Before the First Move Is Made
A field note on Sun Tzu, strategy, and why cybersecurity outcomes are decided long before the first move is made.
Sun Tzu said “Victorious warriors win first and then go to war, while defeated warriors go to war first and then seek to win.”
In strategy, an outcome is rarely decided in the moment of action.
Long before a battle is fought, conditions are set. Decisions are made. Assumptions harden into structure. By the time the first move is visible, the path to success or failure has often already been chosen.
This idea is not new.
In Sun Tzu’s The Art of War, strategy is not framed as aggression or tactics, but as understanding. Victory doesn’t come from reacting faster than an opponent. It comes from knowing the terrain, the conditions, and the enemy well enough that conflict unfolds predictably.
“If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.”
In other words, victory is decided before conflict ever begins.
That perspective fundamentally changes how we think about modern systems.
In cybersecurity, failures are often treated as sudden events. A breach. An outage. An incident. But those moments are rarely the true beginning of the problem. They’re the visible result of decisions made much earlier--when systems were designed, responsibilities assigned, and tradeoffs accepted.
Architecture is one of the clearest expressions of this idea. Every system is encoded based on a set of beliefs about how it will be used, who will interact with it, and what kinds of failures are considered acceptable. Those beliefs may be explicit or implicit, but they shape behavior all the same.
When the knowledge behind those decisions is incomplete, inaccessible, or siloed, the system inherits that blindness.
This is why access to knowledge matters.
If victory is decided before conflict, then withholding knowledge guarantees defeat before the first move is made.
When knowledge is restricted, decisions degrade. When decisions degrade, architecture calcifies. And when architecture no longer reflects reality, failure becomes inevitable long before any attacker appears.
This is the part we keep forgetting: security isn’t only a technology problem. It’s a decision-making problem. And decision-making collapses when the people shaping systems can’t access the information required to understand the consequences of their choices.
Before the first move is made, the outcome has already been decided.