What does Sun Tzu have to do with Information Security?

I expect that some of you asked this question after reading the teaser headline. While not the only treatise on military strategy, The Art of War does offer relevant insights that can be applied to our field. This is the first installment of a weekly series exploring the Sun Tzu paradigm. This week we will discuss the concepts of invincibility and vulnerability.

“Invincibility is in oneself, vulnerability is in the opponent” – Sun Tzu

Dictionary.com defines invincibility as being “incapable of being conquered, defeated, or subdued.” In the context of The Art of War, this is accomplished through self-defense. Individual self-defense requires awareness of one’s tactical and strategic strengths and vulnerabilities. Once this awareness is developed, one projects the image that reduces the risks created by potential opponents. While different in scope, this model is applicable to a corporation.

Dictionary.com defines vulnerability as being “capable of or susceptible to being wounded or hurt, as by a weapon.” Interestingly, this is viewed as being a function of the opponent. This perspective seems inaccurate until you consider that vulnerabilities are discovered when a system is viewed from the perspective of an attacker. It is difficult to see the vulnerabilities in a process or system through the eyes of a user.

So how do I apply this to my environment? In practice, it is unrealistic to build an invincible security plan for your organization. However, there are things that can increase the attack costs for potential attackers.

Give your employees a stake in the business. On 3/15 I will post a discussion on business-case centered security awareness training. Your team must understand the value of security to the success of the business and know they are enabled to act to ensure that success.

Understand the core competencies of the business and how your IT infrastructure supports them. This will allow you to connect security investment to business goals. Learn to view security risk from a business risk perspective.

View the organization from an attacker’s perspective. Now that you understand the value of your assets, put yourself in the shoes of someone who wants to control or disrupt those assets. This will allow you to identify process and IT vulnerabilities that could be exploited.

Finally, encourage a movement towards tactical and strategic agility. The threats that face your organization are evolving. These threats may take the form of physical, cyber, or competitive threats that don’t currently exist. You must be ready to identify and prepare for those threats.

What are your thoughts on the implications of what Sun Tzu has to say? Next week I will discuss how invincibility and vulnerability apply in the context of cyber warfare. According to Sun Tzu, victory cannot be manufactured. It can only be discerned. Feel free to explore this statement between now and next week!

Works cited: “The Illustrated Art of War” translated by Thomas Cleary