The Art of InfoSec – Chapter 10

Chapter ten, The Terrain, provides a wealth of rules regarding technical situations within the physical medium of war. As these are less than pertinent, they will be omitted. Instead, the focus will be on the conclusions drawn from the correct responses, in terms of a commander. Sunzi says:

Strategic positioning (hsing) is an ally in battle. To assess the enemy’s situation and create conditions that lead to victory, to analyze natural hazards and proximate distances – this is the way (tao) of the superior commander. He who fights with full knowledge of these factors is certain to win; he who fights without it is certain to lose.[1]

Sunzi again stresses that knowledge is the key to victory, and the way we have knowledge is by committing resources to information-gathering. However, the mere presence of information is not enough. The commander is supposed to “create conditions that lead to victory” by assessing that information properly – i.e. through a meaningful understanding of how to interpret the data, and how to sift the pertinent from the useless; or perhaps more importantly, to separate out what is meaningful in the moment, and what will be useful later on.

Sunzi concludes:

Thus when one who understands war moves, he does not go the wrong way, and when he takes action, he does not reach a dead end.

Hence it is said:

Know the other, know yourself,
And the victory will not be at risk;
Know the ground, know the natural conditions,
And the victory can be total.[2]

The question of “movement” is a matter of dedicating resources to action – and all organizational movement is an expenditure of resources. Going the wrong way is not merely a waste of resources, it is an investment against a phantom threat, while leaving yourself exposed to the actual dangers and risks. To act without wasted movement is not merely economical, it is existentially crucial.

The Equifax InfoSec team was paid, they did work, resources were invested and spent, man-hours and lives were spent in some kind of work. However, all that work, or the majority thereof, went the wrong way – leaving the organization open to one of the most massive hacks in recent history. The cost of this movement the wrong way has been astronomical.

The lines at the end echo those at the end of chapter 3:

He who knows the enemy and himself
Will never in a hundred battles be at risk;
He who does not know the enemy but knows himself
Will sometimes win and sometimes lose;
He who knows neither the enemy nor himself
Will be at risk in every battle.[3]

Knowing the “other” is a matter of information-gathering, and deep analysis. Knowing yourself is a matter of meaningfully taking stock of one’s own resources, recognizing strengths and weaknesses, and instituting strict order. To know both is to be able to anticipate the enemy, and to properly position yourself in response.

To know the ground is to understand the medium in which your own and enemy forces operate, fully. This is a matter of in-field expertise. To know the natural conditions is to be informed about the constantly changing conditions that affect the movement of all forces. This is a matter of information and deep analysis. To know both is to anticipate the direction of the attack, to determine the way in which the forces will meet one another, to understand the risks in play, against the backdrop of an ever-changing context.


[1] Sunzi. Pg. 109.

[2] Sunzi. Pg. 110.

[3] Sunzi. Pg. 80-1.