The Art of War for CIO - 5 Key Artefacts of an effective Corporate Cyber Defense Doctrine

Our governments, enterprises and critical infrastructures are becoming increasingly dependent on IT in cyberspace. Refined, stealthy and persistent cyberattacks mainly focused on cyber resources and organizational infrastructures are increasingly urging the need for an efficient and effective Cyber Defense for our IT systems and for those who depend on them.

How to Capture, Create and Deliver Business Value with IT, in a Secure, Reliable, Cost Effective and Simple Manner?

The foremost reason that the current approaches are failing to help businesses improve their cybersecurity is that they fail to understand or address cybersecurity factors at macro, meso and micro level in cyberspace. Another important reason is that the most approaches neglect human factors in the security chain. The security chain is as strong as the weakest link in it and humans are the weakest link of an organizations security chain.

CIO’s Challenges and Sun Tzu’s Wisdom

Sun Tzu is said to have been a military genius who, after writing
The Art of War, secured an audience with the king of Wu and was subsequently made a military general. General Sun defeated the neighbouring Kingdom of Ch’u, invaded another kingdom, and intimidated two other nearby rivals, thus securing Wu’s Diplomatic, Intelligence, Military, Political and Economic interests in the region.

Sun Tzu noted that military commanders who knew both themselves and their adversaries would not be imperilled in one hundred battles, but that those who knew only themselves or knew only their enemies would prevail only half of the time. Even worse, Sun Tzu predicted that those leaders who knew neither themselves nor their opponents would be in danger during every battle.

Today’s CIOs face a similar situation. They are mandated with efficiently securing the organization’s political and economic interests with IT while effectively protecting their organizations against cyber threats.

Unfortunately, the conventional business, information security and static risk management practices are no longer appropriate in a rapidly changing world in which system interoperability and information density accompany greatest challenges. Therefore, the major challenge of today’s average CIO is: How to Capture, Create and Deliver Business Value with IT, in a Secure, Reliable, Cost Effective and Simple Manner?

One cannot hope to direct an army or business without a comprehensive identification and understanding of one’s opponents. The array of adversaries that stands between a CIO and his or her cybersecurity objectives can be quite diverse.

Today’s CIOs faces a universe of cyber risks and vulnerabilities in their organizations. The incidents of the last few years have clearly shown how cybercriminals can inflict destruction on our IT infrastructures and threaten our wellbeing.

Foreknowledge of cybercriminals' intentions and capabilities is significant and can enable the CIO to adapt to an ever-changing “battlefield.” Moreover, to efficiently cope with those cyber risks and vulnerabilities, it is indispensable to have deep knowledge and understanding of the internal and external context of your organization. The CIO’s adversaries may be generally divided into two broad groups: external cyber risks and internal cyber risks.

The foundation of every cybersecurity program is the accurate and serene assessment of the organizational purpose, key assets, associated risks, vulnerabilities, and potential impacts to the assets being protected.
Sun Tzu’s “
The Art of War” recognized this some 2500 years ago when discussing how to assess whether or not one could prevail in battle.

Sun Tzu recommended that military generals assess the conditions to determine:

•     Which side can take better advantage of the “Terrain” or operational environment?
•     Who possesses the greater moral authority or “The Way”?
•     Which side can better take advantage of the “Weather” or external influence?
•     Which side has better leaders or managers as in “Leadership”?
•     Which side has a better system of rewarding “Discipline”?
In order to Capture, Create and Deliver Business Value with IT, in a Secure, Reliable, Cost Effective and Simple Manner, the CIO must know both themselves, their organizations and their adversaries. Moreover, in order to enhance Cyber Defense capabilities of our organizations, we should be able to make proper sense of a certain crisis situations, proper communication of its context, duration, impact and taken counter measures.
Moreover, as CIO’s, too, must make cyber risk assessments.

These cyber risk assessments most often include applicable risks, vulnerabilities, and the potential impacts of specified threats to a given business function, facility, key asset or process. We can apply Sun Tzu’s five assessment criteria to the world of the cybersecurity by using the 5 key artefacts: Context (Terrain), Stakeholders (The Way), Intelligence (Leadership) Scenarios (The Weather), and Best Practices (Discipline).

Artefact 1: Context “Terrain”

Sun Tzu noted that military commanders should assess terrain in terms of ease or difficulty of travel (Cleary). Terrain, in this context, refers to the field of battle or conflict. CIOs can use the term
terrain as follows:

•     Operational environment
•     Organizational risk tolerance
•     Historical and cultural factors
Operational Environment
Understanding the operational environment of a department or organization is critical to assessing the terrain. The operational environment can include the structure and mission of the organization. The available resources (key assets), internal political clout, policies, procedures, and a host of other factors that will influence how things get accomplished.

Organisational Risk Tolerance

Some element of risk is inherent in both life and business. Knowing an organization's or department’s level of tolerance to identified risks is important to assessing the terrain.

Historical and Cultural Factors

The historical and cultural background of a department or organization is of critical importance to the assessment of terrain. Just as people’s behaviour is significantly influenced by personal background and culture, so, too, is the behaviour of organizations.

In summary, defining a playfield is the basic imperative of creating a comprehensive understanding of the context of a certain situation. It also helps timely recognizing cyber risks and vulnerabilities that could become a threat. Moreover, how earlier a threat is recognized thus the higher the likelihoods that escalations could be averted. Furthermore, we also need to comprehend the theory behind the methods and tools used by cybercriminals. Through understanding the theory, we can revise our Tactics, Techniques and Procedures to effectively defend our organizations against those cybercriminals.

