As I begin another year in the security industry, I’m hopeful that during 2017 we see our profession focus on Enterprise Security Risk Management, and that we begin the journey toward identifying ourselves more closely as enterprise risk professionals.
ASIS International fuelled some of my optimism in November 2016 when it announced the resurrection of Enterprise Security Risk Management (ESRM) as a strategic priority for ASIS and its members worldwide. As a new member of the ASIS Board of Directors, I’m encouraged to see the focus on addressing risks across an enterprise, and on how a security program can positively affect the risk posture of an organization while enabling business objectives through the treatment of risk. For those who’ve read this column over the past couple of years, you know where my passion lies — helping an organization achieve its objectives by identifying risks, and either accepting those risks or working out strategies to mitigate them.
I’m hoping this renewed focus on ESRM triggers new conversations amongst security professionals, and in turn begins deeper dialogues with executives in organizations regarding enterprise risks. Security professionals will soon see new material on how ESRM principles can be incorporated into a holistic security program, and how discussions with senior leadership regarding risks and risk treatment can be an amazing avenue for greater collaboration across the enterprise.
ESRM isn’t a panacea for the security industry, and it will not help resolve every risk facing every organization. On the contrary, this realignment toward ESRM principles and practices will have the opposite effect — more risks will undoubtedly be uncovered in organizations, and from different areas of the organization than are typically addressed by a “stovepipe” approach to security.
Security organizations cannot operate in one or two silos, hoping to make their portion of the enterprise “secure.” A security program cannot succeed if it addresses only a portion of the enterprise and does not treat risk from a holistic perspective. Throughout the history of this column, I’ve provided personal examples of what can go wrong with a risk assessment or a security program when you focus only on immediate issues and don’t look at risks from a more strategic perspective.
We are entering a new time for our profession. Recent headlines across the globe have documented what can go wrong when risks are not identified, or when their potential impacts are not understood. From terrorist strikes to ransomware attacks to concerns about altering election outcomes, we were exposed to a variety of security events in the past few years. I believe we have moved into a new level of threat — the subtle threats to organizations that mask themselves as something entirely benign, but with the potential to critically impact an organization.
As ASIS International begins its journey back along the ESRM path, I am positive this journey is the right one for our profession to take. I also feel it is the right time, and that I and the other members of the Board of Directors are fully engaged in and supportive of this initiative for ASIS and its members.
We need to be engaged at a different level within our organizations, looking at enterprise-level risks that require a collaborative approach to assess and understand the potential impacts on the organizations in our care. I think we have a chance to start making a real difference in our organizations if we can embrace the ESRM philosophy and approach.