
Information

Copyright © 2022 Les Editions de l'Aspic.

All rights reserved. No part of this work may be reproduced or transmitted in any
form or by any means, electronic or mechanical, including photocopying, recording,
or by any information storage or retrieval system, without prior written permission of
the copyright owner.

Author: Alexandre Lienard

The information contained in this essay is distributed "as is", without warranty.
Although every precaution has been taken in the preparation of this work, neither the
author nor the proofreader nor the publisher shall be liable to any person or entity
for any loss or damage caused or alleged to be caused directly or indirectly through
the information it contains.

Contact the author: alex@skuld-intelligence.com


Foreword

A growing interest
Many managers and professionals from every sector of activity say that if they could keep only one bedside book
on strategy, it would be Sun Tzu's The Art of War. Yet when we look closely at the aficionados of this ancient
work, we quickly notice that only a few of them have read the original version in full and, worse, that what they
have retained from it is often nonsense.
Much has been written about this book. There are versions available for almost every profession: from finance
to sales, through human resources management, and even a special "feminist" version (yes, it exists).
This version, however, is a first of its kind: an interpretation designed specifically for Information
Security professionals and for students in search of martial and digital wisdom.
This book is intended to be minimalist, accurate and useful. The maxims and advice most applicable to the
world of digital security have therefore been selected for you and interpreted in the form of comments. That is the
first part of the book. In the second part, you will find some thoughts, reminders and perhaps some ideas to
stimulate discussions with your colleagues, teams and management.

Enjoy your reading.


戰爭的藝術

If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know
yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the
enemy nor yourself, you will succumb in every battle.
CHAPTER 1

LAYING PLANS

Stratagem #1
Sun Tzu said:
The art of war is of vital importance to the State.
It is a matter of life and death, a road either to safety or to ruin. Hence it is a subject of inquiry which can on no
account be neglected.
Comments:
The protection and defense of information systems are vital operations for companies and organizations,
especially since the Information System (IS) is nowadays an essential tool to support economic gains. No
organization is safe from digital attacks. Being able to resist these assaults is crucial for the prosperity and survival
of the organization. This matter should not be taken lightly. There is an art to digital warfare.

Stratagem #2
Sun Tzu said:
The art of war is of vital importance to the State.
It is a matter of life and death, a road either to safety or to ruin. Hence it is a subject of inquiry which can on
no account be neglected.
The art of war, then, is governed by five constant factors, to be taken into account in one’s deliberations, when
seeking to determine the conditions obtaining in the field.
These are:
1. The Moral Law;
2. Heaven;
3. Earth;
4. The Commander;
5. Method and discipline.
The Moral Law causes the people to be in complete accord with their ruler, so that they will follow him
regardless of their lives, undismayed by any danger.
Heaven signifies night and day, cold and heat, times and seasons.
Earth comprises distances, great and small; danger and security; open ground and narrow passes; the chances
of life and death.
The Commander stands for the virtues of wisdom, sincerity, benevolence, courage and strictness.
By method and discipline are to be understood the marshaling of the army in its proper subdivisions, the
graduations of rank among the officers, the maintenance of roads by which supplies may reach the army, and the
control of military expenditure.
Comments:
The CISO represents both competence and authority in Information Systems Security. They advise, control and
are transparent while using some secret skills. They inspire the security strategy, organize the tactics, delegate and
control the smooth running of operations.
Without an objective, without doctrine, without guidelines, without a passion for the subject, it is impossible to
establish and maintain an adequate level of protection. The key word is buy-in: from management, from staff and
from partners. The CISO is the guarantor of this state of affairs. Each level of power, each mission, each task must
be matched by a level of security and support proportional to the issues at stake.
Some things are imponderable, unavoidable. Sometimes the pace is set by events, by the logic of things or
simply by uncontrollable elements. The CISO who chooses to manage the things over which they have no control is
about to be defeated. On the other hand, their ability to anticipate the uncontrollable and to make exhaustive
hypotheses gives them control over the situations they have to deal with.
The lack of knowledge of the terrain, of the area to be protected, leads to its loss. Knowing the terrain, the
smallest corner of its information system, must be a primary concern for the CISO, both for the legacy they carry
and for the new projects they implement. The CISO must take great care to understand the business issues of the
organization they serve. They must also have an in-depth knowledge of their adversaries and enemies.
What is not visible is not hackable. The CISO must be a master in the art of fooling their enemies and
adversaries. Making their system look strong where it is weak and weak where it is strong must be part of their
defense strategy.
Without a method, without metrics, without control, without milestones, it is difficult to win. Adapting in full
knowledge of the situation, making an inventory of eventualities and considering the different scenarios allows one
to have both a transversal and horizontal view. Thoroughness allows one to embrace the situation as a whole.
Knowledge, especially in information warfare, gives you an advantage. The CISO who does not scrupulously
respect these five factors is about to perish. The one who measures, manipulates and builds on them will win. No
previous victory or defeat can predict the outcome of the next battle.

CHAPTER 2

WAGING WAR

Stratagem #3
Sun Tzu said:
In the operations of war, where there are in the field a thousand swift chariots, as many heavy chariots, and a
hundred thousand mail-clad soldiers, with provisions enough to carry them a thousand li, the expenditure at home
and at the front, including entertainment of guests, small items such as glue and paint, and sums spent on chariots
and armor, will reach the total of a thousand ounces of silver per day. Such is the cost of raising an army of 100,000
men.
Comments:
Budget, budget, budget! There is a tendency to think of security as a cost center, when in fact it can be a profit
center. However, the budget should not only cover material investments. Quality human resources, operators paid at
the right level, lead to victory, without forgetting the investments related to training and crisis simulations.

