Great Learning &
Information Security
how ancient Chinese Classic remains relevant
in modern information security
Chuan Lin, CISSP
Great Learning Background
Who Wrote it
• Zengzi, a disciple of Confucius,
wrote Great Learning.
What is it
• It is the first self-help book that
withstood the test of time and the
first Management as a Service
(MaaS) to others.
Great Learning Background II
When was it written
• It was written sometime between
445 – 436 BC during the Spring
and Autumn Period of Chinese
history when China was in a feudal
sovereignty that consisted of a
hundred city states which owed
loyalty to the Zhou Dynasty.
Where did it flourish?
• At the time it was written, Great
Learning was just another school
of thought that contended with
hundreds of other ideas. Later, it
became one of three main core
philosophies of China.
Great Learning Background III
Why does it matter?
• Its opening statement is no different from the mission statement of the (ISC)2 and
SANS Codes of Ethics.
• While knowledge of the 10 domains and technical information is necessary for the
information security professional, a person’s ethical standard is expected, but not
much direction is given beyond following various laws and rulings such as HIPAA, SOX,
GLBA, Safe Harbor, etc.
• I believe Great Learning can be a useful guide for Information Security
(InfoSec) professional ethics.
Goals of Great Learning/InfoSec
What do we want to accomplish with our lives and our career?
“大學之道,在明明德,在親民,在止於至善。”
The Dao of Great Learning is to illustrate illustrious virtues,
to renovate the people, and to rest in the highest excellence.
Safety of the commonwealth, duty to our principals, and to each other requires that we adhere,
and be seen to adhere, to the highest ethical standards of behavior.
- (ISC)2 Code of Ethics
The Dao of the Great Learning is to illustrate illustrious virtues, to
renovate the people, and to rest in the highest excellence.
GIAC Code of Ethics
• Respect for the Public
• Respect for the Certification
• Respect for my Employer
• Respect for Myself
SANS Code of Ethics
• I will strive to know myself and be
honest about my capability
• I will conduct my business in a manner
that assures the IT profession is
considered one of integrity and
professionalism.
• I respect privacy and confidentiality.
7 Steps to Illustrating
Illustrious Virtues
Seeking Self Improvement First
“知,止,定,靜,安,慮,得”
knowing, ceasing, steadying, calming, quieting, pondering, obtaining
7 Steps of Acquiring Illustrious Virtues
How can these seven internal self-improvement steps have an impact
on oneself and one’s InfoSec career in modern times?
知 Knowing
Self Improvement
• In the corporate world, we are trained to exploit the
company’s strategic strengths while shoring up the
company’s weaknesses.
• In an engineering environment, we are trained to find
and rectify any product defects before they go to
market.
• Shouldn’t we train ourselves to find the weaknesses within
ourselves before we or someone else initiates a
zero-day attack against us?
InfoSec Professional
• I have to know a company’s security status;
where are its strengths; where are its
weaknesses.
• I have to know the company's business goal, its
chain of command, its culture, its behaviors,
and its processes.
• I have to know their defense-in-layers
structure, their log controls, their state of
readiness, their state of responsiveness, etc.
止 Ceasing
Self Improvement
• Ceasing is to prevent the breach of trust.
• To cease one’s vices through gradual
reduction, redirecting attention to healthier
alternatives, or going cold turkey.
• To cease through forming new habits,
rewarding oneself for achieving milestones, and
attending support groups.
InfoSec Professional
• Ceasing is to prevent the breach of trust.
• To cease internal risks through reduction,
mitigation, avoidance, or elimination.
• To cease through log controls, separation
of duties, enforcement of least privilege,
a secure software development lifecycle,
and making employees more security-aware.
定 Steadying
Self Improvement
• We know our strengths and
weaknesses.
• We curb our indulgences and capitalize
on our strengths.
• These will give us the confidence
against external pressures and attacks.
InfoSec Professional
• We know our company’s security
status.
• We have reduced our company’s risk
level.
• This will give us the confidence to
remain level headed when external
threats appear.
靜 Calming
Self Improvement
• You’re only able to maintain
calmness after patching your flaws,
because you don’t have to worry
about them being exploited.
• Peace of mind leads to a healthy
body.
InfoSec Profession
• Calming comes when the company
is safe from internal and external
threats.
• Calming allows the company to
plan its business strategy.
安 Quieting
Self Improvement
• Quieting is the result of Calming.
While Quieting allows you to think
clearly, Calming allows you to act
without disruption.
• Quieting allows you to focus on the
task at hand without distraction.
InfoSec Profession
• The company that is secured and well
defended is free to focus on pursuing its
objectives.
• Security awareness has become part of
the business culture or norm, so that
employees are able to sharpen their
security mindfulness without intruding on or
interrupting day-to-day work functions.
慮 Pondering
Self Improvement
• Without worry, without stress, you are
free to digest information to determine
how it improves your health, your
social/family life, and your career.
• You are able to plan ahead for where
you want to be in 6 months, 1 year, 5
years, or even 10 years.
InfoSec Profession
• Pondering allows a company to analyze its
business or marketing objectives, to review
its information technology, and to anticipate
future trends/threats.
• Previously in Ceasing and Steadying states,
the company is focused on managing
immediate risks. At Pondering, the company
now has the luxury to look ahead to
anticipate new risks and be prepared for
them.
得 Obtaining
Self Improvement
• Peak virtuous state:
  • Stress free from fear of personal flaws
  • Have an actionable life plan
  • Achieving equilibrium of body and mind
InfoSec Profession
• Peak security awareness state:
  • COBIT’s Optimizing Process
  • ITIL’s Optimized Maturity Assessment Level
  • Security Awareness Roadmap: Metrics Framework
Internal Sagacity,
External Sovereignty
How To Renovate People and Rest at Highest Excellence
Or How to Manage Self Before Managing Others
格物,致知,誠意,正心,脩身
Investigation of Things, Knowledge, Sincerity, Rectification, Self Cultivation
• Before managing others, first make
sure you have successfully managed
yourself.
• You must be able to withstand the
scrutiny of others.
• Your actions, your behaviors, and
your words will be constantly
observed and judged.
• This is especially true in the
age of Facebook, Twitter, and
Instagram where every little
transgression will be caught on
camera and spread like wildfire.
• There are people who love nothing
more than to tear down a public
figure.
格物 Investigation of Things
Self Improvement
• …to know ten thousand things around you in
order to use them to help Heaven Below…
• Know your stuff outside your work
• All things have a beginning and an end.
• All things have patterns.
• All things have purpose whether you
realize it or not.
InfoSec Profession
• Information Security is about providing data
availability, confidentiality, and integrity.
• Ideally, we would like to get involved at the beginning of
all projects because of our concern for
information security.
• Externally, we need to know what regulations,
laws, and audits are required for this project.
• Internally, we need to know what our
administrative, technical, and physical constraints
are for this project.
致知 Knowledge
Self Improvement
• Know who you are in relation to all things
around you.
• Regardless of your status, you want to be
cherished, to be appreciated, and to be
respected.
• You will experience the march of time; you
are responsible for your actions.
• These things can’t be bought, or negated,
with money, with power, or with fame.
InfoSec Profession
• We share our knowledge with key consultants,
managers, programmers, and other project
members.
• They need to take into account our information
security concerns in project designs.
• Any data leak will be a detriment to the
company’s image, reputation, and confidence, not
to mention a source of possible lawsuits.
誠意 Sincerity
Self Improvement
• Sincerity is the best policy. This is a tried and true
cliché that has withstood the test of time.
• And in the age of the information society, it is the
only policy.
• Why? Everything you’ve done is recorded, saved
for posterity, and can be accessed online. When
you apply for a highly prestigious, high paying,
and/or highly recognized position, you will be
scrutinized.
InfoSec Profession
• We show the sincerity of our concerns toward
data preservation through sharing our findings
with others and advocating security awareness.
• We will be tempted to speed up projects, or not to
put too many restrictions into current designs in
order to expedite the process, to move things
along, or to beat the deadlines.
• But then, we have to realize that the law of
consequences is at play here. Our involvement is a
series of tradeoffs of short term expedience vs.
long term data security.
正心 Rectification
Self Improvement
• If you are sincere in your beliefs, then
your heart will be in the right place and
your actions will be proper.
• Why? Our actions result from our
thought process, whether conscious or
subconscious.
• And if you can’t be true to yourself,
then how can you be true to others?
InfoSec Profession
• No matter how many or whichever
elements our projects entail, our heart
has to be in the right place.
• Our heart lies in the credo that we
upheld upon joining (ISC)2 or GIAC.
• We must apply due diligence in our
involvement with all projects. Our
actions have to be as true as our words.
脩身 Self Cultivation
Self Improvement
• Self-cultivation is about straightening the
heart.
• Those with anger, their hearts are
not straightened.
• Those with fear, their hearts are
not straightened.
• Those with desire, their hearts are not
straightened.
• Those with worry, their hearts are not
straightened.
InfoSec Profession
• While we ourselves strive to straighten our hearts,
we must watch out for employees who display:
• Anger
• Fear
• Desire
• Worry
• These have a higher probability of being a threat.
齊家 治國 平天下
Maintain Family, Regulate State (Company), Pacify Heaven Below (the Grid)
• The Great Learning is the first classic
on Management as a Service (MaaS).
• Only interested in self improvement?
Stop after Self Cultivation
• Interested in maintaining a household or a
department? Stop after Maintain Family
• Interested in running a government
agency or a company? Stop after
Regulate State
• Interested in doing the greater good, or
managing a multi-national corporation?
Continue to Pacify Heaven Below
• External Sovereignty is less about utilizing
the latest and greatest technology and
more about managing people.
• Social Engineering is the battle for hearts
and minds that can get past the
world’s most secure firewalls, IDS, IPS,
and defense in layers.
• Social Engineering is another term for the spy,
grifter, scammer, con artist, and trojan
horse.
齊家 Maintain Family
Self Improvement
• Maintaining a household comes about
after self-cultivation.
• You should avoid creating too much
• Favoritism
• Disapproval
• Fear
• A man who doesn’t know about his son’s flaws is
like a man who doesn’t know about his crop’s health.
InfoSec Profession
• Maintaining a department comes about after
self-cultivation.
• It should be free from
• Favoritism
• Disapproval
• Fear
• As these will decrease employees’ security
awareness.
治國 Regulate State (Company)
Self Improvement
• When a family acts humanely, the entire
nation promotes humaneness.
• When a family acts with deference, the
entire nation promotes civility.
• When a man is ruthless and corrupt, the
entire nation goes rogue.
• Hence, a word can instigate an incident; a
man can regulate a nation.
InfoSec Profession
• When a department behaves securely, the
entire company promotes vigilance.
• When a department limits its access, the
entire company promotes data control.
• When a man is ruthless and corrupt, the
entire company becomes vulnerable.
• Hence, a word can instigate a threat; a man
can secure a company.
平天下 Pacify Heaven Below (the Grid)
Self Improvement
• A Gentleman practices the Dao of Rules
& Regulation.
• Follow the Dao (of Great Learning), and the
crowd and the nation follow. Lose the
Dao, lose the people, and lose the nation.
• Speak out contrarily; receive a contrary
response. Receive ill-gotten wealth; out it
will flow with interest.
InfoSec Profession
• An InfoSec Professional lives and
breathes the Code of Ethics.
• Practice InfoSec, and others engage and the
company enacts. Disregard InfoSec, and
others forget and the company neglects.
• The Law of Consequence can be found in
personal, social, career, financial and
political aspects.
Great Learning & InfoSec Recaps
• As the first self-help book, it has withstood the test of time. As the first
book on MaaS (Management as a Service), it shows how to serve others by
first improving oneself.
• Instructions for management are no different from instructions for self
improvement. It is all about leading by example.
• Despite advanced technology, people’s heart and soul still remain the same.
They can enforce or enfeeble information security.

More Related Content

Similar to Great Learning & Information Security - English edition

Cybersecurity is a Team Sport (SecureWorld - Dallas 2018)
Cybersecurity is a Team Sport  (SecureWorld - Dallas 2018)Cybersecurity is a Team Sport  (SecureWorld - Dallas 2018)
Cybersecurity is a Team Sport (SecureWorld - Dallas 2018)Shawn Tuma
 
Intro to PS Workshop public July 2023.pptx
Intro to PS Workshop public July 2023.pptxIntro to PS Workshop public July 2023.pptx
Intro to PS Workshop public July 2023.pptxRichard McLean
 
What is Psychological Safety in the Workplace?
What is Psychological Safety in the Workplace?What is Psychological Safety in the Workplace?
What is Psychological Safety in the Workplace?Case IQ
 
How to Win - Managing Your Team
How to Win - Managing Your Team How to Win - Managing Your Team
How to Win - Managing Your Team Venture Advisors
 
Learning from Disaster - How a positive safety approach saves lives_MYOSH Web...
Learning from Disaster - How a positive safety approach saves lives_MYOSH Web...Learning from Disaster - How a positive safety approach saves lives_MYOSH Web...
Learning from Disaster - How a positive safety approach saves lives_MYOSH Web...kristinashields1
 
AITP Dallas Presentation - Ethics in Leadership
AITP Dallas Presentation - Ethics in LeadershipAITP Dallas Presentation - Ethics in Leadership
AITP Dallas Presentation - Ethics in LeadershipPaola Saibene
 
ANOH GAS PROJECT Developing a positive HSE culture.ppt
ANOH GAS PROJECT Developing a positive HSE culture.pptANOH GAS PROJECT Developing a positive HSE culture.ppt
ANOH GAS PROJECT Developing a positive HSE culture.pptolorunyomi wale
 
Information security challenges in today’s banking environment
Information security challenges in today’s banking environmentInformation security challenges in today’s banking environment
Information security challenges in today’s banking environmentEvan Francen
 
Staffing Software Management Positions in a Development Office
Staffing Software Management Positions in a Development OfficeStaffing Software Management Positions in a Development Office
Staffing Software Management Positions in a Development Office4Good.org
 
7 Habits of Highly Effective People Training
7 Habits of Highly Effective People Training7 Habits of Highly Effective People Training
7 Habits of Highly Effective People TrainingJavier Juri
 
