March 29

Lessons from Sun Tzu’s “The Art of War” in Cybersecurity: Timeless Wisdom or Outdated Tactics?


Introduction

Sun Tzu’s "The Art of War" is a legendary strategic treatise written more than 2,500 years ago. Its enduring principles of warfare strategy have transcended military boundaries, influencing disciplines from business management to competitive sports. In today’s digital age, its relevance is increasingly apparent in the cybersecurity landscape, particularly for CISOs of medium-sized enterprises, who face unique challenges balancing resource constraints with sophisticated cyber threats.

For these CISOs, understanding Sun Tzu’s principles could offer valuable strategic insights, helping them better prepare, respond, and adapt to cyber threats. Yet, not every lesson from this ancient text directly translates to modern-day cybersecurity. Some tactics remain timeless, while others have clearly become obsolete or impractical in today’s digital context.

The central question therefore arises: Which insights from "The Art of War" continue to offer critical advantages in the realm of cybersecurity, and which should be reconsidered or abandoned entirely? This article explores this question, providing clear examples and actionable advice tailored specifically to the realities of today’s medium-sized enterprises in Germany.

Sun Tzu’s Five Terrible Sins of a General in Cybersecurity

Sun Tzu lists five dangerous faults that can doom a general and his army in The Art of War. These are psychological or character-based weaknesses that enemies can exploit. Sun Tzu’s point: a general’s mindset and temperament are just as critical to success as his strategy.

1. Recklessness

Recklessness in cybersecurity refers to the dangerous oversight or neglect of fundamental security practices. Often stemming from a false sense of security or the mistaken belief that an enterprise is "too small" or insignificant to be targeted, recklessness includes actions such as ignoring timely patch management, neglecting regular employee cybersecurity training, or failing to adequately monitor and respond to potential vulnerabilities.

A poignant example is the widespread exploitation of the MOVEit file-transfer service vulnerability. In 2024, attackers from the Cl0p ransomware group successfully leveraged a zero-day vulnerability to infiltrate numerous organizations worldwide. Despite timely availability of security patches, delays in their implementation allowed attackers to compromise more than 8,000 organizations, resulting in over 1,500 confirmed data breaches and exposing the sensitive information of approximately 100 million individuals (Verizon, 2024). This breach clearly demonstrates the severe consequences of neglecting prompt software updates and vulnerability management.

This case underlines a critical lesson: Vigilance and proactive cybersecurity measures must form the baseline of any corporate security strategy. Regularly updating software, promptly applying security patches, and maintaining continuous employee training are not optional but foundational practices. Enterprises must adopt a culture of proactive vigilance rather than reactive damage control. By doing so, medium-sized companies can significantly reduce their risk exposure and minimize the devastating impact that recklessness can have on their operational continuity and financial health.

2. Cowardice

Cowardice in cybersecurity manifests as avoidance behavior, hesitation to act decisively, or a reluctance to promptly inform stakeholders about critical security incidents. This often arises from fear of reputational harm, regulatory penalties, or simply the uncertainty of decision-making under crisis conditions. The result is typically delayed incident response, ineffective communication, and prolonged recovery periods, exacerbating the damage caused by cyber incidents.

An illustrative real-world example is the ransomware attack on a municipal IT service provider in Germany in October 2023. After discovering encrypted data on its servers, the provider hesitated to decisively manage the incident by promptly informing external experts and affected stakeholders. Instead, internal deliberations significantly delayed an effective response. Due to this hesitation, critical municipal services experienced severe disruptions, impacting around 72 municipal customers and affecting at least 1.7 million residents. The prolonged downtime led to significant operational challenges, with many IT systems remaining partially or entirely offline for months. It was later revealed that prompt engagement of external cybersecurity expertise and transparent communication with stakeholders could have mitigated the extensive disruption (Bundesamt für Sicherheit in der Informationstechnik [BSI], 2024).

This incident underscores the essential lesson that proactive incident response plans and regular readiness drills are critical. Organizations should regularly conduct cybersecurity incident simulations to build management confidence and reduce hesitation in crisis scenarios. By preparing executives and teams through realistic practice scenarios, medium-sized enterprises can overcome cowardice, enhance their response capabilities, and significantly reduce the potential impact of cyber incidents.

