2018/09/26 Art of war, leadership and cybersecurity (by François Gratiolet)

Strategy was first an art of war before it was applied to business. The oldest text in this field is the Art of War by Sun Tzu, a Chinese general who lived 500 years BC.

Some studies have shown that companies whose leaders adopt a military approach and language perform better than those who refuse to consider their competitors as enemies. It is possible to draw ten lessons from the Art of War.

Previously operational and technical, the challenges of cybersecurity now include levers of confidence and business development as well as those of preserving and ensuring the sustainability of the company. Beyond their business expertise, it is therefore up to those in charge of cybersecurity to understand the codes of corporate strategy and integrate them into their speeches and actions.

How can chief information security officers (CISOs) apply the principles of the Art of War to cybersecurity?

  1. Be a strong and exemplary Chief Commander to unleash the full cybersecurity potential of your employees. In the event of a proven cyber-attack, your employees will be the first ones to react, and for this reason must be educated and trained accordingly.
  2. Be careful and set aside budgetary reserves in case of data breaches, which are inevitable in the long run. It is all about managing uncertainty.
  3. Perform SWOT (Strengths, Weaknesses, Opportunities, Threats) analyses to better understand your organisation and the cybersecurity function itself, as well as its environment and cyber “enemies”. You will develop a cybersecurity strategy that is fully aligned with your organisation’s goals.
  4. Reinforce your cyber defenses with continuous improvement. Cybersecurity is not a solution or a one-off project but a process!
  5. Innovate, for example by collaborating with tech startups to deal with new digital usages and to cope with increasingly frequent and sophisticated cyberattacks.
  6. Stop copying or following your peers in other organisations. Good cybersecurity practices (and frameworks) encourage organisations to “benchmark” each other. Benchmarking does not mean copying what another organisation does… Good practices need to be broken down by considering the organisation’s value chain and business issues. Thus, become a specialist in your industry by implementing a target operating model that fits your organisation, maximizing your organisation’s cybersecurity performance.
  7. Develop cybersecurity capabilities and offerings that are functionally and economically tailored to the needs of your business lines. For example, propose a 2-factor authentication (2-FA) solution for a group of users of an online service who have low risk aversion.
  8. To solve your problems today, do not use yesterday’s solutions! AI will be a great help to detect previously unknown attacks, reduce the number of false positives, cope with the lack of cybersecurity resources on the market…
  9. Reduce your complexity to increase the cybersecurity efficiency of your organisation. Develop a readable offering for the rest of the organisation, automate cybersecurity processes as much as possible, adopt a DevOps approach in cybersecurity projects…
  10. Focus your efforts and allocate resources in the right places and at the right level using strategy tools (value chain, Porter’s forces, SWOT, Eisenhower matrix…). Protect first the “Crown Jewels”, i.e. the assets that create the most value for your organisation.

Today CISOs must become military strategists to win the war against cybercriminals and other threat agents. Organisations are in the line of sight of rapid attacks that compromise their customers’ data instantly and sabotage services.

Putting the principles of the Art of War into practice will reinforce the CISO’s position as an executive and leader. The tools, skills and mindset inspired by corporate and military strategy are necessary! In addition to the methodological contributions, this includes acquiring a language that facilitates communication with boards of directors, management committees, shareholders… but also all employees.