The Art of InfoSec – Chapter 5

Chapter 5 of the Sunzi focuses on leveraging knowledge. The recurring theme is the use of logistics (information) to leverage a strategic advantage (shih), which should be translated into actionable strategic positioning (hsing) – a topic of later chapters.

In general, it is organization that makes managing many soldiers the same as managing a few. It is communication with flags and pennants that makes fighting with many soldiers the same as fighting with a few. It is “surprise” and “straightforward” operations that enable one’s army to withstand the full assault of the enemy force and remain undefeated. It is the distinction between “weak points” and “strong points” that makes one’s army falling upon the enemy a whetstone being hurled at eggs.[1]

The question of logistics is considered first, or rather, the question of organization and management. Communication is key to realizing and maintaining focus, and the idea of flags presents a decent analogy with the communications in battle; namely, communication must be visible and clear despite the chaos of battle, and every soldier must know exactly where to look to for direction. On the other hand, the source of communication is the commander, who must have the organizational skills to hold that position. The organizational skills, according to Sunzi, include understanding and mastery of knowledge and subsequent leveraging of that knowledge into impenetrable defense and unerring attack. Again, the Sunzi comes around to the issue of knowledge-based leadership.

The InfoSec component should be clear: the efficacy of the InfoSec team, and security in general, is entirely dependent on the team lead – more specifically on their organization and management, and the ability to leverage information into strategic advantage and positioning. The source of the information has been partially addressed before, and is a combination of internal factors (knowledge of self) and external factors (CTI). This idea should be familiar from the preceding chapters.

There are no more than five cardinal notes, yet in combination, they produce more sounds than could possibly be heard; there are no more than five cardinal colors, yet in combination, they produce more shades and hues than could possibly be seen; there are no more than five cardinal tastes, yet in combination, they produce more flavors than could possibly be tasted. For gaining strategic advantage (shih) in battle, there are no more than “surprise” and “straightforward” operations, yet in combination, they produce inexhaustible possibilities. “Surprise” and “straightforward” operations give rise to each other endlessly just as a ring is without a beginning or end. And who can exhaust their possibilities?[2]

As a starting position for leveraging information, Sunzi stresses the simplicity in the overall organizational scheme. All information leverages out to “surprise” or “straightforward” operations; there’s no need to reinvent the wheel or overcomplicate the efforts. Instead, it’s all about mastering the basics. One must know organizations, systems, and capacities. One must know one’s weaknesses – old and new. One must master and adapt their functional procedures. One must reiterate one’s mastery over these elements, and do so continually and in perpetuity.

New gadgets, technology, buzzwords, etc. should not be the functional focus of information security. The basics, understood properly, are the foundation of all effective security, mastering them takes time, effort, and continuous practice. Again, it is not an end product, but a process – without end.

That the velocity of cascading water can send boulders bobbing about is due to its strategic advantage (shih). That a bird of prey when it strikes can smash its victim to pieces is due to its timing. So it is with the expert at battle that his strategic advantage (shih) is channeled and his timing is precise. His strategic advantage (shih) is like a drawn crossbow and his timing is like releasing the trigger. Even amidst the tumult and the clamor of battle, in all its confusion, he cannot be confused. Even amidst the melee and the brawl of the battle, with positions shifting every which way, he cannot be defeated.[3]

The idea of strategic advantage (shih) has the connotation of a physical position as a fluid disposition, responsive to context, but dependent on intangibles, such as morale, opportunity, timing, psychology, and logistics.[4] Shih is, in every functional way, the literal notion of leverage; of directing and applying effort in such a way as to dislodge an object, otherwise too insistent for main strength. It is a way of amplifying strength, of using the latent potential in the object itself – the natural potential accessible only with the correct information about the object, and only with the right knowledge to actualize it.

Contextually situational positioning provides the strategic advantage, but that positioning must be coupled with proper timing. Just as a bird of prey has to be accurate in its dive (or else miss the target entirely), so too the actualization of the advantage must be timed. Knowledge of a vulnerability gives an offensive and an offensive strategic advantage. However, the offensive advantage is gone if the vulnerability is made public. Defensive advantage is gone if the patch is goes live after the breach. But timing is incoherent without the advantage (what action would one time, in that case?), and the advantage depends on information and knowledge. Again, Sun Tzu reveals the next step of strategic development, while circling back to reiterate the preceding points.

The key issue to note is that shih, once attained, does the work for you. The loading of the crossbow converts the latent potential of the crossbow into a strategic advantage potential – allowing the shooter to release the bolt with far more power than the effort to load it. The preparatory nature of the loading is what gives rise to the strategic potential – else a crossbow would be no different than a spear. With all the work done in advance, one has only to pick their time to unleash the stored potential, and allow the strategic advantage to do the work for them.

The expert at battle seeks his victory from strategic advantage (shih) and does not demand it from his men. He is thus able to select the right men and exploit the strategic advantage. He who exploits the strategic advantage sends his men into battle like rolling logs and boulders. It is the nature of boulders and logs that on flat ground, they are stationary, but on steep ground, they roll; the square in shape tends to stop but the round tends to roll. Thus, that that strategic advantage of the expert commander in exploiting his men in battle can be likened to rolling round boulders down a steep ravine thousands of feet high says something about his strategic advantage.[5]

In this passage, Sunzi clarifies the notion from chapter four, regarding unerring victories, by tethering them to strategic advantage. Strategic advantage is a matter of leveraging information through proper knowledge; a feat which uses the already present properties of objects (internal and external), and creates a beneficial position with respect to the opponent.

All this seems a bit too easy, especially in regards to InfoSec. However, it bears repeating that Sunzi is here focused on the basics, and reiteration of earlier lessons. The key takeaway of chapter five is that proper information, along with the proper knowledge, must be leveraged into a strategic advantage. This advantage does not force the issue. Instead, it uses the elements already present within one’s forces and without, to create a situation that can be used to one’s advantage, and whose natural outcome is the source of victory.

Similarly, security cannot be forced, it must be cultivated. Security is attained and maintained by shih, not by brute force. Hence, one should leverage their resources fully to attain shih: best personnel, best tools, best intelligence, etc. allowing for the creation of the advantage. This is made possible not by money, but by full use of all resources at one’s disposal. Simply throwing money at the problem does not solve it. The resources do, however, create space and incentive to cultivate the advantage, as well as deferment to expertise on how best to use it.

Here lies an important point, that is often overlooked. It is not enough to simply buy the tools, hire the personnel, or collect the information. Unless the strategic goal of cultivating shih is the explicit aim of the InfoSec team lead, and they can effectively organize and manage the team to focus all their efforts on this aim, and their advice is heeded, all the money in the world is insufficient to provide even a modicum of security.



[1] Sun Tzu. Pg. 85.

[2] Ibid.

[3] Ibid. Pg. 87.

[4] Ames, Roger T. Preface to Sun Tzu the Art of War. Pg. 57.

[5] Sun Tzu. Pg. 87.