Know the Threat...Quizzing Covid, and Why Cyber is Similar Part - 2
- James Tee
- Apr 15, 2021
- 2 min read
Updated: Dec 30, 2021
If you have not read Part 1, please see the link.
“If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle” ―Sun Tzu, The Art of War.
Tzu sets out a three-phase approach to threat management:
Know yourself.
Know your enemy.
Know yourself in a battle against the enemy (Implied).
Classic 'Security' is a cocktail of audit, regulation and introverted inspection of corporate defences by polyester-clad analysts, since knowing yourself has often been Phase 1 of risk reduction (Tzu) and of M&S fashion (Me).
This use of observation or past assessment is important for monitoring change, but, as we have seen with COVID, it cannot drive strategy for anything dynamic or unknown, nor can it tell you why things have changed. It is, however, important for informing the direction or focus of change.

Another example of how COVID shows parallels with Cyber: the WHO thought it knew the risks, having controlled recent epidemics such as SARS and Swine Flu, but that learnt experience, observation and scientific discovery proved wrong.
In the early 2000s Cyber lived in an age of limited data, before the dawn of the information age. 'Business Protection' was limited to inside knowledge, vendor mailing lists, vulnerabilities, pen-testing and the CISSP. There was little choice, lots of uncertainty and a lack of valuable alternative approaches for rounded defence. With solid firewalls, malware heuristics and an AUP (Acceptable Use Policy) to defend against all known threats, why did we change?
One driver was improved technology that eased detection; the other was easier ways to commercialise crime. This rewrote the threat model significantly, as crime went through a massive shift in monetisation, partly thanks to Bitcoin. Presently Cyber Security has multiple streams of information, with intelligence casting a bright light on many typical cybercriminal methods. Tzu would say this was Phase 2 of threat management.

However, many of us do not link the internal review to external intelligence, or use it to plan and test defences, even though intelligence-led defence has been the most successful approach for millennia.
As the COVID response developed, we saw that improved monitoring, testing and early indicators led to a more surgical approach to controlling the virus.
Enter Phase 3. General Cyber has much to learn from the UK financial sector, namely through CBEST, as directed by the Bank of England (BoE). It turned the tide from 2013 with better use of Threat Intelligence to analyse, model and map how threats could result in a serious impact to the sector, alongside exercises such as 'Waking Shark'.

Just as the world pulled together the science, the limited statistics and experience in response to COVID, the BoE had to do the same. This approach was to counter the increased risk from Nation-States and the legendary APT (Advanced Persistent Threat), adversaries who were not limited to a testing scope hinged on a firewall or an audit of your ISMS (Information Security Management System), and it therefore better protects Critical National Infrastructure. That ends Phase 3 of Tzu's threat management.