Stratagem #4
Sun Tzu said:
Thus it may be known that the leader of armies is the arbiter of the people's fate, the man on whom it depends
whether the nation shall be in peace or in peril.
Comments:
You don't just appoint a CISO and you don't just appoint anyone to the position. The CISO holds the destiny of
the organization's Information System Security in their hands. Skimping on the skills or limiting the range of
responsibilities related to this role is sure to result in a poor commitment and de facto poor security management
later on. Top management must be attentive to this. The CISO must be aware of the resources available to them in
the present and in the future and worry about this before accepting the mission entrusted to them.

Stratagem #5
Sun Tzu said:
There is no instance of a country having benefited from prolonged warfare.
Comments:
Time is money. Conducting defensive operations that take too long is expensive and gives the adversary or
enemy a larger area to attack, more opportunities to defeat. In the long run, budgeting for defenses will always
prove less expensive than budgeting for crises. You must shorten the fight, even if it means giving up sometimes.
The key is to win, by whatever means. The CISO must embrace the entire landscape to be defended.

CHAPTER 3

ATTACK BY STRATAGEM

Stratagem #6
Sun Tzu said:
If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know
yourself but not the enemy, for every victory gained you will also suffer a defeat.
Comments:
Knowing the Information System they protect should be as high a priority for the CISO as knowing their enemies
and adversaries. The CISO should ask the right questions. Who are they? What do they want? How do they
operate? Unlocking the secrets of the adversary's or enemy's strategy and mastering the strategy of the organization
they serve is what will lead the CISO to victory.

Stratagem #7
Sun Tzu said:
Thus the highest form of generalship is to balk the enemy's plans; the next best is to prevent the junction of the
enemy's forces; the next in order is to attack the enemy's army in the field; and the worst policy of all is to besiege
walled cities.
Comments:
The intelligent CISO thwarts the enemy's strategy, the adversary's plans, before the first assault occurs. The art
of digital warfare lies in overwhelming the enemy, the adversary, without a blow. If this is not possible, one must
then use the strategy of dodging. This strategy is inferior to the previous one and offers the opportunity to
camouflage oneself and not suffer any blow. Responding to an attack with an attack is the least effective of the
strategies, as it damages the morale of the resources and endangers the assets involved. One does not catch the
absence.

Stratagem #8
Sun Tzu said:
Therefore the skillful leader subdues the enemy's troops without any fighting; he captures their cities without
laying siege to them; he overthrows their kingdom without lengthy operations in the field.
Comments:
The whole art of digital defense lies in subduing the enemy to invite them to not fight. To do this, all tricks are
good, such as polluting the information they might discover about the infrastructure they covet or misleading them
about the technologies used, even if it means cheating and lying.

Stratagem #9
Sun Tzu said:
But when the army is restless and distrustful, trouble is sure to come from the other feudal princes. This is
simply bringing anarchy into the army, and flinging victory away.
Comments:
The seven traps to avoid in a crisis:
1. Imposing crazy orders whispered into management's ear by pseudo-experts
2. Leaving room for doubt in the chain of command
3. Mixing business processes with crisis processes
4. Mixing the rigor of security policies with flexibility in times of crisis
5. Shifting responsibility to third parties
6. Confusing partners
7. Waiting for a decision before acting


CHAPTER 4

TACTICAL DISPOSITIONS

Stratagem #10
Sun Tzu said:
To secure ourselves against defeat lies in our own hands, but the opportunity of defeating the enemy is
provided by the enemy himself.
Comments:
The strategy of the enlightened CISO is to seek invincibility without ignoring the ability of their enemy to win.
They are aware that the nature of the attack, their enemy's preparation and their motivation will determine the
outcome of the battle. Defensive victory is based on the level of invincibility. Offensive victory depends on the
attacker's ability to overcome the defensive force. The defender depends on the actions of the attacker. In fact, the
defender is in a victim position while the assailant is in an attack position.

CHAPTER 5

ENERGY

Stratagem #11
Sun Tzu said:
The control of a large force is the same principle as the control of a few men: it is merely a question of
dividing up their numbers.
Comments:
The smallest of infrastructures deserves the CISO's full attention. Information Systems Security is not about
size, it's about issues. Thus, managing the security of a small information system is not intrinsically different from
managing the information system of a large company. The key to success lies in the organization, not in the size.
The one who bases themselves on the stakes at play remains in control of the game.

Stratagem #12
Sun Tzu said:
To ensure that your whole host may withstand the brunt of the enemy's attack and remain unshaken: this is
effected by maneuvers direct and indirect.
Comments:
The defensive nature of the CISO's mission leads them to focus on the use of indirect means during the
confrontations and assaults that the information system they are protecting is subjected to. By indirect means, we
mean above all the means that allow the enemy to be deceived, to be misled.

Stratagem #13
Sun Tzu said:
Thus one who is skillful at keeping the enemy on the move maintains deceitful appearances, according to
which the enemy will act. He sacrifices something, that the enemy may snatch at it.
Comments:
The wise CISO is able to make the most of the assets under their control. This is especially true for human
resources who will have to turn their weaknesses into strengths. Repelling digital assaults requires some dexterity in
this area.

Stratagem #14
Sun Tzu said:
The clever combatant looks to the effect of combined energy, and does not require too much from individuals.
Hence his ability to pick out the right men and utilize combined energy.
Comments:
What could be wiser than to be attacked at the place you have decided? The seasoned CISO is able to lead their
opponents down the paths they have previously marked out. The same goes for their enemies, they lead them to
attack their strongest points.

CHAPTER 6

WEAK POINTS AND STRONG

Stratagem #15
Sun Tzu said:
Therefore the clever combatant imposes his will on the enemy, but does not allow the enemy’s will to be
imposed on him.
Comments:
Getting the enemy to strike where you want them to strike must be done with their cleverness in mind. Under
no circumstances should you insult them. The CISO takes care to make the task easy without showing too much
ingenuity. In this way, the enemy is defeated according to the CISO's will.

