Gary Hibberd


25th January marks the Chinese New Year! So …

Gung hay fat choy! (wishing you great happiness and prosperity)

According to the Chinese horoscope, 2020 is the year of the Rat, meaning the year is going to be a strong, prosperous, and lucky year for almost all of us! Great news!

In honour of this time of year I wanted to bring both the historical and the digital together by introducing you to Sun Tzu. Because if Sun Tzu was around today, I’m convinced he would be a cybersecurity consultant.

Who was Sun Tzu?

Around 2,500 years ago Sun Tzu, a general in the Chinese army, a philosopher, and a military strategist, wrote the earliest, and still the most revered, military text in the world – The Art of War.

The Art of War was said to have been studied by Napoleon Bonaparte and other renowned leaders throughout history. It is still required reading at many military schools around the world, and everyone from Richard Branson to Steve Jobs and Elon Musk has studied his work.

The book is broken down into different topics and sections, covering areas such as ‘Laying Plans’, ‘Weak points and Strong’, and even ‘The use of spies’. It’s believed that the book was originally a series of letters and texts that were later pulled together into one volume (some say that Sun Tzu never actually existed and it’s the work of several authors, but let’s just give Sun Tzu the credit until someone can prove otherwise).

Why is it relevant?

Most of us (thankfully) don’t feel the effects of the wars that are currently taking place around the globe. But there is a war that we are affected by, and it’s happening right now before our eyes, and below our fingertips. Cyber warfare is very real and happening right here and right now.

Even if you don’t believe the hype that cybercriminals or state-sponsored attacks are on the increase, you have to admit that there is a war taking place to gain your attention. Digital distraction and information overload are on the increase, so we need to be better prepared for this new kind of warfare.

To help us do this, I’ve taken one of my personal favourite sections of The Art of War and expanded on it below for you to consider and perhaps internalise to yourself, or your business.

Getting to know you

In business we know it makes sense to have a risk management process in place where we look at our business and ask “What could be a risk to us?” But you’d be amazed how many organisations don’t do this risk assessment very well, nor do they dig deep enough.

Knowing your strengths and weaknesses makes your organisation stronger. It’s so obvious that Sun Tzu wrote about it 2,500 years ago…

“If you know the enemy and know yourself, you need not fear the result of a hundred battles…”

What Sun Tzu is telling us is that we need to understand ourselves, and the enemy (cybercriminals?), and if we do then we’ll be better prepared and able to win in any battle. 

Does your organisation consider the external threats to your business? The things that can go wrong? I’m guessing you do. I’ll bet you have “Threat from cybercrime” or “Hackers”, or something similar on your Risk register.

If you do, then that’s great and you’re on the right path, but what someone in your business needs to understand is the story behind these risks. Someone should be asking:

  • Who are the cybercriminals / attackers?
  • Why would they attack us? What is their motive?
  • What information would be most valuable to them?
  • What would they do with the information if they got hold of it?
  • Where are we most vulnerable to attack?

This is something that, as a cybersecurity consultant, I have to understand and consider for my clients on an ongoing basis; it’s my job to know the enemy.

Sun Tzu goes on to say that:

“If you know yourself but not the enemy, for every victory gained you will also suffer a defeat.”

Risk management normally doesn’t go into this level of detail, but someone needs to be asking – and answering – these questions. So don’t just try to understand the risk; try to know your enemy.

Know your strengths

If you’re following a good approach to Risk Management, you’ll probably be identifying the controls you have in place to prevent the risk from occurring. You might audit your processes, and you might even carry out Penetration Tests, where you get cyber experts to simulate an attack on your systems. 

These are all good practices and I’d highly recommend you do them. But are they enough? 

Do they only confirm what you already know? Are they highlighting your strengths? Or are they just showing you where you are weak? Are you doing the same thing month-on-month, year-on-year?

Audits and Penetration Tests should help you understand both your strengths and weaknesses. Each time you conduct an audit or Penetration Test you need to re-evaluate what you’re looking for and trying to achieve.    


Sun Tzu has a stark warning for those who don’t look to understand the risk of cyberattack, don’t look to understand the enemy and aren’t sure of their own strengths and weaknesses:

“If you know neither the enemy nor yourself, you will succumb in every battle.”

Basically, it should come as no surprise that if you haven’t prepared for the eventuality of being attacked, then you’re going to lose every time.

Putting Sun Tzu’s quote together then, this cybersecurity expert from the past is sending us a clear message:

“If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.”

Sun Tzu has some great advice for us, and ‘The Art of War’ should be on your reading list if it isn’t already. His words speak to us from across the years, and are as relevant today as they ever were – perhaps even more so.

So now you’ve read this blog, my question to you is: what are you going to do today to begin to understand yourself, or the enemy, better?

If you have read Sun Tzu, then what’s your favourite quote? How have you internalised it and what benefits did you get from it?

Good luck.