Artefact 2: Stakeholders (The Way)

The Way indicates the overall character, sense of mission, or urgency with which an organization inculcates its employees. When senior management provides the employees with a sense of grand organizational objectives, employees are more likely to feel they are part of something bigger than themselves and thus will go the extra mile to accomplish the mission with a sense of urgency.

To identify strategic key stakeholder and intelligence sources for making key decisions, it is compulsory to first practice, process, reflect and verify gathered cyber threat information. It is also very important to imbed a structure that enables the contributions to the sufficient awareness of the Cyber Defense team. Moreover, by identifying the key stakeholders, we can timely make critical decisions and can decide accurately which stakeholders should be informed and or engaged in case of a cyberattack and its severity.

Artefact 3: Scenarios (Weather)

In the context of Sun Tzu’s
Art of War, weather literally meant weather or seasons. In our context as CIOs, the term weather refers to external conditions or scenarios that influence the behaviour of our own group and/or that of our adversaries. It is important to remember that often these conditions, by themselves, affect both sides in a conflict equally. When assessing “weather” conditions, the CIOs observations are based on the context of the particular situation. Some external factors that could impact the mission may include:

·     Market conditions
·     Regulatory climate
·     Public relations issues
·     External political, religious, and other controversial issues important related to the context of your organization

The context is relentlessly shifting and new threats and vulnerability arise each day. Scenarios can help us prepare a hypothesis and we then can decide on the appropriate course of action to continue based on the overall

Cyber Defense outline of the company. The practice of Cyber Defense is a continuing iterative procedure that must be repeated periodically. The decision outcomes will most properly fall into one of the next four risk classes:

•     Risk Assumption - accept risk, continue operating
•     Risk Avoidance - avoid the risk by eliminating the risk cause and/or consequence
•     Risk Limitation - limit the risk by assigning controls that minimize the impact
•     Risk Transference - transfer the risk by using other options to compensate for the loss

Artefact 4: Intelligence (Leadership)
Leadership in Sun Tzu’s time and leadership today are not all that different. Whilst it is true that the stakes of leading soldiers into battle are significantly higher than leading a business, the concepts of leadership are remarkably similar. Sun Tzu indicated that successful leaders must be intelligent, courageous, trustworthy and humane (Cleary). The same is true today. Generally, employees do what is expected of and modelled for them. A leader who consistently demonstrates the above referenced qualities will attract the respect of his or her employees, while still keeping the mission focused.

Artefact 5: Best Practices (Discipline)

Sun Tzu noted that the army with the most consistent and understandable system of rewards and punishments was in a better position than the army that was inconsistent or arbitrary in dealing with discipline issues (Cleary). CIOs are reccomended to ask themselves the following questions:

  • Does our organization clearly define and consistently enforce and evaluate policies, procedures and best practices?
  • Does our organization reward people for going above and beyond their normal duties?
  • Do our employees not know what to expect from day to day?

To enhance the organizational learning capability and effective knowledge sharing to improve Cyber Defense, it is essential to frame the incidents associated to a crisis situation into a cohesive root-cause analysis and:

  • Create a well-defined depiction of the crisis situation
  • Organize stakeholders and mobilize a group of specialists who can draw independent conclusions
  • Convey out the learned lessons to key stakeholders to build an informed and cyber resilience organization by adopting and evaluating best practices

Main Takeaways

  1. Define your company's attractiveness to adversaries in cyberspace and identify outside-in cyber threat intelligence
  2. Identify key stakeholders and assets and analyse intelligence sources to produce a reliable and dynamic perception of the uncertainty for successfully practicing scenarios
  3. Identify threat vectors in cyberspace, characteristics of threats and activity per threat type
  4. Determine breach probability rates per threat and type of cyber-attacks and expected loss given successful attack
  5. Build TTP’s based on business impact, risk appetite and resilience per attack type

We help your organisation with
Capturing, Creating and Delivering Business Value with IT, in a Secure, Reliable, Cost Effective and Simple Manner... 

Are you looking for a trusted advisor to help you significantly improve your Cyber Defense? ECRRN helps your organisation develop efficient and effective Cyber Defense Programs. We help you deliver business value and guard your People and Critical Assets. We ensure you quantify and communicate this value to your stakeholders.
Contact us today!

Who we are?
 European Cyber Resilience Research Network (ECRRN) is your trusted partner in protecting and strengthening the “Human Network” of your organisation against Cyber Threats.

What we do? 
We help enterprises with Capturing, Creating and Delivering Business Value with IT, in a Secure, Reliable, Cost Effective and Simple Manner.

How we do it? 
ECRRN provides the following services in order to help your organisation with Defining, Measuring and Improving the efficiency and effectiveness of its Cyber Security Strategy. 

Cyber Resilience 360: A 360 cyber vulnerability assessment of your organization, which can help you to effectively define, measure and improve Cyber Resilience Capability of your Organization

Cyber Risk Advisory: Independent Cyber Risk and Resilience Research Services for CxO’s and Board of Directors to help them gain in depth insights into the Cyber Health of their organization

Tailored SETA: Security Education Training and Awareness Programs
For more information please visit our websites: