers.
- Give your employees a stake in the business. On 3/15 I will post a discussion on business-case centered security awareness training. Your team must understand the value of security to the success of the business and know they are enabled to act to ensure that success.
- Understand the core competencies of the business and how your IT infrastructure supports them. This will allow you to connect security investment to business goals. Learn to view security risk from a business risk perspective.
- View the organization from an attacker's perspective. Now that you understand the value of your assets, put yourself in the shoes of someone who wants to control or disrupt those assets. This will allow you to identify process and IT vulnerabilities that could be exploited.
- Finally, encourage a movement towards tactical and strategic agility. The threats that face your organization are evolving. These threats may take the form of physical, cyber, or competitive threats that don't currently exist. You must be ready to identify and prepare for those threats.
What are your thoughts on the implications of what Sun Tzu has to say?
Next week I will discuss how invincibility and vulnerability apply in the context of cyber warfare. According to Sun Tzu, victory cannot be manufactured. It can only be discerned. Feel free to explore this statement between now and next week!
Works cited: "The Illustrated Art of War" translated by Thomas Cleary