RedZone10X: innovation strategy leadership and Transformation
RedZone10X: innovation strategy leadership and TransformationRedZone10X: innovation strategy leadership and Transformation
RedZone10X: innovation strategy leadership and TransformationRedZone Technologies
 
sdsc leadership training working
sdsc leadership training workingsdsc leadership training working
sdsc leadership training workingMike Kane
 
BASIC and COMMON COMPETENCIES POWER POINT.pptx
BASIC and COMMON COMPETENCIES POWER POINT.pptxBASIC and COMMON COMPETENCIES POWER POINT.pptx
BASIC and COMMON COMPETENCIES POWER POINT.pptxMarlouChesterBendao1
 
Any of these folks work with you?
Any of these folks work with you?Any of these folks work with you?
Any of these folks work with you?Kevin O'Connor
 
Crisis Of Training System.ppt
Crisis Of Training System.pptCrisis Of Training System.ppt
Crisis Of Training System.pptssuser855c8d
 
Information Security For Leaders, By a Leader
Information Security For Leaders, By a LeaderInformation Security For Leaders, By a Leader
Information Security For Leaders, By a LeaderEvan Francen
 

Similar to Great Learning & Information Security - English edition (20)

Cybersecurity is a Team Sport (SecureWorld - Dallas 2018)
Cybersecurity is a Team Sport  (SecureWorld - Dallas 2018)Cybersecurity is a Team Sport  (SecureWorld - Dallas 2018)
Cybersecurity is a Team Sport (SecureWorld - Dallas 2018)
 
Intro to PS Workshop public July 2023.pptx
Intro to PS Workshop public July 2023.pptxIntro to PS Workshop public July 2023.pptx
Intro to PS Workshop public July 2023.pptx
 
What is Psychological Safety in the Workplace?
What is Psychological Safety in the Workplace?What is Psychological Safety in the Workplace?
What is Psychological Safety in the Workplace?
 
How to Win - Managing Your Team
How to Win - Managing Your Team How to Win - Managing Your Team
How to Win - Managing Your Team
 
Mapping the Mind
Mapping the MindMapping the Mind
Mapping the Mind
 
Learning from Disaster - How a positive safety approach saves lives_MYOSH Web...
Learning from Disaster - How a positive safety approach saves lives_MYOSH Web...Learning from Disaster - How a positive safety approach saves lives_MYOSH Web...
Learning from Disaster - How a positive safety approach saves lives_MYOSH Web...
 
AITP Dallas Presentation - Ethics in Leadership
AITP Dallas Presentation - Ethics in LeadershipAITP Dallas Presentation - Ethics in Leadership
AITP Dallas Presentation - Ethics in Leadership
 
ANOH GAS PROJECT Developing a positive HSE culture.ppt
ANOH GAS PROJECT Developing a positive HSE culture.pptANOH GAS PROJECT Developing a positive HSE culture.ppt
ANOH GAS PROJECT Developing a positive HSE culture.ppt
 
Final project
Final projectFinal project
Final project
 
Information security challenges in today’s banking environment
Information security challenges in today’s banking environmentInformation security challenges in today’s banking environment
Information security challenges in today’s banking environment
 
Staffing Software Management Positions in a Development Office
Staffing Software Management Positions in a Development OfficeStaffing Software Management Positions in a Development Office
Staffing Software Management Positions in a Development Office
 
7 Habits of Highly Effective People Training
7 Habits of Highly Effective People Training7 Habits of Highly Effective People Training
7 Habits of Highly Effective People Training
 
RedZone10X: innovation strategy leadership and Transformation
RedZone10X: innovation strategy leadership and TransformationRedZone10X: innovation strategy leadership and Transformation
RedZone10X: innovation strategy leadership and Transformation
 
sdsc leadership training working
sdsc leadership training workingsdsc leadership training working
sdsc leadership training working
 
Roles And Responsibilities of HR
Roles And Responsibilities of HRRoles And Responsibilities of HR
Roles And Responsibilities of HR
 
BASIC and COMMON COMPETENCIES POWER POINT.pptx
BASIC and COMMON COMPETENCIES POWER POINT.pptxBASIC and COMMON COMPETENCIES POWER POINT.pptx
BASIC and COMMON COMPETENCIES POWER POINT.pptx
 
Social Psychology
Social PsychologySocial Psychology
Social Psychology
 
Any of these folks work with you?
Any of these folks work with you?Any of these folks work with you?
Any of these folks work with you?
 
Crisis Of Training System.ppt
Crisis Of Training System.pptCrisis Of Training System.ppt
Crisis Of Training System.ppt
 
Information Security For Leaders, By a Leader
Information Security For Leaders, By a LeaderInformation Security For Leaders, By a Leader
Information Security For Leaders, By a Leader
 

More from Chuan Lin

大学与​信息安全​
大学与​信息安全​大学与​信息安全​
大学与​信息安全​Chuan Lin
 
黄帝内经与信安上部
黄帝内经与信安上部黄帝内经与信安上部
黄帝内经与信安上部Chuan Lin
 
黃帝內經與資安上部
黃帝內經與資安上部黃帝內經與資安上部
黃帝內經與資安上部Chuan Lin
 
Yellow Emperor Internal Canon on Information Security - part 1
Yellow Emperor Internal Canon on Information Security - part 1Yellow Emperor Internal Canon on Information Security - part 1
Yellow Emperor Internal Canon on Information Security - part 1Chuan Lin
 
Revisiting the Three Kingdoms, Issue 05
Revisiting the Three Kingdoms, Issue 05Revisiting the Three Kingdoms, Issue 05
Revisiting the Three Kingdoms, Issue 05Chuan Lin
 
项目资安禅 - Project Management, Information Security & Chan
项目资安禅 - Project Management, Information Security & Chan项目资安禅 - Project Management, Information Security & Chan
项目资安禅 - Project Management, Information Security & ChanChuan Lin
 
專案、資安、禪 - PMP, InfoSec and Chan
專案、資安、禪 - PMP, InfoSec and Chan專案、資安、禪 - PMP, InfoSec and Chan
專案、資安、禪 - PMP, InfoSec and ChanChuan Lin
 
PMP, InfoSec & Chan
PMP, InfoSec & ChanPMP, InfoSec & Chan
PMP, InfoSec & ChanChuan Lin
 
Revisit the Three Kingdoms issue04
Revisit the Three Kingdoms issue04Revisit the Three Kingdoms issue04
Revisit the Three Kingdoms issue04Chuan Lin
 
孙子项目管理法
孙子项目管理法孙子项目管理法
孙子项目管理法Chuan Lin
 
孫子專案管理
孫子專案管理孫子專案管理
孫子專案管理Chuan Lin
 
Sunzi's Art of PMP
Sunzi's Art of PMPSunzi's Art of PMP
Sunzi's Art of PMPChuan Lin
 
Revisit the Three Kingdoms 03
Revisit the Three Kingdoms 03Revisit the Three Kingdoms 03
Revisit the Three Kingdoms 03Chuan Lin
 
三十六社交工程计 上-简体
三十六社交工程计 上-简体三十六社交工程计 上-简体
三十六社交工程计 上-简体Chuan Lin
 
三十六社交工程計-上-繁體中文
三十六社交工程計-上-繁體中文三十六社交工程計-上-繁體中文
三十六社交工程計-上-繁體中文Chuan Lin
 
Revisit the Three Kingdoms 02
Revisit the Three Kingdoms 02Revisit the Three Kingdoms 02
Revisit the Three Kingdoms 02Chuan Lin
 
Romance of Three Kingdoms Vol1 Issue1
Romance of Three Kingdoms Vol1 Issue1Romance of Three Kingdoms Vol1 Issue1
Romance of Three Kingdoms Vol1 Issue1Chuan Lin
 
Thirty-Six Stratagems of Social Engineering, Part I
Thirty-Six Stratagems of Social Engineering, Part IThirty-Six Stratagems of Social Engineering, Part I
Thirty-Six Stratagems of Social Engineering, Part IChuan Lin
 
易經與資安-中文
易經與資安-中文易經與資安-中文
易經與資安-中文Chuan Lin
 
圍棋和資安-中文版
圍棋和資安-中文版圍棋和資安-中文版
圍棋和資安-中文版Chuan Lin
 

More from Chuan Lin (20)

大学与​信息安全​
大学与​信息安全​大学与​信息安全​
大学与​信息安全​
 
黄帝内经与信安上部
黄帝内经与信安上部黄帝内经与信安上部
黄帝内经与信安上部
 
黃帝內經與資安上部
黃帝內經與資安上部黃帝內經與資安上部
黃帝內經與資安上部
 
Yellow Emperor Internal Canon on Information Security - part 1
Yellow Emperor Internal Canon on Information Security - part 1Yellow Emperor Internal Canon on Information Security - part 1
Yellow Emperor Internal Canon on Information Security - part 1
 
Revisiting the Three Kingdoms, Issue 05
Revisiting the Three Kingdoms, Issue 05Revisiting the Three Kingdoms, Issue 05
Revisiting the Three Kingdoms, Issue 05
 
项目资安禅 - Project Management, Information Security & Chan
项目资安禅 - Project Management, Information Security & Chan项目资安禅 - Project Management, Information Security & Chan
项目资安禅 - Project Management, Information Security & Chan
 
專案、資安、禪 - PMP, InfoSec and Chan
專案、資安、禪 - PMP, InfoSec and Chan專案、資安、禪 - PMP, InfoSec and Chan
專案、資安、禪 - PMP, InfoSec and Chan
 