Stratagem #16
Sun Tzu said:
Appear at points which the enemy must hasten to defend; march swiftly to places where you are not expected.
Comments:
When retaliating, the CISO takes care to focus their attacks where the enemy is not only weakest but also
where they least expect it. When playing defense, the CISO takes care to defend their entire perimeter, even in
places where the enemy will not appear.

Stratagem #17
Sun Tzu said:
O divine art of subtlety and secrecy! Through you we learn to be invisible, through you inaudible; and hence
we can hold the enemy’s fate in our hands.
Comments:
The CISO is discreet. However, they possess good intelligence on both their enemies and their adversaries.
They gather information, analyze it and use it.

Stratagem #18
Sun Tzu said:
You may advance and be absolutely irresistible, if you make for the enemy’s weak points; you may retire and
be safe from pursuit if your movements are more rapid than those of the enemy.
Comments:
When the enemy attacks, you must have everything in place so that they get tired and scatter. Therefore, an
infrastructure composed of random decoys and obstacles allows the CISO to contain the attack while keeping the
possibility to retaliate or to preserve traces and logs.

Stratagem #19
Sun Tzu said:
The spot where we intend to fight must not be made known; for then the enemy will have to prepare against a
possible attack at several different points; and his forces being thus distributed in many directions, the numbers we
shall have to face at any given point will be proportionately few.
Comments:
It is not enough to know where the enemy will strike. The CISO is well versed in the art of warfare and has a
lot of information that allows them to know when the attack will occur. To do this, they follow the cycle of
intelligence gathering and make the right decisions.

CHAPTER 7

MANEUVERING

Stratagem #20
Sun Tzu said:
After that, comes tactical maneuvering, than which there is nothing more difficult. The difficulty of tactical
maneuvering consists in turning the devious into the direct, and misfortune into gain.
Comments:
Reinforce weaknesses and mimic the weakness of strength. A CISO is constantly feigning weakness in the face
of their enemies. They appear sleepy when they are alert and appear alert when they are asleep. The same is true of
the resources the enemy covets. You have to confuse the enemy, trick them, numb them with false information, and
intrigue them with the truth.

Stratagem #21
Sun Tzu said:
Maneuvering with an army is advantageous; with an undisciplined multitude, most dangerous.
Comments:
Napoleon Bonaparte said that it was forgivable to be beaten, but not to be surprised. A talented CISO is able to
anticipate the unexpected. They are on the lookout, watching their enemies busy on other fronts and their opponents
asleep.

Stratagem #22
Sun Tzu said:
Let your rapidity be that of the wind, your compactness that of the forest.
In raiding and plundering be like fire, in immovability like a mountain.
Comments:
Whether in a global action or in a smaller action, the CISO only acts when they are certain they can gain an
advantage from what they are doing. Even when forced to, they will only engage in combat when they are certain of
total victory.

Stratagem #23
Sun Tzu said:
Let your plans be dark and impenetrable as night, and when you move, fall like a thunderbolt.
Comments:
Chance may intervene in the outcome of a fight, but it should not be the determining factor. In fact, the
seasoned CISO deals with chance, anticipating it without relying on it. Everything the CISO does must be planned
and everything that happens must be discussed and studied.

Stratagem #24
Sun Tzu said:
We shall be unable to turn natural advantage to account unless we make use of local guides.
Comments:
For the victory-hungry CISO, intelligence is one of the keys to success. Whether it is with their enemies or
with their adversaries, they have quality intelligence resources at their disposal, both human and open source. They
also put in place the means to collect technical intelligence. Their decisions are based on the analysis of this
information.

Stratagem #25
Sun Tzu said:
We are not fit to lead an army on the march unless we are familiar with the face of the country—its mountains
and forests, its pitfalls and precipices, its marshes and swamps.
Comments:
The CISO knows every corner of the perimeter they defend. When the borders move, when new strongholds
are created or when a new gateway is created, they are kept up to date by their local correspondents who inform
them from the very beginning of the projects. The CISO also keeps track of changes that affect the business of the
organization they serve. New partnerships, acquisitions or mergers in the pipeline, new markets, new opportunities -
in short, any significant change - must be brought to their attention.

Stratagem #26
Sun Tzu said:
Gongs and drums, banners and flags, are means whereby the ears and eyes of the host may be focused on one
particular point.
Comments:
Effective communication is one of the cornerstones of perimeter defense. Orders must be clear, precise and
given in a standardized manner. As the saying goes, "hard training, easy war." Nothing could be more true in the
field of information systems security. The CISO tests their communication during crisis exercises. It is the CISO
who defines the transmission of orders related to defensive operations.

Stratagem #27
Sun Tzu said:
Disciplined and calm, to await the appearance of disorder and hubbub amongst the enemy: this is the art of
retaining self-possession.
Comments:
Third-party personal initiatives are the CISO's enemy. Whether they come from executive management,
from the technical teams or, even worse, from members of their own cell, the CISO makes sure that they are the only one to
trigger defensive or even offensive actions. Egotistical third-party initiatives and such pseudo acts of bravery
only prove the weakness of the CISO.

CHAPTER 8

VARIATION IN TACTICS

Stratagem #28
Sun Tzu said:
When in difficult country, do not encamp. In country where high roads intersect, join hands with your allies.
Do not linger in dangerously isolated positions. In hemmed-in situations, you must resort to stratagem. In desperate
position, you must fight.
Comments:
So-called siege attacks are formidable. When systems are crippled and no workarounds are in place, chaos
ensues. The savvy CISO plans for options that offer the ability to manage the crisis and continue to communicate.
They will always choose the most appropriate place to conduct counter operations.

Stratagem #29
Sun Tzu said:
The general who thoroughly understands the advantages that accompany variation of tactics knows how to
handle his troops.
Comments:
While the worst is never certain, the best isn't either. Beware of half victories, they can herald a second, not
necessarily consecutive, round. After the fight, vigilance is required. The SOC should remain on alert after the end
of the crisis until the signals are completely eliminated or until the threat is confirmed to be completely eradicated.

