How Cyber Security can benefit from Chinese Strategic Thinking

This is likely to become a series of posts I’ll be doing over the coming months, as there’s no way I could write what I’d like to about this subject in a single blog post.

Over the past year or so, I’ve been focusing a significant part of my learning and development time on the issue of Strategy, particularly Cyber Security strategy, and, maybe by accident, I ended up being drawn to a particular set of resources that have been shaping my views and understanding of it. Here are a few:

  • Wardley mapping — A great introduction which I’m proud to be part of the Patreon group (created by Benjamin Mosior) funding its development is In terms of Chinese strategic thinking, Wardley mapping is heavily influenced by it, as at a high level it’s comprised of Sun Tzu’s Five Factors (Purpose, Landscape, Climate, Doctrine and Leadership) and an OODA (Observe, Orient, Decide, Act) cycle developed by John Boyd and heavily influenced by Sun Tzu and early Western Complexity thinking.
  • Cynefin framework — Created by Dave Snowden, it’s a sense-making framework. You can find a basic introduction which then relates it to Cyber Security by Phil Huggins here. It provides methods and approaches to understand your environment and categorise situations as ordered, complex or chaotic, and helps ensure we apply appropriate methods to deal with situations depending on their nature. I’m currently over 1/3 of the way through a proper course with Cognitive Edge, so I expect my full appreciation and application to be improving over the coming months. I asked Dave Snowden not long ago on Twitter about his thoughts on how the Tao relates to Complexity, in particular how Confucianism interacted with Daoism to stabilise Chinese society. Really looking forward to that. Of particular relevance in Strategic thinking is how Sun Tzu’s approach is systemic (“dealing with nothing in isolation, with full appreciation of relationships and contexts”, Derek M C Yuen) and how Dave Snowden refers to Complexity as “being about linkages, not things”. I believe there’s more to how they relate to each other than has been explored by Western authors.
  • Art of War by Sun Tzu — In particular, Derek M C Yuen’s book entitled “Deciphering Sun Tzu: How to read the Art of War”. There’s a whole host of reasons (part of what I’ll be exploring in the future) why Chinese Strategic thinking has been eluding most Westerners, and mainly it relates to language (dialectics) and culture. Yuen argues that Art of War is one of the most misquoted books in history, arguing that “most people reduce the text to short and decontextualised axioms, aphorisms, and phrases”, and that’s what happens when there’s no grasp of Chinese philosophy.
  • Tao Te Ching — Yuen also makes the case that Tao Te Ching is not just a philosophy work but a strategic text, as it addresses gaps left by Sun Tzu in the Art of War, namely with regards to the political and non-military arenas. It’s on my To Do list to read a different translation of the book, as the one I have seems to be too focused on philosophy, so it’s been hard for me to fully grasp the strategic application. More on that soon.

Some of the concepts which I’ll explore in further blog posts, such as Yin/Yang polarity of opposites, issues of form, deception, bifurcation of labour in war as in attacking and defending, configuration of power and deployment of forces, conditions-consequences as opposed to means-ends thinking, theory of control, absolute flexibility and absolute objectivity, are some of the key concepts that have been almost literally blowing my mind.

Not only with regards to the usefulness and practicality of their implications, but also because I’m finding there are many instances, frameworks and approaches in our currently available practices which map spectacularly against them. I’ll be trying over the coming months to synthesise, distil and make hopefully useful analysis on how applying some of these concepts can help us navigate the complexity of Cyber Security as a whole, whilst also helping us set Strategy by following timeless principles, hopefully doing away with a lot of the memes, Gartner-quadrants, simplistic 2x2s and Compliance-driven “strategery”.

A lot of what I plan to write deals exactly with dialectics, as until we have a different way of expressing ourselves and perceiving cyber challenges, we’ll keep being blind to different ways of doing things.


Cat Swetel has recently made some brilliant comments I’ll refer to now.

Understanding strategy is or should be mostly about “epistemic justice”, and sharing tools to understand both strategy (Wardley) and Complexity (Snowden) is about sharing information so some stop believing that defining and setting strategy is the domain of geniuses or expensive consultants.

Be aware Situational Awareness is NOT common, so a good percentage of those setting strategies are potentially/probably just following memes, and these resources I mentioned, I believe, have the opportunity to bring strategic thinking and understanding to wider audiences so we can start challenging each other and improve together.