PMP, InfoSec & Chan
PMP, InfoSec & ChanPMP, InfoSec & Chan
PMP, InfoSec & Chan
 
Revisit the Three Kingdoms issue04
Revisit the Three Kingdoms issue04Revisit the Three Kingdoms issue04
Revisit the Three Kingdoms issue04
 
孙子项目管理法
孙子项目管理法孙子项目管理法
孙子项目管理法
 
孫子專案管理
孫子專案管理孫子專案管理
孫子專案管理
 
Sunzi's Art of PMP
Sunzi's Art of PMPSunzi's Art of PMP
Sunzi's Art of PMP
 
Revisit the Three Kingdoms 03
Revisit the Three Kingdoms 03Revisit the Three Kingdoms 03
Revisit the Three Kingdoms 03
 
三十六社交工程计 上-简体
三十六社交工程计 上-简体三十六社交工程计 上-简体
三十六社交工程计 上-简体
 
三十六社交工程計-上-繁體中文
三十六社交工程計-上-繁體中文三十六社交工程計-上-繁體中文
三十六社交工程計-上-繁體中文
 
Revisit the Three Kingdoms 02
Revisit the Three Kingdoms 02Revisit the Three Kingdoms 02
Revisit the Three Kingdoms 02
 
Romance of Three Kingdoms Vol1 Issue1
Romance of Three Kingdoms Vol1 Issue1Romance of Three Kingdoms Vol1 Issue1
Romance of Three Kingdoms Vol1 Issue1
 
Thirty-Six Stratagems of Social Engineering, Part I
Thirty-Six Stratagems of Social Engineering, Part IThirty-Six Stratagems of Social Engineering, Part I
Thirty-Six Stratagems of Social Engineering, Part I
 
易經與資安-中文
易經與資安-中文易經與資安-中文
易經與資安-中文
 
圍棋和資安-中文版
圍棋和資安-中文版圍棋和資安-中文版
圍棋和資安-中文版
 

Recently uploaded

Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfRankYa
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Wonjun Hwang
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 

Recently uploaded (20)

Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
Ensuring Technical Readiness For Copilot in Microsoft 365

Great Learning & Information Security - English edition

  • 1. Great Learning & Information Security: how an ancient Chinese Classic remains relevant in modern information security. Chuan Lin, CISSP

  • 2. Great Learning Background
    Who wrote it
    • Zengzi, a disciple of Confucius, wrote Great Learning.
    What is it
    • It is the first self-help book that withstood the test of time and the first Management as a Service (MaaS) to others.

  • 3. Great Learning Background II
    When was it written
    • It was written sometime between 445 – 436 BC during the Spring and Autumn Period of Chinese history, when China was a feudal sovereignty consisting of a hundred city states which owed loyalty to the Zhou Dynasty.
    Where did it flourish?
    • At the time it was written, Great Learning was just another school of thought that contended with hundreds of other ideas. Later, it became one of the three main core philosophies of China.

  • 4. Great Learning Background III
    Why does it matter?
    • Its opening statement is no different than the mission statements of the (ISC)2 and SANS Codes of Ethics.
    • While knowledge of the 10 domains and technical information is necessary for the information security professional, a person’s ethical standard is expected, but not much direction is given other than to follow various laws/rulings like HIPAA, SOX, GLBA, Safe Harbor, etc.
    • I believe Great Learning can be a useful guide for the Information Security (InfoSec) Professional’s ethics.

  • 5. Goals of Great Learning/InfoSec: What do we want to accomplish with our lives and our careers?

  • 6. “大學之道,在明明德,在親民,在止於至善。”
    The Dao of Great Learning is to illustrate illustrious virtues, to renovate the people, and to rest in the highest excellence.
    “Safety of the commonwealth, duty to our principals, and to each other requires that we adhere, and be seen to adhere, to the highest ethical standards of behavior.” - (ISC)2 Code of Ethics

  • 7. The Dao of the Great Learning is to illustrate illustrious virtues, to renovate the people, and to rest in the highest excellence.
    GIAC Code of Ethics
    • Respect for the Public
    • Respect for the Certification
    • Respect for my Employer
    • Respect for Myself
    SANS Code of Ethics
    • I will strive to know myself and be honest about my capability.
    • I will conduct my business in a manner that assures the IT profession is considered one of integrity and professionalism.
    • I respect privacy and confidentiality.

  • 8. 7 Steps to Illustrating Illustrious Virtues: Seeking Self-Improvement First

  • 9. “知,止,定,靜,安,慮,得” knowing, ceasing, steadying, calming, quieting, pondering, obtaining.
    7 Steps of Acquiring Illustrious Virtues: How can these seven internal self-improvement steps have an impact on oneself and one’s InfoSec career in modern times?

