The Art of InfoSec – Chapter 9

Chapter 9 (Deploying the Army) is a rather long one, and includes a poem regarding the dispositions of enemy commanders and the like. While it is an interesting read in its own right, it does not translate readily into information security considerations. The closing paragraph, however, makes three absolutely critical points.

In war it is not numbers that give the advantage. If you do not advance recklessly, and are able to consolidate your own strength, get a clear picture of the enemy’s situation, and secure the full support of your men, it is enough. It is only the one who has no plan and takes his enemy lightly who is certain to be captured by him.[1]

The asymmetry of the InfoSec field should be clear to everyone. A 14-year-old in Ukraine with a bit of free time can wreak havoc on major industries. Get a bit more creative, and you get phone calls from the “IRS” or “Windows,” or spear-phishing attacks that reveal election-losing dirt on US presidential candidates. The effort is minimal, the cost to attackers is negligible, and the results can be devastating. Conclusion: the numbers (of hackers, of security personnel, or of security spending) are not the relevant factors. The relevant factor is knowledge.

That it is “enough” to hold your ground, to consolidate your strength (control your own security), and to have a clear sight of the enemy’s plan means that going on the offensive is not a necessary feature of this model of warfare. The victory condition is simply “not losing,” i.e. living to play the game another day. Victory cannot be coherently defined as “winning” by defeating one’s opponents, because the opponents are innumerable. Yet failing to take this game deadly seriously, every single day, inevitably results in defeat.

Yet producing the kind of information security personnel, and the general corporate mindset, that never lets down its guard is a difficult task in its own right. Sunzi notes:

If you punish troops who are not yet devoted to you, they will not obey, and if they do not obey, they are difficult to use. But once you have their devotion, if discipline is not enforced, you cannot use them either. Therefore, bring them together by treating them humanely and keep them in line with strict military discipline. This will assure their allegiance.[2]

If the employees do not properly comprehend the idea of security, every meaningful security measure will be resented, and the employees will do unintelligent things such as reusing the same password across various platforms, along with other appalling practices. Their lack of obedience makes them difficult to use. But if discipline becomes lax because it is not strictly enforced from on high, the same problem returns. Humane treatment, in effect, means treating one’s employees as contributors to security, and thus educating them, rather than merely issuing commands as one might to an animal. The enforcement of discipline, in this context, reinforces the humane treatment.

If commands are consistently enforced in the training of the men, they will obey; if commands are not enforced in their training, they will not obey. The consistent enforcement of commands promotes a complementary relationship between the commander and his men.[3]

The third major point of this closing paragraph is a subtle one. Obviously training, enforcement, and reinforcement are positives, but that part had already been stated. The other, much more crucial, point is the complementary relationship between the commander and the rest of the military, or organization. Establishing a close relationship between security and the rest of the company is critical not only to the general enforcement of security operations, but also to allowing the company to adapt properly to changing circumstances and contexts of operation.

By necessity, companies update or change out the software and systems they use. Every adjustment of this kind places a burden on the average employee, who must adapt to the new system in order to keep functioning. Every single time, this requires a conscious effort to re-acclimate, a process that almost inevitably brings with it the temptation to take shortcuts that damage security. If the employees are engaged in a complementary relationship with security, if they have been treated humanely and have had the orders enforced in training, they become far more likely to follow proper procedure, and thus less likely to create a weakness that can be exploited to attack the system. If John Podesta had had a better relationship with the InfoSec team of the Hillary campaign, there is a serious chance his emails would have remained private.

Finally, by establishing and maintaining the right relationship, the commander (the InfoSec team lead) becomes a source of order amidst any trouble. He becomes the person everyone turns to for guidance in case of emergency. This role keeps a problem from spiraling into unbridled chaos and causing further harm.
[1] Sunzi. Pg. 105.

[2] Ibid.

[3] Ibid.