Cyber Strategy Is Not Activity
(And Why Confusing the Two Quietly Undermines the Business)
Writing on cyber strategy, statecraft, operations, and geopolitics in a personal capacity. Views are my own and do not represent any employer or client. I use modern research and editing tools; analysis and judgement are mine.
Cybersecurity is routinely performed under the guise of strategy, yet it is almost universally practised as a form of high-stakes reactivity. This is not for a lack of intelligence or intent among leadership; rather, it is the predictable outcome of a discipline that matured in the frantic crucible of technical virtuosity and immediate crisis. In an environment that rewards the visible heroics of incident response and the quantifiable progress of audit evidence, the quiet, analytical demands of strategy can feel dangerously like hesitation.
True strategy, however, demands precisely that: a form of disciplined restraint. It is the uncomfortable realisation that the most effective leaders are defined not by the fires they extinguish, but by the fires they choose to let burn. The classical strategists understood this tension as a fundamental law of conflict. Sun Tzu’s observation that victory is decided before the first banner is raised was not a mystical claim but a pragmatic one: it is an acknowledgement that conditions, not effort, dictate outcomes. Centuries later, Richard Rumelt would sharpen this into a modern axiom: strategy is a clear diagnosis of the real problem, followed by a coherent set of actions designed to overcome it. In the cyber realm, we have greedily absorbed the language of these thinkers while largely ignoring their required discipline.
When Security Becomes the Objective
The most consequential mistake currently sitting at the heart of the corporate cyber programme is the belief that “security” is the goal. It is not. Security is merely a means to an end—the end being the organisation’s continued ability to pursue growth, reliability, and innovation within a digital environment that remains stubbornly hostile. A cyber strategy that cannot articulate what it is protecting, and more importantly why, is not a strategy at all; it is an aspiration dressed up in the expensive livery of technical intent.
Sun Tzu’s relevance here is not in the “art of war”, but in the “art of the asymmetric”. His focus was on shaping conditions so that conflict, should it arrive, was cheap and manageable. When applied to the modern enterprise, this means deciding—explicitly and unapologetically—where resilience matters most, where friction is an acceptable cost of doing business, and where loss is simply a tolerable reality of operating in the 21st century. These decisions are inherently uncomfortable because they necessitate trade-offs, and trade-offs require the one thing most cyber functions lack: the organisational permission to say “no”.
The Three Layers of Perception
Cyber conversations often collapse into a circular, exhausted logic because we fail to distinguish between strategy, operations, and tactics. Strategy in this context lives at the friction point between business intent and digital risk. It is rarely a technical discussion. Instead, it asks the questions that make people shift in their chairs: Which business processes are existential? Where does the speed of the market outweigh the necessity of control? A serious strategy might conclude that the rapid recovery of a customer-facing platform is more vital than preventing the intrusion itself. These are not “control” decisions; they are orientation decisions, and they dictate the entire trajectory of the firm’s defence.
Operations is the layer where this intent either becomes reality or dissolves into noise. It is the discipline of sequencing and endurance. It recognises that Clausewitz’s “friction”—the inevitable fog and fatigue of execution—destroys more plans than any adversary ever will. A cyber function that pivots weekly between new initiatives based on the latest headline isn’t being “agile”; it is simply drifting.
Tactics, meanwhile, are the most seductive part of the craft. Incident response, red teaming, and vulnerability triage are visible, skill-intensive, and feel decisively productive. They are also entirely local and transient. Tactical excellence can, and often does, coexist with strategic failure. Many organisations respond with surgical precision to incidents while remaining fundamentally exposed to the same underlying forms of loss, year after year. To borrow from the Stoics, it is the difference between being a skilled rower and actually knowing which way the current is moving.
A Lived Example: The Courage of Bounded Risk
A few years ago (in a prior role), following a high-quality red team exercise, we were presented with findings that were as well-evidenced as they were uncomfortable. The natural institutional instinct was to close every gap and uplift every control immediately. On a dashboard, this would have looked like responsible management. In reality, it would have cannibalised the engineering capacity of a revenue-critical platform that had nothing to do with the exercise but everything to do with a vitally important business unit’s market strategy.
The strategic question was not whether the findings were valid—they were. The question was: What loss actually matters most to the business over the next eighteen months? The answer was not “improving a maturity score” but ensuring the continuity of the revenue engine. We made the counterintuitive decision to accept certain risks as “bounded” and redirected our limited capital towards recovery capability and identity controls that reduced the blast radius across the entire estate. There was nothing heroic about the decision, and it made for a particularly dull board report, but it aligned our effort with reality. That is what strategy looks like in practice: it is quiet, often misunderstood, and profoundly boring to those who crave tactical drama.