  • 10. 知 Knowing
    Self Improvement
    • In the corporate world, we are trained to exploit the company’s strategic strengths while shoring up the company’s weaknesses.
    • In an engineering environment, we are trained to find and rectify any product defects before they go to market.
    • Shouldn’t we train ourselves to find weaknesses within ourselves before we or someone else initiates a zero-day attack against us?
    InfoSec Professional
    • I have to know a company’s security status: where its strengths are and where its weaknesses are.
    • I have to know the company’s business goals, its chain of command, its culture, its behaviors, and its processes.
    • I have to know their defense-in-layers structure, their log controls, their state of readiness, their state of responsiveness, etc.

  • 11. 止 Ceasing
    Self Improvement
    • Ceasing is to prevent the breach of trust.
    • To cease one’s vices through gradual reduction, redirecting attention to healthier alternatives, or going cold turkey.
    • To cease through forming new habits, rewarding oneself for achieving milestones, and attending support groups.
    InfoSec Professional
    • Ceasing is to prevent the breach of trust.
    • To cease internal risks through reduction, mitigation, avoidance, or elimination.
    • To cease through log controls, separation of duties, enforcement of least privilege, a secured software development lifecycle, and making employees more security aware.

  • 12. 定 Steadying
    Self Improvement
    • We know our strengths and weaknesses.
    • We curb our indulgences and capitalize on our strengths.
    • These give us confidence against external pressures and attacks.
    InfoSec Professional
    • We know our company’s security status.
    • We have reduced our company’s risk level.
    • This gives us the confidence to remain level-headed when external threats appear.

  • 13. 靜 Calming
    Self Improvement
    • You are only able to maintain calmness after patching your flaws, because you no longer have to worry about them being exploited.
    • Peace of mind leads to a healthy body.
    InfoSec Profession
    • Calming comes when the company is safe from internal and external threats.
    • Calming allows the company to plan its business strategy.

  • 14. 安 Quieting
    Self Improvement
    • Quieting is the result of Calming. While Quieting allows you to think clearly, Calming allows you to act without disruption.
    • Quieting allows you to focus on the task at hand without distraction.
    InfoSec Profession
    • A company that is secured and well defended is free to focus on pursuing its objectives.
    • Security awareness has become part of the business culture or norm, so that employees are able to sharpen their security mindfulness without intruding on or interrupting day-to-day work functions.

  • 15. 慮 Pondering
    Self Improvement
    • Without worry, without stress, you are free to digest information and determine how it improves your health, your social/family life, and your career.
    • You are able to plan ahead for where you want to be in 6 months, 1 year, 5 years, or even 10 years.
    InfoSec Profession
    • Pondering allows a company to analyze its business or marketing objectives, to review its information technology, and to anticipate future trends/threats.
    • Previously, in the Ceasing and Steadying states, the company was focused on managing immediate risks. At Pondering, the company now has the luxury to look ahead, anticipate new risks, and be prepared for them.

  • 16. 得 Obtaining
    Self Improvement
    • Peak virtuous state:
    • Stress free from fear of personal flaws
    • Having an actionable life plan
    • Achieving equilibrium of body and mind
    InfoSec Profession
    • Peak security awareness state:
    • COBIT’s Optimizing Process
    • ITIL’s Optimized Maturity Assessment Level
    • Security Awareness Roadmap: Metrics Framework

  • 17. Internal Sagacity, External Sovereignty: How to Renovate People and Rest at the Highest Excellence, or How to Manage Self Before Managing Others

  • 18. 格物,致知,誠意,正心,脩身 Investigation of Things, Knowledge, Sincerity, Rectification, Self Cultivation
    • Before managing others, first make sure you have successfully managed yourself.
    • You must be able to withstand the scrutiny of others.
    • Your actions, your behaviors, and your words will be constantly observed and judged.
    • This is especially true in the age of Facebook, Twitter, and Instagram, where every little transgression will be caught on camera and spread like wildfire.
    • There are people who love nothing more than to tear down a public figure.

  • 19. 格物 Investigation of Things
    Self Improvement
    • …to know the ten thousand things around you in order to use them to help Heaven Below…
    • Know your stuff outside your work.
    • All things have a beginning and an end.
    • All things have patterns.
    • All things have a purpose, whether you realize it or not.
    InfoSec Profession
    • Information Security is about providing data availability, confidentiality, and integrity.
    • Ideally, we like to get involved at the beginning of all projects because of our concern for information security.
    • Externally, we need to know what regulations, laws, and audits are required for this project.
    • Internally, we need to know what our administrative, technical, and physical constraints are for this project.

  • 20. 致知 Knowledge
    Self Improvement
    • Know who you are in relation to all things around you.
    • Regardless of your status, you want to be cherished, to be appreciated, and to be respected.
    • You will experience the march of time; you are responsible for your actions.
    • These things can’t be bought, or negated, with money, with power, or with fame.
    InfoSec Profession
    • We share our knowledge with key consultants, managers, programmers, and other project members.
    • They need to take our information security concerns into account in project designs.
    • Any data leak will be a detriment to the company’s image, reputation, and confidence, not to mention possible lawsuits.

  • 21. 誠意 Sincerity
    Self Improvement
    • Sincerity is the best policy. This is a tried and true cliché that has withstood the test of time.
    • And in the age of the information society, it is the only policy.
    • Why? Everything you’ve done is recorded, saved for posterity, and can be accessed online. When you apply to a highly prestigious, high paying, and/or highly recognized position, you will be scrutinized.
    InfoSec Profession
    • We show the sincerity of our concern for data preservation by sharing our findings with others and advocating security awareness.
    • We will be tempted to speed up projects, or not to put too many restrictions into current designs, in order to expedite the process, to move things along, or to beat deadlines.
    • But then we have to realize that the law of consequences is at play here. Our involvement is a series of tradeoffs of short-term expedience vs. long-term data security.

  • 22. 正心 Rectification
    Self Improvement
    • If you are sincere in your beliefs, then your heart will be in the right place and your actions will be proper.
    • Why? Our actions result from our thought process, whether conscious or subconscious.
    • And if you can’t be true to yourself, then how can you be true to others?
    InfoSec Profession
    • No matter how many or whichever elements our projects entail, our heart has to be in the right place.
    • Our heart lies in the credo that we upheld upon joining (ISC)2 or GIAC.
    • We must apply due diligence in our involvement with all projects. Our actions have to be as true as our words.

  • 23. 脩身 Self Cultivation
    Self Improvement
    • Self-cultivation is about straightening the heart.
    • Those with anger, their hearts are not straightened.
    • Those with fear, their hearts are not straightened.
    • Those with desire, their hearts are not straightened.
    • Those with worry, their hearts are not straightened.
    InfoSec Profession
    • While we ourselves strive to straighten our hearts, we must watch out for employees who display:
    • Anger
    • Fear
    • Desire
    • Worry
    • These have a higher probability of being a threat.

  • 24. 齊家 治國 平天下 Maintain Family, Regulate State (Company), Pacify Heaven Below (the Gird)
    • The Great Learning is the first classic on Management as a Service (MaaS).
    • Only interested in self improvement? Stop after Self Cultivation.
    • Interested in maintaining a household or a department? Stop after Maintain Family.
    • Interested in running a government agency or a company? Stop after Regulate State.
    • Interested in doing the greater good, or managing a multi-national corporation? Continue to Pacify Heaven Below.
    • External Sovereignty is less about utilizing the latest and greatest technology and more about managing people.
    • Social Engineering is the battle of hearts and minds that can get past the world’s most secured firewalls, IDS, IPS, and defense in layers.
    • Social Engineering is another term for spy, grifter, scammer, con artist, and trojan horse.

  • 25. 齊家 Maintain Family
    Self Improvement
    • Maintaining a household comes about after self-cultivation.
    • You should avoid creating too much:
    • Favoritism
    • Disapproval
    • Fear
    • A man who doesn’t know about his son’s flaw is like a man who doesn’t know about his crop’s health.
    InfoSec Profession
    • Maintaining a department comes about after self-cultivation.
    • It should be free from:
    • Favoritism
    • Disapproval
    • Fear
    • As these will decrease employees’ security awareness.

  • 26. 治國 Regulate State (Company)
    Self Improvement
    • When a family acts humanely, the entire nation promotes humaneness.
    • When a family acts with deference, the entire nation promotes civility.
    • When a man is ruthless and corrupt, the entire nation goes rogue.
    • Hence, a word can instigate an incident; a man can regulate a nation.
    InfoSec Profession
    • When a department behaves securely, the entire company promotes vigilance.
    • When a department limits its access, the entire company promotes data control.
    • When a man is ruthless and corrupt, the entire company becomes vulnerable.
    • Hence, a word can instigate a threat; a man can secure a company.

  • 27. 平天下 Pacify Heaven Below (the Gird)
    Self Improvement
    • A Gentleman practices the Dao of Rules & Regulations.
    • Follow the Dao (of Great Learning), and the crowd and the nation follow. Lose the Dao, lose the people, and lose the nation.
    • Speak out contrarily; receive a contrary response. Receive ill-gotten wealth; out it will flow with interest.
    InfoSec Profession
    • An InfoSec Professional lives and breathes the Code of Ethics.
    • Practice InfoSec, and others engage and the company enacts. Disregard InfoSec, and others forget and the company neglects.
    • The Law of Consequences can be found in personal, social, career, financial, and political aspects.

  • 28. Great Learning & InfoSec Recap
    • As the first self-help book, it has withstood the test of time. As the first book on MaaS (Management as a Service), it shows how to serve others by first improving oneself.
    • Instructions for management are no different than instructions for self improvement. It is all about leading by example.
    • Despite advanced technology, people’s hearts and souls still remain the same. They can enforce or enfeeble information security.