Over 50 percent of CSO Roundtable respondents said the security department was involved in evaluating and prioritizing risks that were not security specific.
Photo credit: Research from ASIS International CSO Roundtable
April 7, 2010, Alexandria, Va. -- The ASIS International CSO Roundtable today released the results of its enterprise security risk management (ESRM) study, based on responses from CSO Roundtable members and the general ASIS membership. The research examines enterprise risk management (ERM) through the specific risks related to brand protection, supply chain management, and physical and IT security, and found that excellence in risk management is often more about business management, leadership and communication skills than about specific security expertise.
The research also found differences of opinion on what constitutes an enterprise security risk management strategy. Non-CSOs reported that business continuity and IT security were the primary risks to be considered in ESRM, with two-thirds naming business continuity planning and half naming IT security. For CSOs, the numbers were somewhat different: 60 percent of CSOs said IT was part of their risk management strategy and 52 percent said business continuity was. Approximately one-quarter of CSOs said brand protection was part of the overall risk management strategy at their companies.
The research, which was conducted in 2009, also examined how businesses manage risk, who "owns" the risk, and whether the security department is involved in core business risk management planning. Respondents included more than 80 CSOs and more than 200 other ASIS members. Besides the surveying and benchmarking, the research included in-depth interviews with 11 senior security executives from some of the world's largest companies, in which the subjects discussed risk management strategies and how those strategies affect their own firms.
"We learned that traditional security issues are rarely the ones that keep security professionals awake at night; instead, risks such as database theft, network failure and economic problems are top concerns," said Timothy L. Williams, CPP, director of global security for Caterpillar and a member of the ASIS International CSO Roundtable Advisory Board. "We discovered that most CSOs and, indeed, nearly half of non-CSOs, are already deeply involved with evaluating and mitigating non-security risks in their organizations."
The research has been released by ASIS International as a white paper (PDF download: Enterprise Security Risk Management: How Great Risks Lead to Great Deeds). The CSO Roundtable is a "dedicated forum for the senior-most security professionals from the largest and most influential organizations in the world."