The Art of InfoSec – Chapter 1

As we move through the Sunzi (Sun Tzu), the goal is to find the aspects of each chapter that most clearly map onto our InfoSec/CTI ideas, not to do an exhaustive analysis of every line or to stretch the analogy. While we’re primarily focused on the InfoSec/CTI aspects, it should be noted that the same analysis yields results for either hacking or pen-testing. That is, a proper assessment of the ideas requires us to think from both the offensive and the defensive side.

The first Chapter of the Sunzi deals with the basic idea of understanding the role of war and assessing military engagement.

Sunzi begins:

War is a vital matter of the state. It is the field on which life or death is determined and the road that leads to either survival or ruin, and must be examined with greatest care.[1]

As to the vital nature of security, that seems to be a foregone conclusion in the InfoSec field. While the economic costs of hacks are still fairly uncertain, companies incur the costs of the post-mortem analyses and reconstruction, followed by largely self-inflicted costs – depending on the nature of the business. For some companies, however, the hack may be the end, either by loss of public confidence or loss of contracts, or both. One would expect that companies like OneLogin will have a difficult – if not impossible – time recovering from the hack, given the nature of the services they provide.


Therefore, to gauge the outcome of war we must appraise the situation on the basis of the following five criteria, and compare the two sides by assessing their relative strengths. The first is the way (tao), the second is climate, the third is terrain, the fourth is command, and the fifth is regulation.

The way (tao) is what brings the thinking of people in line with their superiors.[2]

There are two ways to understand this notion within InfoSec: 1) bringing the thinking of the organization in line with the security aspects of the organization; and 2) bringing the thinking of the security aspects in line with the functional realities of the organization. While these two positions may seem to be at odds, another way of understanding this requirement is in terms of making sure the organization is working as a unified whole, headed in the same direction, and not working at cross purposes. Thus, the security element will do the most with what it has, and the organization will fall in line with the security assessments and requirements; for example, not introducing rogue devices onto the company network, or not entrusting their login information to third-party vendors.

We can also consider “bringing of thinking in line” as a way of effectively governing/running the organization, so that the focus that goes into maintaining security does not diminish over time. On the flip side, for hackers, wearing down defenses is a great avenue of attack – making you open that email or attachment by making you lose focus on security.


Climate is light and shadow, heat and cold, and the rotation of the seasons.

Terrain refers to the fall of the land, proximate distances, difficulty of passage, the degree of openness, and the viability of the land for deploying troops.[3]

To keep from stretching the analogy, we will combine these two criteria into a single point. Climate and terrain map fairly well onto a holistic understanding of the security environment, including elements like network topology, OS use, firewalls, proxy servers, physical access security, etc. Without a clear understanding of what vulnerabilities lurk in our security, we cannot adequately account for them. Note that this means that outsourcing security makes us ignorant of a crucial part of Sunzi’s assessment: we do not know the climate and terrain of our own security because it is not, in fact, our own.


Command is a matter of wisdom, integrity, humanity, courage, and discipline.[4]

From this point forth, “command” and “commander” refer strictly to the InfoSec element of the organization, and particularly to the heads of those departments. This part of the assessment deals with the question of the qualification of the department head – i.e. how good is your general? While the specifics of the qualities listed above will be clarified and demonstrated in later chapters, we can already glimpse some of their meaning. For example, the question of humanity refers to the treatment of subordinates, which ends up translating into the kind of practices that enable the hiring and development of the best available talent, as opposed to ending up with another run-of-the-mill InfoSec department – where the only thing between you and a hack is the interest of the hackers.


And regulation entails the organizational effectiveness, a chain of command, and a structure for logistical support.[5]

The last criterion seems to map directly onto the InfoSec environment. However, there is more here than meets the eye. Organizational effectiveness and logistical support are also an aspect of the tao, as is the chain of command – which is also an aspect of command. Additionally, logistical support has two separate elements at play, which will become more apparent in later chapters,[6] but which we can generally divide into internal and external categories – i.e. organizational structure and CTI.

Without some form of CTI, the organization and the commanders are left in the dark about the threats and nature of threats they face. Unless there exists a solid structure of CTI logistical support, the commanders will be unable to fully realize their skills and act to respond to the issue – rather than reacting to it after the hack.


All commanders are familiar with these five criteria, yet it is he who masters them who takes the victory, while he who does not will not prevail.[7]

If you’ve been feeling like this portion has not introduced you to anything you do not already know, Sunzi agrees! The criteria are not some magical new approach; they are the core that all people in the field know (or should know). He introduces them anyway, but lays the stress not on knowing the criteria, but on their mastery. That is to say, knowing is different from being. Many students know what to do to get the most out of a course and master the subject, but only the exceptional few embody that knowledge and become the kind of people who actually master the subject – and they’re the ones who end up on top.

The path to mastery is the subject of the rest of the book, as Sunzi presents us with the actions and thought processes of an ideal commander.



[1] Sun Tzu “The Art of Warfare.” Tr. Roger T. Ames. In The Book of War. Ed. Caleb Carr. New York: The Modern Library, 2000. Pg. 73.

[2] Ibid.

[3] Ibid.

[4] Ibid.

[5] Ibid.

[6] Specifically Chapter 13: Using Spies, but also as an implication of proper command throughout the text, in reference to Zhi and Shi.

[7] Sun Tzu. “The Art of War.” Pg. 73.