Sun Tzu and the Tao of the Organization

October 27, 2009 by ADMIN

Share |

By Steven Fox, Founder of SecureLexicon

The military is a great matter of the state.
It is the ground of death and life,
The Tao of survival or extinction.
One cannot but examine it.
- Sun Tzu

When Sun Tzu wrote The Art of War, he was concerned with the organization and disposition of military units.

In his day, as is true in ours, the military was a tool for the accomplishment of political goals.

In our role as security professionals, we serve to further goals of organizations that fight on a competitive battlefield.

Some of us are “foot soldiers”, fulfilling operational roles critical to the daily functioning of the company.

Others are the leaders – managers, CIOs, CISOs – who coordinate the tactics that realize strategic aims set by the sovereign.

While this hierarchy is common, the organizational Tao influences the way these elements are orchestrated.

According to Sun Tzu, the Tao is the Way – the context that defines how actions are perceived and valued. In a business context, corporate values and culture define the Tao.

The success of any strategy depends on how it is supported by the Tao.

Why does culture matter when it comes to security? Is it not enough to expect compliance with published policies and procedures?

An August, 2009 interview with Wharton University’s Andrea M. Matwywhyn shows that the inculcation of a security mind-set is required to deal with evolving threats.

Additionally, an understanding of corporate culture enables the creation of effective security training.

It is important that a security program have the support of management.

However, the management team must be able to accurately assess the program in the context of the company’s cultural and political reality.

Failure to do this will inevitably create a clash between strategic security plans and the operational activities that enable that vision.

* * *

Stay Informed With ISR News Alerts:

* * *

Steven Fox is an independent information security consultant. He holds a Masters in Business Information Technology from Walsh College, an NSA recognized Center of Excellence. He serves on the board of the Detroit ISSA chapter and is a columnist for the ISSA Journal. He is also the founder of SecureLexicon , a security advisory firm addressing the unique security concerns of nonprofit organizations.

Originally published at CIO

He can be contacted at sfox@securelexicon.com
Follow him on Twitter - @SecureLexicon
Join Steven’s LinkedIn Network

The Publisher gives permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author and to Information-Security-Resources.com

These icons link to social bookmarking sites where readers can share and discover new web pages.

Share |

Filed under: Breach, D&O Liability, FEATURE ARTICLE, Financial, Government, Insider Threat, PCI, Sarbanes-Oxley, Steven Fox, Uncategorized, hackers, identity-theft, malware, national security, privacy

Tags: (ISC)2, 2009, access, Andrea M. Matwywhyn, Anthony M. Freed, best practices, bypass, CEO, CGEIT, CIO, CIPP, CISA, CISM, CISSP, compliance, computer, confidential, consumer product liability, control, COO, Costs, CPA, criminal, CSI, cyber security, cyber-crime, cybersecurity, D and O liability, Data, developers, DRI, due diligence, Economy, electronic database, enterprise security, Finance, Financial, Financial Identity, Financial InfoSec, governance, Government, hackers, IIA, Infoduciary, Infofiduciary, Information, Information Fiduciary, Information-Security-Resources.com, InfoSec, infrastructure, Internet Security Alliance, Intrusion Detection Engines, ISACA, ISR, ISSA, law, legal, liability, management, misuse, national security, News, protocol, regulations, regulatory, risk, SecureLexicon, Security, software, Steven Fox, Sun Tzu, System, systems, Tao, testimony, The Art of War, third party, valuation, vendors, Wharton University

Comments

Tell me what you're thinking...
and oh, if you want a pic to show with your comment, go get a gravatar!

Categories
- Anthony M. Freed (26)
- Bill Brenner (2)
- Bob Violino (1)
- Bozidar Spirovski (23)
- Breach (540)
- Britt Womelsdorf (5)
- By Dr. InfoSec (2)
- Cara Garretson (7)
- CCCNews (1)
- Chorey Taylor & Feil (8)
- Christophe Veltsos (2)
- Christopher Burgess (7)
- CIOZone (26)
- Class Action Lawsuit (111)
- Cloud computing (106)
- Coby Royer (5)
- CTO Forum (9)
- D&O Liability (594)
- Daniel Wallace (5)
- Danny Lieberman (11)
- DataLine (10)
- David Alexander (2)
- Derek Crawford (1)
- Doug Pollack (7)
- due diligence (303)
- Fame Foundry (1)
- FEATURE ARTICLE (428)
- Financial (580)
- Fred Leland (7)
- Gene Kim (3)
- Government (366)
- Greg George (5)
- H1N1 (15)
- hackers (532)
- healthcare (127)
- Heather Bourgoin (1)
- HomeATM (8)
- identity-theft (528)
- IDExperts (17)
- Ike Z. Devji (1)
- Infosec Island Network (31)
- Insider Threat (483)
- Internet Crime Complaint Center (1)
- Internet Security Alliance (64)
- ISR News (321)
- Jacqueline Herships (2)
- Jenni Hesterman (3)
- John M. Salomon (2)
- John Watkins (7)
- John-Patrick Skaar (2)
- Kaliber Data Security and Compliance Consultants (3)
- Kat Sanders (2)
- Ken Leeser (3)
- Kevin L. Jackson (10)
- Kevin M. Nixon (21)
- Larry Ketchersid (1)
- Laton McCartney (7)
- Lauren Taylor (1)
- Linda McGlasson (1)
- malware (494)
- Mark Smail (1)
- Mark Wright (1)
- Mel Duvall (3)
- Michael Eggebrecht (3)
- Michael Lohr (1)
- Michael O'Conner (4)
- MicroSolved (1)
- Mike Duncan (3)
- Mike Meikle (4)
- Mike Spinney (1)
- Military (204)
- national security (446)
- PCI (301)
- PCI Security Standards Council (32)
- Physical Security (11)
- privacy (545)
- Rachel James (10)
- reach (4)
- Rebecca Herold (16)
- Richard Stiennon (44)
- Robert Siciliano (34)
- Sarbanes-Oxley (495)
- ScamStop (2)
- Sean Wilkins (2)
- Semyon Dukach (1)
- Simon Heron (14)
- Software Associates (11)
- Steven Fox (19)
- SUPERAntiSpyware (3)
- Sybase (6)
- Symplified (5)
- The Jester (8)
- The Privacy Professor (16)
- Thomas R. Fox (8)
- Tom Groenfeldt (2)
- Tom McLain (2)
- Trefis (14)
- Tripwire (18)
- Uncategorized (621)
- virtualization (94)
- Webcast (49)

Copyright © 2008 To Present · Information-Security-Resources.com (Permissions and Disclaimers) You are welcome to use, for any lawful purpose, the information that WE write and post to this site, provided that you link to and attribute Information-Security-Resources.com and the author(s). Any 3rd-party material linked to or referenced on this site is subject to the rights of the owners of that material.

We provide business consulting services. We do NOT provide legal or financial advice. There is no attorney / client relationship, or any privilege associated with our services. Nothing expressed on this site, or in association with our services, should be taken as legal counsel or financial advice. The opinions expressed on this site are the personal opinions of the writer(s), not those of any other individuals or organizations.

Theme: Copyright © 2008 · Revolution Code Blue designed by Brian Gardner

Information-security-resources.com is part of the Infosec Island network.