Nation-states, cyber criminals, and cyber terrorists may have different objectives, but they now share their code, techniques, and information to attack U.S. industries. Their collaborative efforts have the potential to undermine the backbone of our critical infrastructure and economy. With cyber threats rapidly increasing in number and complexity, leading executives face more pressure than ever to protect their corporate assets.
“If you know the enemy and know yourself, you need not fear the result of a hundred battles.” – Sun Tzu
During graduate school at the United States Naval War College, I studied military philosophy, military strategists, and leadership on the battlefield. Today, as I look at the cyber landscape, I see many similarities between the decisions made on the battlefield and the decisions made in the C-Suite.
Similar to a commander in battle, the modern executive is asked to minimize risk, stay one step ahead of the adversary, and make crucial decisions—sometimes with limited insight. To make matters worse, an executive must also consider strategic business priorities, competitive pressures, and the rapidly changing technology landscape. It’s a daunting task, but one that becomes more manageable when executives start with the right questions. For example:
- How likely is my company to suffer a loss?
- How can different security options reduce my expected losses, and at what cost?
- How are known threats impacting my system?
- Where do my corporate assets actually reside, and how do they contribute to my overall risk profile?
- How can I strategically prioritize my resources (people, tools, processes) where they will have the most impact?
Unfortunately, many executives don’t ask these probing questions. Instead, they throw the kitchen sink at a threat they don’t fully know or understand. Will the attack come in the back, front, or side door? Or, does the threat reside within? Executives should pause, get back to some basics, and ask the right questions before committing precious resources. As the old saying goes, “don’t send a battalion to take a hill when a regiment will do the job.”
The great military theorist Sun Tzu once said, “If you know the enemy and know yourself, you need not fear the result of a hundred battles.” However, “If you know yourself but not the enemy, for every victory you gained you will also suffer defeat.” And, finally, “If you know neither the enemy nor yourself, you will succumb in every battle.”
Applying this military philosophy in the cybersecurity domain and the boardroom is quite simple. Executives should identify their key vulnerabilities, their risk profile, and the latest information about external threats. Only then can they move forward with a strategy that informs decisions about financial planning, cyber defenses, risk mitigation, and business continuity.