In the military, the art of strategy is key. It teaches how to win a war through a series of battles, campaigns and tactics. In the cybersecurity world, we have been on the defensive side for as long as we can remember. We focus on frameworks and tactics such as Defense in Depth, the onion or defensive layer theory, and perimeter security. And that’s why threat actors still have control of the battlefield today. Instead, in order to become more cyber resilient, we need to take a leap into the offensive side, always thinking about our enemies’ strategies.

In “The Art of War,” Sun Tzu says “Tactics without strategy is the noise before defeat.”

Thinking only about tactics will always put you in a reactive position. So, you will always make short-term decisions based on a previous ad-hoc solution.

These short-term tactics won’t work in the long run against the changing face of cyber threats. Instead, we need to look at the bigger picture. Let’s focus on strategies that will lead to winning the war, not just a battle.

Building a Strategy for a Cyber Resilient Enterprise

Security teams are always under persistent pressure, fighting multiple battles on different front lines. These front lines are only going to get larger and more rugged in the future, especially with an increasing number of devices. After all, it’s now normal for employees to control, manage and monitor the shift into containerization, 5G networks and the use of artificial intelligence.

IBM’s 2020 Cost of a Data Breach Report reveals that, even with today’s applied controls, the average time to identify and contain a breach is 280 days. And a breach costs an average total of $3.86 million. That is the red flag that we need to act on a strategic level. And that requires shifting our mindset to a top-to-bottom approach. Let’s take a look at the five steps required to do that.

Define Risk

We’ve written before about taking a risk-driven approach to security, which can contribute to being more cyber resilient. There are several ways to do this, including following an official framework like NIST, ISO 2700 and COBIT.

As we wrote before, “Frameworks are becoming the strategic tool of choice to assess risk, prioritize threats, secure investment and communicate progress for the most pressing security initiatives.”

The defining risk step is also a good time to work with professional security services. They can help you identify what parts of your business are most vulnerable and which should be the top priority to secure.

Define Crown Jewels

What exactly needs to be cyber resilient? Well, all of your assets, but even more so the most critical ones. It is common to refer to critical data and assets as ‘crown jewels.’ It would be great to protect the entire enterprise and every crown jewel. The challenge is finding them all and knowing which ones are the target. In “The Art of War” Sun Tzu says, “If he sends reinforcements everywhere, he will everywhere be weak.’’

So, we need to track high-value assets and information flow in the enterprise and evaluate risk posture over time to flag and remediate business impacts.

Know Your Enemy

Warriors win by studying the enemy’s strategy. When becoming more cyber resilient, that strategy includes the tactics that help attackers get in, stay hidden and steal stuff. Knowing their strategies leads to keeping your defensive strategy up-to-date on an ongoing basis. ‘If you know the enemy and know yourself, you need not fear the result of a hundred battles,” says Sun Tzu.

The MITRE ATT&CK framework is a good tool at this stage. It provides you with the tactics you need and the strategy on top to link these tactics and threat vectors.

Practice, Practice and More Practice

Hard practice on the field is what will make sure you’re cyber resilient on boom day (an actual attack). This is where putting in the time and effort will pay off. Boom day is where the compromise happens, left of boom is what you could have done to prevent this, and right of boom is what you should do to recover. And one should always be ready for the pre-boom time, the boom and the aftermath.

How do you get ready? First, conduct blue/red team exercises on a regular basis. Even better, add purple team activities to align objectives. You can run test attacks to find gaps and find room for improvement. Last but not least, having skilled employees is your first line of defense. IBM’s Global Cyber Resilient Organization Report outlines that 61% of those surveyed attributed skilled employees as a top reason for becoming more resilient.

As Jerry Rice says, ‘’The enemy of the best is the good. If you’re always settling with what’s good, you’ll never be the best.”

Cyber Resilient Lessons for Today

How do you know you’re doing all of this right? Review outcomes as an iterative process, talk to your team and find out what worked and what didn’t. KPIs and metrics are key here so that you measure and improve.

One thought we should always keep in mind is that security is always integrated. Whatever tech you deploy needs to be built based on your strategy. Avoid the ‘big bang approach’ of deploying multiple tools to give yourself the illusion of safety. IBM’s Global Cyber Resilient Organization Report finds that those surveyed are using more than 45 different security tools on average, leading to less effective security, not more.

In the end, we must keep on adapting to each cyber threat. By knowing yourself, the enemy and the terrain, you can continuously evaluate your strategy so that you’re always one step ahead.

More from Intelligence & Analytics

2022 Industry Threat Recap: Finance and Insurance

The finance and insurance sector proved a top target for cybersecurity threats in 2022. The IBM Security X-Force Threat Intelligence Index 2023 found this sector ranked as the second most attacked, with 18.9% of X-Force incident response cases. If, as Shakespeare tells us, past is prologue, this sector will likely remain a target in 2023. Finance and insurance ranked as the most attacked sector from 2016 to 2020, with the manufacturing sector the most attacked in 2021 and 2022. What…

And Stay Out! Blocking Backdoor Break-Ins

Backdoor access was the most common threat vector in 2022. According to the 2023 IBM Security X-Force Threat Intelligence Index, 21% of incidents saw the use of backdoors, outpacing perennial compromise favorite ransomware, which came in at just 17%. The good news? In 67% of backdoor attacks, defenders were able to disrupt attacker efforts and lock digital doorways before ransomware payloads were deployed. The not-so-great news? With backdoor access now available at a bargain price on the dark web, businesses…

Cyber Storm Predicted at the 2023 World Economic Forum

According to the Global Cybersecurity Outlook 2023, 93% of cybersecurity leaders and 86% of business leaders think a far-reaching, catastrophic cyber event is at least somewhat likely in the next two years. Additionally, 43% of organizational leaders think it is likely that a cyberattack will affect their organization severely in the next two years. With cybersecurity concerns on everyone’s mind, the topic received top billing at the recent World Economic Forum’s Annual Meeting 2023 in Davos, Switzerland. At the meeting, Matthew…

2022 Industry Threat Recap: Manufacturing

It seems like yesterday that industries were fumbling to understand the threats posed by post-pandemic economic and technological changes. While every disruption provides opportunities for positive change, it's hard to ignore the impact that global supply chains, rising labor costs, digital currency and environmental regulations have had on commerce worldwide. Many sectors are starting to see the light at the end of the tunnel. But 2022 has shown us that manufacturing still faces some dark clouds ahead when combatting persistent…