Organisational development for security
Virginia Satir’s work in family systems therapy was extended by Gerald Weinberg and others into organisational settings. Its central observation is that people under stress revert to survival stances: placating (keeping the peace at the cost of honesty), blaming (directing fault outward to avoid accountability), computing (retreating into procedure to avoid feeling), or distracting (disengaging altogether). These are not character failures. They are predictable responses to threat, and they are extremely common in security work.
Satir’s congruence model asks that actions, words, feelings, and context be in alignment. When they are not, communication breaks down, trust erodes, and change becomes impossible. In an incident response context this can mean the difference between a team that surfaces problems early and one that manages upwards until the situation is unrecoverable.
The practical implication for building an ISMS is that compliance frameworks describe what an organisation should do, but Satir’s work describes how people actually behave when asked to do it under pressure. A security culture that accounts for this will produce procedures that hold in a real incident, awareness programmes that build genuine capacity rather than checkbox confidence, and teams that can be honest about what is not working without fear of what that honesty will cost them.
Building security organisations that are genuinely resilient, not just compliant: