• United States



Security and the Tao of the Organization

Sep 25, 20092 mins
Business ContinuityData and Information SecurityIdentity Management Solutions

The military is a great matter of the state.It is the ground of death and life,The Tao of survival or extinction.One cannot but examine it.– Sun TzuWhen Sun Tzu wrote The Art of War, he was concerned with the organization and disposition of military units.  In his day, as is true in ours, the military was a tool for the accomplishment of political goals.  In our role as security professionals, we serve to further goals of organizations that fight on a competitive battlefield.Some of us are “foot soldiers”, fulfilling operational roles critical to the daily functioning of the company.  Others are the leaders – managers, CIOs, CISOs – who coordinate the tactics that realize strategic aims set by the sovereign.  While this hierarchy is common, the organizational Tao influences the way these elements are orchestrated.

According to Sun Tzu, the Tao is the Way – the context that defines how actions are perceived and valued.  In a business context, corporate values and culture define the Tao.  The success of any strategy depends on how it is supported by the Tao. 

Why does culture matter when it comes to security?  Is it not enough to expect compliance with published policies and procedures?  An August, 2009 interview with Wharton University’s Andrea M. Matwywhyn shows that the inculcation of a security mind-set is required to deal with evolving threats.  Additionally, an understanding of corporate culture enables the creation of effective security training.

It is important that a security program have the support of management.  However, the management team must be able to accurately assess the program in the context of the company’s cultural and political reality.  Failure to do this will inevitably create a clash between strategic security plans and the operational activities that enable that vision.


Steven F. Fox provides security guidance to ensure compliance with Federal standards and requirements as a Senior Security Architecture and Engineering Advisor for the IRS. Fox contributes to multiple working groups including the IPv6 transition team, Developer Security Testing workgroup and the Security and Privacy workgroup. He brings a cross-disciplinary perspective to the practice of information security; combining his experience as a security consultant, an IT Auditor and a systems engineer with principles from behavioral/organizational psychology to address security challenges. He is a syndicated blogger covering IT Governance, Risk Management and IT-Business fusion topics. He also volunteers his time to the Ponemon Institute and Security BSides Detroit. Follow him on Twitter - Join his LinkedIn network -