“If you know the enemy and know yourself, you need not fear the result of a hundred battles.” – Sun Tzu
During graduate school at the United States Naval War College, I studied military philosophy, military strategists, and leadership on the battlefield. Today, as I look at the cyber landscape, I see many similarities between the decisions made on the battlefield and the decisions made in the C-Suite.
Similar to a commander in battle, the modern executive is asked to minimize risk, stay one step ahead of the adversary, and make crucial decisions—sometimes with limited insight. To make matters worse, an executive must also consider strategic business priorities, competitive pressures, and the rapidly changing technology landscape. It’s a daunting task, but one that becomes more manageable when executives start with the right questions. For example:
Unfortunately, many executives don’t ask these probing questions. Instead, they throw the kitchen sink at a threat they don’t fully know or understand. Will the attack come in the back, front, or side door? Or, does the threat reside within? Executives should pause, get back to some basics, and ask the right questions before committing precious resources. As the old saying goes, “don’t send a battalion to take a hill when a regiment will do the job.”
The great military theorist Sun Tzu once said, “If you know the enemy and know yourself, you need not fear the result of a hundred battles.” However, “If you know yourself but not the enemy, for every victory you gained you will also suffer defeat.” And, finally, “If you know neither the enemy nor yourself, you will succumb in every battle.”
Applying this military philosophy in the cybersecurity domain and the boardroom is quite simple. Executives should identify their key vulnerabilities, their risk profile, and the latest information about external threats. Only then can they move forward with a strategy that informs decisions about financial planning, cyber defenses, risk mitigation, and business continuity.