Solarwinds breach, a signal for a systemic enterprise view on Information Security
Linnéuniversitetet, Fakulteten för teknik (FTK), Institutionen för informatik (IK). (System Thinking) ORCID iD: 0009-0000-8265-0944
2021 (English). In: The OR Society's 63rd Annual Conference, Operational Research Society, UK, 2021. Conference paper, oral presentation only (peer-reviewed)
Sustainable development
Does not concern any SDG
Abstract [en]

Once, system thinking was about singular systems. Today we exist in a far more complex world, with systems interacting with systems, directly or indirectly. Today's info security involves all systems in the chain; to use an old maxim, "No chain is stronger than its weakest link". The ICT world has become so interconnected that holistic system thinking is needed, with systems outside the organizational border to be involved and accounted for. ICT criminals are using increasingly sophisticated attack methods, often based on the victim's system architecture. In the Dec 2020 security breach at the network management firm Solarwinds in the US, an external party had added a trojan horse package to the Solarwinds management system. The hack gave the hackers stealth control of the internal system environments of both Solarwinds and its 18,000 customers, including high-security targets like the FBI, Homeland Security, and Microsoft.

The attack was sophisticated, using the Solarwinds system knowledge, standards, and code layouts. Anyone not doing a deep survey would see Solarwinds code. The trojan was well-known but rewritten to the standards of the target. Solarwinds shows that we have now entered a "new brave world", demanding a much more structural system discussion of how to protect our ICT. Based on this attack's sophistication, this was probably a 7- or 8-time successful attempt. We need solid enterprise-wide, system-coordinated security perspectives. But how can we use system thinking to help plan a better and more cost-efficient security approach at an enterprise level? For 14 years, this researcher worked with info security in a global automotive company, having the Viable System Model as its internal system model. When not "sabotaged" by managers (yes, it happened), VSM worked fine. VSM also works fine with securing modern laws like GDPR when having an enterprise perspective. Info Security desperately needs enterprise system thinking.

Place, publisher, year, edition, pages
Operational Research Society, UK, 2021.
Keywords [en]
Data breaches, Info Security, Security Governance, System Thinking
HSV category
Research programme
Computer and Information Science, Informatics
Identifiers
URN: urn:nbn:se:lnu:diva-109132
OAI: oai:DiVA.org:lnu-109132
DiVA, id: diva2:1626733
Conference
The OR Society's 63rd Annual Conference, 14-16 September, 2021
Note

No conference abstracts or compilations were published by the OR Society for the OR63 conference

Not verified 220121

Available from: 2022-01-11 Created: 2022-01-11 Last updated: 2024-08-28 Bibliographically approved

Open Access in DiVA

No full text in DiVA

Person

Magnusson, Lars