There is a further, often unspoken force shaping cyber strategy: regulation itself. Regardless of whether a particular standard, circular, or supervisory focus reflects an organisation’s internal risk assessment, the moment a regulator asks a question, it reshapes the terrain. Attention must be paid. Resources must be allocated. Sequencing must change. This is not necessarily misalignment; it is a fact of operating in a regulated space, where fear, reputation, and institutional self-preservation exert their own quiet gravity. Sun Tzu would recognise this immediately. Terrain does not need to be fair to be decisive. The strategic failure is not acknowledging its impact but allowing externally imposed obligations to crowd out deliberate choice about what actually matters most.
Thucydides, writing of Athens and Sparta, reminds us that even the most rational actors are ultimately driven by fear, honour, and interest—a triad that still governs how boards, regulators, and executives respond to cyber risk under pressure.
The Board-Level Postscript
For those at the executive level, the distinction between these layers is the difference between governance and interference. A mature cyber function should not be judged by the absence of issues but by the presence of clear, calm, and coherent decision-making under constraint.
When the board asks, “Are we secure?”, they are asking a tactical question that invites a defensive answer. The more sophisticated enquiry—the one that drives real value—is: “Are we managing digital risk in a way that supports our risk appetite and business objectives?” This requires clarity on three things:
Materiality: Which systems would cause genuine, material harm if lost? If everything is a priority, nothing is.
Explicit Trade-offs: Every control introduces friction. We must be honest about where we are choosing speed over security and why that choice is justified.
Trajectory over Activity: Metrics should indicate whether we are becoming more resilient to the losses that matter, not just how many “activities” we performed this quarter.
If cybersecurity is to mature as a business discipline, it must reclaim its classical lineage. We do not need louder dashboards or faster responses; we need clearer thinking about what matters and the discipline to leave the rest behind. This kind of thinking is slower; it does not reward short attention spans, and in an era of digital volatility, that is precisely why it is our only real competitive advantage.
Further Reading: Strategic Lineage, Not Cyber Canon
The argument in this piece does not originate in cybersecurity. It draws instead from a longer tradition of strategic thought concerned with power, constraint, uncertainty, and human behaviour under pressure. For readers who wish to explore that lineage more deeply, the following works are particularly instructive.
They are not recommended as military texts but as guides to judgement in complex, regulated, and adversarial environments.
The Art of War (孙子兵法 / Sun Zi Bing Fa)
Sun Zi’s enduring relevance lies not in tactics, but in orientation. His central insight is that outcomes are shaped less by effort than by conditions: terrain, timing, asymmetry, and perception. In modern organisational terms, this translates to understanding which constraints matter, which risks can be shaped rather than eliminated, and where indirect advantage is preferable to direct confrontation.
For accessibility and modern context, Anthony Cummins’ interpretation is particularly readable. For those interested in fidelity and nuance, bilingual editions with side-by-side Chinese and English text offer valuable insight into Sun Zi’s emphasis on judgement over prescription.
On War – Carl von Clausewitz
Clausewitz is often misunderstood as a theorist of violence rather than a philosopher of constraint. His concepts of friction, fog, and the subordination of action to political purpose are directly applicable to contemporary organisations operating under regulatory pressure, resource scarcity, and imperfect information. His work explains why well-intentioned plans fail in execution and why coherence matters more than precision. On War rewards slow reading and resists simplification, much like the environments it describes.
Good Strategy Bad Strategy – Richard Rumelt
Rumelt provides a modern, unsentimental articulation of strategy stripped of mystique. His framing of strategy as diagnosis, guiding policy, and coherent action is especially relevant to cyber and governance contexts, where activity often substitutes for thought. This work is invaluable for distinguishing genuine strategy from ambition, slogans, or accumulated effort. For boards and executives, it offers a practical language for challenging “busy” programmes that lack a clear theory of value.
The Prince – Niccolò Machiavelli
Machiavelli is best read not as a moral provocateur, but as a realist observer of power, legitimacy, and institutional survival. His insights into appearance, authority, and the gap between intent and outcome remain highly relevant to executives navigating stakeholder expectations, regulatory scrutiny, and reputational risk. Where Sun Zi focuses on terrain, Machiavelli reminds us that perception itself is terrain, and that leaders are often judged less by outcomes than by how their decisions are understood.
History of the Peloponnesian War – Thucydides
Thucydides offers perhaps the clearest account of how rational actors behave under pressure. His framing of decision-making as a tension between fear, honour, and interest explains why organisations frequently act against their own stated preferences during crises. For boards and regulators confronting cyber risk, this work is particularly illuminating. It should be read not as military history, but as a study of governance, escalation, and institutional behaviour in conditions of uncertainty.
Taken together, these texts converge on a single insight: strategy is not the accumulation of activity, but the disciplined management of power and constraint. They remind us that the hardest part of leadership is rarely execution itself, but deciding what is worth executing, in what order, and at what cost.
That challenge has not changed in two millennia. Only the terrain has.