Stratagem #30
Sun Tzu said:
So, the student of war who is unversed in the art of war of varying his plans, even though he be acquainted
with the Five Advantages, will fail to make the best use of his men.
Comments:
Sometimes small efforts can close huge loopholes. Sometimes, small vulnerabilities can be exploited to cause
large losses. The seasoned CISO thinks in terms of frequency and impact, not forgetting in their calculations what
might seem trivial because put together, these small things could cause chaos.

Stratagem #31
Sun Tzu said:
There are five dangerous faults which may affect a general:
1. Recklessness, which leads to destruction;
2. cowardice, which leads to capture;
3. a hasty temper, which can be provoked by insults;
4. a delicacy of honor which is sensitive to shame;
5. over-solicitude for his men, which exposes him to worry and trouble.
Comments:
The CISO should beware of their own ego, that of their leaders and that of their colleagues. They should
always weigh the benefit-risk of everything they do and everything that will be done after their decisions.

Stratagem #32
Sun Tzu said:
When an army is overthrown and its leader slain, the cause will surely be found among these five dangerous
faults. Let them be a subject of meditation.
Comments:
The CISO must have both the support and the confidence of their management. The CISO must be able to act
alone during times of assault and for most generic operations. This is why the CISO must be placed as close as
possible to top management.

Stratagem #33
Sun Tzu said:
The art of war teaches us to rely not on the likelihood of the enemy's not coming, but on our own readiness to
receive him; not on the chance of his not attacking, but rather on the fact that we have made our position
unassailable.
Comments:
The CISO must embrace a profound and peripheral view of the system in which they evolve and above all not
limit themselves to a single snapshot. They must deal with changes, accompany them and, if they can, anticipate
them. Everything in their security management must take into account the changes, from the most trivial to those
that would have the greatest impact.

CHAPTER 9

THE ARMY ON THE MARCH

Stratagem #34
Sun Tzu said:
When you come to a hill or a bank, occupy the sunny side, with the slope on your right rear. Thus you will at
once act for the benefit of your soldiers and utilize the natural advantages of the ground.
Comments:
Every information system has its strengths and weaknesses. The smart CISO learns to take advantage of its
vulnerabilities as well as its durability. They are always on the lookout and do not mistake a calm situation for one
of peace. On the contrary, they are always looking out for the situation, gathering information, keeping an eye on it
and taking the measure of the present time to better anticipate the future.

Stratagem #35
Sun Tzu said:
When the light chariots come out first and take up a position on the wings, it is a sign that the enemy is
forming for battle.
Comments:
Digital attackers are like any other attackers: an impending assault is always preceded by signals. Silence can
be a signal, just like the sound of weapons. The CISO must have an intelligence network that allows them to pick
up these signals. By intelligence network, we mean OSINT, HUMINT, SOCMINT and SIGINT.

Stratagem #36
Sun Tzu said:
If a general shows confidence in his men but always insists on his orders being obeyed, the gain will be
mutual.
Comments:
The CISO's arsenal must include the ability to be feared and respected. An overly lax attitude will cause the
same results on the security level as a stubborn attitude. The lax CISO will be too permissive, while the
narrow-minded CISO will have the important things hidden from them. The CISO role has a strong authoritarian
component. If the CISO has an advisory role, then they are not a warlord, but an advisor who simply puts the dots
on the blackboard.

CHAPTER 10

TERRAIN

Stratagem #37
Sun Tzu said:
With regard to ground of this nature, be before the enemy in occupying the raised and sunny spots, and
carefully guard your line of supplies. Then you will be able to fight with advantage.
Comments:
The CISO must know every corner of the information system they are protecting and defending. They know
the weaknesses and strengths of the system. The same goes for the organization they serve. The more the CISO is
able to appreciate the terrain, the greater their maturity and the more precise their reflexes.

Stratagem #38
Sun Tzu said:
Now an army is exposed to six several calamities, not arising from natural causes, but from faults for which the
general is responsible. These are:
1. Flight;
2. insubordination;
3. collapse;
4. ruin;
5. disorganization;
6. rout.
Comments:
The search for the easy way out and the lure of gain are two enemies of the CISO if they want to be the best.
They are wary of gifts and offerings. Faced with attempts at seduction and corruption of any kind, the CISO feigns.
When confronted with facilities granted without a second thought, the CISO detects manipulation and acts
accordingly.

Stratagem #39
Sun Tzu said:
Hence the saying: If you know the enemy and know yourself, your victory will not stand in doubt; if you know
Heaven and know Earth, you may make your victory complete.
Comments:
The race to the advantage is valid both in an offensive and defensive approach. The difference is that playing
defense usually offers the possibility to be prepared beforehand. The CISO, experienced in the art of war, knows
this, and has anticipated their enemy's search for the upper hand. Moreover, they have foreseen this and have put in
place the means to deceive them beforehand. One should have made an inventory of their strengths (as well as their
weaknesses) before the battle, and of those of their enemy too.

Stratagem #40
Sun Tzu said:
If, however, you are indulgent, but unable to make your authority felt; kind-hearted, but unable to enforce your
commands; and incapable, moreover, of quelling disorder: then your soldiers must be likened to spoilt children;
they are useless for any practical purpose.
Comments:
Humility and self-reflection are two virtues that the CISO must cultivate. When they encounter a failure, they
must take responsibility and complain as little as possible. Aware of the mistakes made, they take responsibility for
their failure and draw the appropriate conclusions in good conscience. They do not stigmatize others, admit their
weaknesses and try to draw the appropriate conclusions.

CHAPTER 11

THE NINE SITUATIONS

Stratagem #41
Sun Tzu said:
The art of war recognizes nine varieties of ground:
1. Dispersive ground;
2. facile ground;
3. contentious ground;
4. open ground;
5. ground of intersecting highways;
6. serious ground;
7. difficult ground;
8. hemmed-in ground;
9. desperate ground.

Comments:
An information system is made up of several elements, several areas and various technologies, all of which
have strengths and weaknesses. It is worthwhile for the CISO to create and maintain an accurate inventory of the
assets under their responsibility. This will allow the CISO to assess the risks based on the criticality of these assets
and the interest they could present to potential attackers, whether they come from inside or outside the system.

Stratagem #42
Sun Tzu said:
Confront your soldiers with the deed itself; never let them know your design. When the outlook is bright, bring
it before their eyes; but tell them nothing when the situation is gloomy.
Comments:
When faced with blocking or stalled situations, the CISO must remain in control. To do this, they must avoid
falling into a state of panic. They keep a cool head and deal with the elements. They adapt their tactics to the
circumstances by taking advantage of what is offered to them, both positive and negative elements.

Stratagem #43
Sun Tzu said:
At first, then, exhibit the coyness of a maiden, until the enemy gives you an opening; afterwards emulate the
rapidity of a running hare, and it will be too late for the enemy to oppose you.
Comments:
Attackers like to take advantage of the panic that takes hold of their victim. Fear, panic and dread are the
CISO's inner enemies. Digital warfare is a state of mind that requires composure and valour. When the enemy plays
the surprise card, the seasoned CISO outwits them on the same field.

CHAPTER 12

THE ATTACK BY FIRE

Stratagem #44
Sun Tzu said:
Hence those who use fire as an aid to the attack show intelligence; those who use water as an aid to the attack
gain an accession of strength.
Comments:
There is no need to repel the attacker by using the wrong weapon. The hardened CISO understands the value of
countering opponents by the means they use. Too often, warring parties act with their own feelings, their own
emotions, without putting themselves in the opponent's shoes, whereas the key to victory lies in using the right tool:
the one that sounds the enemy's defeat. What's the point of setting the lake on fire?

Stratagem #45
Sun Tzu said:
Hence the enlightened ruler is heedful and the good general full of caution. This is the way to keep a country at
peace and an army intact.
Comments:
Confrontation is the last option the CISO chooses, and this choice is dictated by necessity, for the wise CISO
knows that war has a cost to all parties in the conflict. They favor other avenues before embarking on the warpath.

CHAPTER 13

THE USE OF SPIES

Stratagem #46
Sun Tzu said:
Hostile armies may face each other for years, striving for the victory which is decided in a single day. This
being so, to remain in ignorance of the enemy’s condition simply because one grudges the outlay of a hundred
ounces of silver in honors and emoluments, is the height of inhumanity.
Comments:
Monitoring the threat is an absolute necessity these days. It is no longer enough to know what there is to
defend; one must also identify against whom and against what to protect it. There are plenty of ways to collect
information about enemies or adversaries. That said, the pieces must be linked together to anticipate collusion and
incongruous alliances. The CISO who invests little in their intelligence system is like a blind man in a minefield; they
can only rely on luck.

Stratagem #47
Sun Tzu said:
Now this foreknowledge cannot be elicited from spirits; it cannot be obtained inductively from experience, nor
by any deductive calculation.
Comments:
The difference between information and intelligence is that information is obtained passively and does not
necessarily correspond to a request. Intelligence is information that has been analyzed, verified and is of interest to
the requester. The CISO collects information, directly or indirectly, and evaluates it, so as to maintain the level of
security they claim. They are careful not to disseminate what they know beyond the scope of their interests.

Stratagem #48
Sun Tzu said:
The enemy’s spies who have come to spy on us must be sought out, tempted with bribes, led away and
comfortably housed. Thus they will become converted spies and available for our service.
Comments:
If the CISO wants to win the battle, they must first and foremost set an example, both to their direct troops and
to their colleagues and management. When entering the battle, the CISO already knows how they will defeat the
enemy. They also know why things are done and pass it on in the form of motivation to the people involved.
However, they keep their secrets and doubts to themselves. They are in charge.

Stratagem #49
Sun Tzu said:
Hence it is only the enlightened ruler and the wise general who will use the highest intelligence of the army for
purposes of spying and thereby they achieve great results. Spies are a most important element in war, because on
them depends an army's ability to move.
Comments:
In the face of their enemies, in the face of their adversaries, the skilful CISO uses division, fracturing the
alliances they are fighting. During digital attacks, they do everything possible to disperse and divide the enemy.
During budgetary exercises or internal negotiations, they break up opposing forces, fragment coalitions and split the
fronts they face.

THOUGHTS
CHAPTER 14

THE (REAL) ROLE OF THE CISO

The role of the CISO

In his ancient but still very topical Art of War, Sun Tzu invites us to reflect on the necessity of setting up a strategy
prior to action, prior to war. Thus, Sun Tzu defines five factors that ensure victory to the one who masters them.
In this article, you will find some food for thought in the form of questions and advice that will enable you to
correctly position your role as CISO in the organization that employs you.
As we all know, CISO is a difficult job. A role that is sometimes thankless and a function that is too often
ignored by top management. In short, a job full of preconceived ideas, where those who talk about it the most are
often those who do it the least. And yet, when rereading the Art of War, one can only be amazed by this lack of
knowledge of and interest in a job that has become necessary for the smooth running of companies and, more
broadly, organizations.
There is no such thing as a good or bad CISO position, nor is there a good or bad company for an officer, but
there are bad CISOs. Think about it!
In this article, based on Sun Tzu's teaching, we will try to provide you with the best reading keys to adopt the
best possible strategy. At the very least, we will try to think together about the best way to lay the foundations of a
winning strategy. This requires work on oneself, a necessary introspection.
Strategy teaches us that we must constantly question the essence of our position as CISO. This does not mean
that we should hesitate and run around in circles, of course. We are in the strategic domain here, not talking about
tactics and operations. Knowing our strengths and weaknesses, as well as those of our opponents, should allow us to
ask ourselves the right questions, regularly. The CISO position is constantly changing, yes, because it is directly
related to the environment in which the CISO operates. A rising threat level, a new massive cloud deployment
strategy, and boom, you have to reinvent yourself, adapt and sometimes define new strategies in a kind of return to
square one. Is security cyclical?
Finally, strategy allows us to realize that there is a big difference between the perception of reality and reality
itself. How many times have you been caught crying wolf? How many times have you been told that the company
is not a target? Reality often materializes in the form of incidents for which, as a CISO, you had better be well
prepared.
Thus begins The Art of War:
"War is of vital importance to the state. It is the domain of life and death: the preservation or loss of the empire
depends on it; it is imperative to regulate it well. Not to give serious thought to what concerns it is to show a guilty
indifference to the preservation or loss of what is most dear to us, and this is what should not be found among us."
Nowadays, it is no different for economic activities. Firstly, because it is necessary to grow and conquer new
markets. Secondly, because there are many parties involved and the threats to information systems are increasing:
ransomware, espionage, disclosure of confidential information, entrapment... Moreover, the government and the
non-profit sector are not left behind when we look closely at the number of cybercriminal acts they are subjected to.
Sun Tzu continues:
"Five main things should be the object of our continual meditation and care, as those great artists do, who,
when they undertake some masterpiece, always have in mind the goal they propose, make use of everything they
see, everything they hear, neglect nothing to acquire new knowledge and all the help that can lead them happily to
their end."
Being a warrior
The CISO is a warrior. Sure, he or she works in a defensive and legal environment, but they have a pivotal role
in the organization they work for. They lead the way when it comes to securing the digital and information
perimeter. During crises, it is the CISO who intervenes and advises on the attitude to adopt. The CISO is not a
builder, but a defender. To insist on the CISO's building side would be as big a mistake as using the talents of Le
Nôtre instead of those of Vauban.
To do this, as a CISO you need to ask yourself the following questions (if you haven't already):
- What is the mission of the company you work for? (what the CISO protects)
- What is your mission and what are its limits? (the perimeter to protect)
- What influences the level of risk and the state of the threat? (what is the CISO fighting against)
- What are the best practices and methods to achieve your objectives? (how the CISO protects their IS)
- What is your role as a CISO? (mission, promotion and communication)
- How have you defined your security processes? (preventive and curative means).
The CISO's mission always starts with the company's mission. If the company's mission changes, the CISO's
mission must change to match the company's mission.
In order to organize their role effectively, the CISO needs to be supported. At best, that means a team
complemented by many partners throughout the organization: managers, technicians, members of the board of
directors, legal department, production, marketing... At worst, the CISO relies on their sources.
Remember that if the CISO does not offer a clear vision for a clear future, then their strategy is not adapted to
the business world.
As a good strategist, the CISO takes into account the Five Factors defined by Sun Tzu. Accordingly, they will
pay attention to the following elements.
They focus on the security of the perimeter they are protecting and maintain this level in accordance with the
company's mission (doctrine).
They consider the changes of pace, take into account the seasonality of things and anticipate unpredictable
elements (weather).
They master their environment, including the past (obsolescence), the present (reality) and the future
(technological future and prospective) of the assets included in their perimeter (space).
They respect the orders they receive and ensure the level of acceptable risk decided by senior management is
upheld. They ensure compliance by diplomatic means, and by means that are proportionate to the stakes of the
context in which they operate (command).
If surrounded by a team, or if they have local correspondents (or sources), the CISO ensures that they impose
the same doctrine as that imposed by their command, and opts for a management style appropriate to the time and
space, i.e. the foreseeable or unforeseeable hazards that occur within the perimeter they are responsible for
defending.
In their dealings with the outside world, such as suppliers, partners, regulators or competent authorities, the
CISO behaves like a digital warfare professional. They restrict themselves to dealing with their perimeter and
nothing else.
These five factors must be evaluated regularly, especially in the world of information systems. This world
where everything changes quickly and where without adaptation, we die. Everything that the CISO imposes on
others, they must also impose on themselves. Setting an example is undoubtedly the best way to win hearts and
minds, as Sun Tzu rightly pointed out.

Knowing and being known
Often, those who evoke Sun Tzu put forward this famous sentence: "Know yourself as you know your enemy".
Precisely, the text reads, "Know the enemy and know yourself; in a hundred battles you will never be in danger."
First, you should ask yourself the following questions:
- Is your mission in line with the company's?
- Are you making the right decisions based on the scope you have to protect?
- Are you pursuing noble goals that serve your mission?
- Are you staying away from personal goals and third-party goals that run counter to your original mission?
- What situations offer the greatest benefit to your mission?
- What are the best ways and methods to organize your security processes?
- What are the stakes of the projects that are submitted to you?
- What are the best points of contact you have within the organization?
- Do you know the strengths and weaknesses of the assets you are defending?
- Is your business knowledge sufficient?
- Is your knowledge of the company's business sufficient?
- Do you know the real threats to the system you are protecting?
- Do you know the potential attackers and their motivations?
- Would you be able to tell the difference between a direct and an indirect attack?
It is crucial for a CISO to be able to analyze the knowledge factors they need to secure their perimeter and
position.

Knowledge
In the information age, it is no longer possible to ignore the fact that information is an essential material for the
development of economic activities and for the sustainability of public affairs. The "need to know" is a notion that
deserves to be singled out by the results-oriented CISO. Indeed, while the CISO sorely needs skills and knowledge
(see previous point), above all they need intelligence.
Sun Tzu gives a special place to espionage in his book. There are about thirty references to the use of spies,
spread over the thirteen articles. Of course, he gives special emphasis to offensive espionage, but the defensive side
is not left out, since he takes the following position: it is necessary to feed disinformation to the other side's spies.
The same is true for the wise CISO. The latter must have the means to collect intelligence, i.e. enriched
information, both within the organization they serve and outside it.
To do so, they must rely on the intelligence cycle (needs-collection-processing-analysis-dissemination) and on
best practices in the field. It should also be noted that today, there are a multitude of tools that allow for the
collection of enriched intelligence on the state of the threat (threat intelligence). Intelligence acquisition should be
part of a clearly defined strategy.
Moreover, the skilled CISO shares their intelligence acquisition methods and tools with other departments.

Perceive
Sun Tzu states that war is a matter of perception. How you perceive your enemy and how your enemy
perceives you can determine the outcome of war.
Thus, Sun Tzu teaches us that the one who wins the war is often the one who feigns the best.
Sun Tzu said:
"There will be occasions when you stoop, and others when you pretend to be afraid. You will sometimes
pretend to be weak so that your enemies, opening the door to presumption and pride, will either come to attack you
at the wrong time, or let themselves be surprised and cut to pieces shamefully. You will see to it that those who are
inferior to you can never penetrate your plans. You will keep your troops always alert, always on the move and in
occupation, to prevent them from allowing themselves to be softened by a shameful rest."
There are many opportunities to misinform one's adversary, including technical solutions that mislead the
attackers during their reconnaissance phase on the perimeter. One should never hesitate to use them.
In more perilous situations, such as when the assailant turns out to be an insider (50 to 70% of serious cases
according to studies), these disinformation operations are more difficult to carry out. However, they are essential to
trap or defeat the insider.
The difference between reality and the perception of reality can prove to be a famous pitfall for the CISO. This
is particularly true for the perception that management may have of information systems security. We all know how
difficult it can be to make ourselves understood by neophytes. However, you should know that the business has a
similar perception of CISOs. Many of them think that "technicians" don't understand "business".
Being aware that reality and perception are two different things is crucial. Bringing these two ways of thinking
together, i.e., perceiving reality or making perception real, is essential to securing victory and to...

... win
The ultimate goal of a fight is to win. Whether it's fending off a digital assailant or securing the desired
budget, the wars fought by the CISO are many. However, it is important to differentiate between an enemy and an
adversary. This will be the subject of the next article. In the meantime, we leave you to ponder the following quote.
"It is to prevent all these disasters that a skillful general forgets nothing to shorten campaigns, and to be able to
live at the expense of the enemy, or at least to consume foreign food, at a cost of money, if necessary."
CHAPTER 15

THE PREPARATION

In the second chapter of The Art of War, titled "Waging War", Sun Tzu shows that in order to win a war, advance
preparation is important, or at least the right resources are needed. This article, made up of seventeen verses,
makes us reflect on the logistics and resources needed in order to win the war.
From the perspective of the CISO role, acquiring the means to act is no small matter. Budget, resources, autonomy,
tools, digital assets and freedom of action are all things that are sometimes difficult to fully obtain. So, the
forward-thinking CISO should take inspiration from what Sun Tzu proposes. This analysis is dedicated to this
matter.
But first, let us assume (simply) that this is a defensive war, that the CISO is getting ready to be under fire.
In a later analysis, we will discuss the offensive aspects of security.
To make it simpler, our bias in this analysis is that financial resources (budget) are the essential "raw
material", since from these resources flow the other elements necessary for victory: human resources, technical
resources, skills, standards, methods, tools and materials.
According to Sun Tzu: "(...) do not delay the battle, do not wait until your weapons get rusty or for sword’s
edges to become dull. Victory is the main objective of the war.”
As a CISO, the most important activity you should be engaged in is ensuring that your department, branch,
office or cell will be able to withstand not only the next attack (whether exogenous or endogenous) but also, and
more importantly, the ones after it. The effective strategy is not the one that makes you victorious in the next attack,
but in the following ones. The effective strategy is the one that guarantees you victory. This may seem obvious, but
it is essential to focus on having plenty of victories. Emerging victorious from an attack must be embedded in the
DNA of your defense strategy. Managing the security of an information system (no matter how big or small it is)
cannot be done without resources. Money being (often) the most important (and most wanted) thing in war, the wise
CISO has an interest in juggling figures and deadlines, investments and returns. Indeed, although it is sometimes
difficult to reconcile security costs with profits, introducing the notion of a core profit often helps to open up more
financial opportunities. Unfortunately, security success stories are rarely tangible to a financier. What does it mean
to a neophyte to "handle an attack well" or "repel it"? And let's not talk about avoiding it, which is intangible.
Perhaps the analogy with comprehensive insurance is one way to go? But that is not enough, as we all know.
In an ideal world, the budget flows freely, resources are unlimited, you have ten specialists on the payroll, and you
can secure an army of consultants when necessary. In the real world, the CISO has to make choices. They cannot
afford to cover everything, even if they have to consider everything. A cruel dilemma, where Sun Tzu comes to our
aid. Aiming for balance between means and risks, their frequency and their impact: that is all you need to face the
next wave. It is all too common to see a strong appetite for a curative rather than a defensive approach, as if it were
a necessary justification. Yet modelling attacks allows you to meet victory after victory.

A question of strategy
In our first analysis, we mentioned the thoughts to be explored in order to set up and follow an effective
strategy. To sum up: the CISO's strategy must be adapted to the company's strategy. Mission against mission, vision
against vision, doctrine against doctrine.
Sun Tzu said: "The prince's chests you work for will be empty,
your rusty weapons will no longer be usable, your soldiers' zeal will slow down, their courage and strength will
vanish, supplies will be used, and perhaps you will even find yourself reduced to the most unfortunate
outcomes." What will most discredit you is never the attack or the sudden shutdown of the system
that you are protecting! What will damage your credibility, perhaps forever, is the number of times you cry wolf.
Anyone working in the security field knows that a near-miss is a great vehicle for obtaining extra budget.
The same applies to the prospect of sectoral or regulatory sanctions (GDPR, NIS, etc.). Doesn't this
demonstrate a lack of training? Moreover, isn't preparing for war on the eve of D-Day a
sign of weakness and a lack of strategy?