3. Excessive Sense of Honour

An excessive sense of honour in cybersecurity often arises from pride or embarrassment, compelling management to conceal cybersecurity breaches or minimize their significance. This misguided sense of reputation protection can significantly hamper transparent incident management, ultimately intensifying both the scale of damage and the resulting financial and reputational fallout.

A notable example involves the recent U.S. Securities and Exchange Commission (SEC) regulations introduced in 2023, mandating timely disclosure of significant cybersecurity incidents. Despite these clear regulatory requirements, some well-known companies have fallen short of compliance, providing insufficient details about cyber incidents in their disclosures. Such noncompliance typically stems from corporate reluctance to publicly acknowledge vulnerabilities or security failures, driven by concerns over reputational damage. This inadequate reporting not only violates SEC guidelines but also undermines investor trust and regulatory confidence, potentially leading to enhanced scrutiny and penalties (Zscaler ThreatLabz, 2024).

The Verizon Data Breach Investigations Report (2024) repeatedly emphasizes the critical importance of transparency during cybersecurity incidents. Transparency not only fulfills regulatory obligations but also maintains stakeholder trust. Admitting mistakes openly and promptly positions the organization as responsible and trustworthy, turning cybersecurity breaches into opportunities for organizational learning and improvement. Hence, fostering a culture of openness and accountability helps enterprises recover more swiftly and effectively, transforming potential crises into valuable learning experiences.

4. Uncontrolled Temperament

Uncontrolled temperament refers to emotional overreaction by cybersecurity leaders when confronted with threats, mistakes, or provocations. Emotional responses can cloud judgment, impair decision-making, and significantly harm team morale and trust.

A relevant insight comes from the Rubrik Zero Labs Report (2024), which reveals that only 56% of employees feel comfortable reporting security incidents. The main reason for underreporting is fear of punishment or embarrassment — a direct consequence of how leadership reacts to mistakes. This highlights the importance of a psychologically safe environment: If cybersecurity leaders respond with frustration or blame, they risk silencing their most important sensors — the human ones.

According to Daniel Goleman’s influential work Emotional Intelligence in Leadership, effective leadership demands measured and thoughtful responses, especially during stressful situations. Emotional intelligence training can equip cybersecurity leaders with the skills to manage stress constructively, foster a supportive atmosphere, and strengthen internal trust. Ultimately, controlled temperament ensures clear-headed, strategic decision-making — crucial for effective cybersecurity management.

5. Excessive Concern for Subordinates

Excessive concern for subordinates, while seemingly commendable, can lead to overly cautious leadership and indecisiveness, especially in critical cybersecurity scenarios. Leaders overly focused on avoiding staff overload or stress may inadvertently delay essential initiatives or interventions, jeopardizing organizational security.

An illustrative example from the Semperis 2024 Ransomware Report highlights that organizations frequently underestimate the true scope and cost of ransomware, leading to delayed or insufficient cybersecurity measures. Specifically, the report indicates that many businesses hesitate to make necessary investments in critical cybersecurity infrastructure and practices, primarily due to concerns about overburdening their IT and security teams. This cautious approach, while aiming to protect staff well-being, inadvertently exposes organizations to repeated successful ransomware attacks. Indeed, the study revealed that 74% of organizations victimized by ransomware within a 12-month period experienced multiple attacks, many within the same week, significantly amplifying damage and recovery costs (Semperis, 2024).

The essential lesson here emphasizes the importance of balancing empathy for staff well-being with decisive action. Effective leadership requires strategic clarity and timely decisions, especially in cybersecurity, where delays can dramatically escalate threats. Rather than avoiding necessary changes, leaders should proactively communicate the importance of cybersecurity initiatives, providing clear justifications and adequate resources to support staff. Regular training, prioritization, and strategic clarity can help teams manage workloads effectively while addressing critical security concerns. Ultimately, this balance between empathy and decisiveness is crucial for protecting an organization from cyber threats without compromising team morale or operational efficiency.

Preparing for the Inevitable Cyber Attack

Sun Tzu advises, “Do not hope that the enemy won’t come, but rely on our readiness.” This ancient wisdom perfectly encapsulates a critical mindset required in today’s cybersecurity landscape: attacks are inevitable, and preparation is paramount. For CISOs and cybersecurity leaders of medium-sized enterprises, adopting the "not if, but when" philosophy is essential to effectively managing risks and protecting organizational assets.

The inevitability of cyberattacks is starkly highlighted in recent statistics from the Bundesamt für Sicherheit in der Informationstechnik (BSI). According to the BSI Lagebericht zur IT-Sicherheit (2024), 93% of German companies experienced cyber incidents within the past year, with medium-sized enterprises being particularly targeted due to their typically less robust security measures compared to larger corporations (BSI, 2024). The report underscores significant increases in ransomware attacks, data breaches, and phishing incidents, causing severe financial and operational disruptions, notably in manufacturing, healthcare, and public sectors.

Acknowledging that cyber incidents are a matter of "when," not "if," requires shifting from reactive strategies to proactive preparedness. Regular cybersecurity drills and incident response simulations significantly enhance organizational readiness. For example, the British Library’s response to a severe ransomware incident highlights the effectiveness of well-prepared crisis management. Upon detecting the breach, they immediately activated their pre-established incident response committees, clearly delineated roles and responsibilities, and maintained transparent communication internally and externally, which greatly contributed to their swift and structured recovery (British Library, 2024).

Furthermore, ongoing risk assessments are critical to identifying, evaluating, and mitigating threats proactively. The Rubrik Zero Labs Data Threat Report (2024) emphasizes this, stating:

"It’s no longer a question of if, but when a cyberattack will impact your organization. Preparation can be your secret weapon. Leaders must not only develop a response strategy but put it into practice so that when an attack happens, you have the right team, solutions, and processes in place to quickly restore your business."
— John W. Thompson, Former Microsoft Chairman of the Board, Former Symantec CEO (Rubrik Zero Labs, 2024, p. 17).

Thus, Sun Tzu’s principle of preparedness remains profoundly relevant today. Medium-sized enterprises must embrace a culture of readiness, emphasizing regular drills, robust incident response teams, and thorough risk assessments. Adopting this proactive stance ensures enterprises can respond quickly and effectively, minimizing damage and safeguarding their long-term operational stability and reputation.

Can We Really Make Our Cyber Defenses "Unassailable"?

Sun Tzu famously advised, “Not counting on the enemy not attacking, but on our positions being impregnable.” This statement reflects an ideal of absolute security that many cybersecurity leaders aspire to achieve. However, in today’s complex digital infrastructure, the notion of truly unassailable cyber defenses is increasingly seen as an unattainable ideal. Digital networks have become exceedingly interconnected, dynamic, and reliant upon third-party services and cloud infrastructure, dramatically expanding potential attack surfaces.

Realistically, no organization can claim absolute invulnerability to cyber threats. The sophistication and resources available to cyber adversaries, ranging from highly organized criminal syndicates to nation-state actors, make the complete prevention of breaches almost impossible. As German SMEs frequently integrate more deeply into global digital ecosystems, vulnerabilities multiply rapidly, making the pursuit of total cybersecurity perfection impractical.

Acknowledging this reality, experts advocate shifting the strategic goal from total prevention to robust "Cyber Resilience." According to the European Union Agency for Cybersecurity (ENISA) and its Cybersecurity Resilience Framework, resilience prioritizes an organization’s ability to maintain continuous business operations even in the face of successful attacks. Rather than aiming solely at impregnable defenses, resilience encompasses early threat detection, rapid containment, effective response, and swift recovery capabilities.

The British Library’s experience following a severe ransomware attack in 2024 exemplifies this resilience-focused strategy. Recognizing that no security is perfect, the British Library emphasized the critical importance of quickly recovering from attacks. They established the "Rebuild & Renew Programme," designed around immediate crisis response (Respond), interim recovery solutions (Adapt), and the creation of long-term resilient infrastructure (Renew). This structured approach enabled the British Library not only to recover swiftly but also to strengthen their defenses against future incidents (British Library, 2024).

Additionally, Shay Reddy, CISO at Hanna Andersson, highlights that fundamental resiliency involves securing organizational data so that if traditional defenses fail, businesses can quickly recover and resume operations (Rubrik Zero Labs, 2024):

"Protecting your organization and its data comes down to fundamental resiliency. And resiliency comes from securing your data. In the event that a cyberattack makes its way through traditional defenses, if your data is secure, you have the opportunity to quickly recover your business and come out on the other side."
— Shay Reddy, CISO at Hanna Andersson (Rubrik Zero Labs, 2024).

Practical advice for enhancing cyber resilience begins with developing robust detection mechanisms, including continuous monitoring and real-time alerting systems that swiftly identify anomalies and suspicious activities. Rapid containment strategies, such as automated isolation of compromised network segments, help limit the impact of an attack. Equally critical is the implementation of comprehensive disaster recovery and business continuity plans, ensuring swift and structured recovery from incidents.

Ultimately, Sun Tzu’s advice remains conceptually valuable, though modern enterprises must reinterpret the idea of "impregnable positions." Achieving absolute security may be unrealistic, but cultivating robust cyber resilience is both achievable and essential for the digital age. Organizations that prioritize detection, containment, and rapid recovery will position themselves effectively, not by claiming invulnerability, but by confidently managing and mitigating inevitable cyber risks.

How C-Level Leaders Stack Up Today

When assessing how current C-level executives measure against Sun Tzu’s criteria, it becomes clear that today’s cybersecurity landscape poses unique leadership challenges. Sun Tzu’s emphasis on strategic foresight, calmness under pressure, and clarity in decision-making remains strikingly relevant, yet executives often fall short in key areas.

Modern leadership studies, notably Daniel Goleman’s research on emotional intelligence, highlight common pitfalls such as reactive decision-making, inadequate communication, and insufficient stakeholder engagement in cybersecurity management. According to the Rubrik Zero Labs Report (2024), 64% of surveyed leaders indicated their IT and SecOps teams were only somewhat or not aligned when it came to organizational defense strategies. This misalignment underscores the communication gaps and organizational disconnect often prevalent in cybersecurity management.

Leaders frequently underestimate the human dimension of cybersecurity, treating it purely as a technical issue rather than a comprehensive organizational challenge. The Verizon Data Breach Investigations Report (2024) illustrates this vividly, noting that human error accounts for 28% of data breaches, emphasizing the critical need for broader stakeholder engagement and robust cybersecurity awareness programs (Verizon, 2024, p. 8).

Moreover, studies have shown that executives often prioritize short-term financial objectives over long-term cybersecurity resilience, reflecting Sun Tzu’s warnings against recklessness and shortsightedness. The IBM Cost of a Data Breach Report (2024) highlights this tension, revealing that more than half of the affected companies experienced severe cybersecurity talent shortages, exacerbating risks due to insufficient long-term investment in personnel and training (IBM, 2024, p. 4).

Effective risk management also demands strategic clarity. As pointed out by Akamai’s Defenders’ Guide (2025), successfully prioritizing cybersecurity risks involves maximizing impact while minimizing resource use—a task requiring precisely the type of strategic foresight advocated by Sun Tzu (Akamai, 2025, p. 4).

Practical recommendations include promoting ongoing security awareness across all organizational levels, enhancing leadership accountability for cybersecurity outcomes, and fostering a culture shift toward transparency and resilience. Effective C-level leaders should regularly engage with cybersecurity teams, actively participate in incident response drills, and communicate transparently about threats and vulnerabilities.

By aligning leadership practices with these insights, executives can significantly strengthen their organizations’ cybersecurity posture, reducing risks and better navigating the complexities of today’s digital threats.

Conclusion

In revisiting Sun Tzu’s "The Art of War", it becomes evident that while certain tactics—such as striving for absolute impregnability—are outdated given today’s complex digital infrastructures, many of its core principles remain strikingly relevant. Recklessness, cowardice, misplaced pride, uncontrolled temperament, and excessive caution, though originally outlined for the battlefield, resonate clearly within modern cybersecurity management. For CISOs in medium-sized enterprises, the key lies not in rigid adherence to ancient doctrines, but rather in a balanced integration of timeless strategic wisdom with contemporary best practices. The path forward involves fostering a security culture built upon resilience, transparency, and proactive preparedness. CISOs must act decisively to embed these principles deeply within their organizations, ensuring not just the effective management of inevitable cyber threats, but also the sustained trust of stakeholders and the long-term viability of their enterprises in an increasingly uncertain digital landscape.

References


Tags

ethics, incident response, resilience, security strategy