The incident: the budgetary yardstick
In the early 2000s, there were fewer security incidents, but more importantly, companies communicated much
less about the setbacks they encountered. After 2010, in many fields, it became fashionable to communicate about
incidents. After all, being a victim was not necessarily an admission of weakness. Nowadays, more and more
national and international obligations force companies and organizations to disclose some of their digital problems.
It is up to us CISOs to grab the opportunities that come with this, without crying wolf. It is now easy to get
feedback on digital incidents. In fact, many professionals in the sector offer so-called "threat intelligence" services
which include "use cases" that are often very instructive. Based on the incidents experienced by others or by the
organization you work for, it is easy to model typical incidents that can then serve as a basis for budget
management. When you can measure what a war will cost, it is easy to know how much you will
have to invest in order to win it.

Magic formulas
As we have already mentioned, starting a war (even one you did not want or see coming) without means leads
to unfortunate and unavoidable defeat. There is no such thing as luck in war, and the core weakness of your
enemy may determine your victory if you are not prepared. A question of probability, perhaps. Besides, it may be
that your enemy is not prepared enough, but this is a risky bet.
"Assumptions will get you killed."
Without effective preparation, the CISO's tactics will be plagued by assumptions that are only meant to
reassure them. This is why the CISO must invest in methodical and thorough preparation. Assumptions lead to
estimates that are often based on emotional factors. It is better not to get involved in the battle if this is the
case. You may ask yourself: "How can you not engage in an attack?" The answer is simple: in this case,
the only choice is to flee, and the only way to flee from the aggressor is to cut off the power supplies
and network connections. In this case, your failure to plan ahead will be exposed and your pride slightly bruised,
but the information system you are protecting will be safe.

Over- and underestimates
Like assumptions, estimates, whether high or low, reveal a form of incompetence. However, since they are
subjective, they do not stand up for long to effective and accurate preparation. In conventional warfare, as in
digital warfare, one can estimate and assume many things. One can misjudge one's strengths or weaknesses, one
can prejudge the enemy's intentions and capabilities to act, one can be overconfident in one's own alarm systems or
claim to have impassable boundaries. The only thing the wise CISO must assume is that it is necessary to
question themselves. On the other hand, after the battle, it is crucial to assess and measure the
effects of the battle and to learn from them.

The cost of additional costs
There are many tools for securing an information system. Whether it is tools that block the path of undesirable
packets (firewalls), those that inspect them in detail (IPS) at various points of the system (antivirus and similar) or
monitoring and behavioral analysis appliances (SIEM), the range of defenses is wide. In any case, it is bigger than
the budget holder's wallet. It is therefore sometimes difficult for the CISO to obtain the equipment they
want. Sun Tzu is very clear on this subject on several occasions: the tools and weapons for winning the war must
serve the political aims of the prince who leads it. In the same way, the wise CISO is careful to opt for tools that
offer at least some business advantage, as far as possible of course. Thus, the use of a state-of-the-art firewall will
optimize incoming and outgoing network flows, an IPS will reassure partners in the exchange of flows, anti-virus
software will guarantee a high level of security during exchanges with the outside world, and the retention of logs
and their detailed analysis will make it possible to marginalize certain risky behaviors and to make better use of
bandwidth, or even to increase employee productivity. If you manage to transform a security cost into a
core business profit, you are likely to find many allies, even among your fellow managers. This approach
also makes it possible to unite around a defense project. Therefore, you can participate in the security
indoctrination.

The "time" factor
Sun Tzu said:
"The essential thing is victory, not long-lasting operations." War tires even the most experienced
soldier. Imagine spending three days and a weekend fighting a ransomware attack and its devastating effects, while
monitoring your perimeter for anomalies and side effects. Your team is devastated, management can't take the
pressure, customers are harassing your sales colleagues and the markets are predicting a downturn for your
company's stock. Your assailant cannot wait to hear from you and would like to see you finish the job. These
situations are becoming more and more common. There are countless large companies and hospitals under
ransomware attack. And while it is true that the time factor is important in this kind of crisis, victory should not
be overlooked. It is all about finding the right balance between time and victory. The Art of War teaches
us that it is important to speed up the attackers and to shorten the battle in order to emerge
victorious. Most research on the future of cyber-attacks is unanimous: ransomware is by far
the most common attack vector for the coming years.

Starving the enemy
Sun Tzu says:
"(about the enemy) Do not give him the opportunity to bother him, destroy him in, find ways to irritate him to
make him fall into some trap; diminish his forces as much as you can, by making diversions, by killing him from
time to time some party, by taking away from him his convoys, his crew, and other things which may be of some
use to you."
A well-prepared CISO will already have a multitude of types of defenses that offer the possibility of, if not
deterring, then at least misleading the enemy. There are many methods to do this, and many tools as well. If this
defense strategy is already in place, it severely limits certain types of attack and discourages less sophisticated
attackers. The same is true when under fire. Although focused on defending the perimeter and on
ensuring that attacks do not get through, it is necessary to respond to attacks in order to deceive, tire and exhaust
the enemy.

Frustration
In the notion of engagement, frustration is the backdrop to defeat. Indeed, while it is important to generate a lot
of frustration in our enemies to win the war, we should not forget that the enemy can use the same strategy against
us. Thus, this weapon can be turned against us and cause much disillusionment among our
troops and allies. What happens when a board of directors starts to doubt your ability to manage the crisis? What
does a CIO think when they realize that the security investments they have made are in vain? The answer is simple:
frustration has just taken hold of your own side. There is an effective way to avoid frustration during
crises: you must be prepared. And there is only one way to do this: communication. On the one hand, you must
spread the anti-frustration discourse whenever possible. On the other hand, be prepared to communicate during
periods of crisis by taking this anxiety-provoking and often uncontrollable factor into account.

One final question
At the end of Article II (Waging War), Sun Tzu asks one final question: "What objects can be more worthy of
your attention and all your efforts?" This is perhaps the final question you should ask yourself before engaging in
war.

THE END

Thanks

Thanks to all my enemies, those from the past, the present and the future.