Taking a holistic view of risk

Sept. 29, 2010
A look at how ESRM initiatives have evolved

Run a Google search on "risk" and you will come up with an impressive number of results - almost a third of a billion hits. But when you start paging through these results, you will see that the lion's share of the hits focus on financial risk (as well as a popular board game), while very few of the results look at the types of risk that security professionals are responsible for identifying, prioritizing and mitigating on a daily basis.

In fact, the word "risk" has been almost entirely appropriated by the financial world, and even the inclusive-sounding "enterprise risk management" (ERM) focuses largely on investment and other financial matters. While these are certainly important, they do not include the wide range of security threats that imperil our organizations. The chief security officer of a pharmaceutical company, interviewed by the CSO Roundtable of ASIS International, for example, explains that his company had a risk management team that "wasn't addressing things that could affect our reputation, such as quality management, counterfeit brand products, bribery and corruption." This leaves us all vulnerable and with a false sense of security. And this CSO's experience was no anomaly.

But things are starting to change for the better. The CSO Roundtable did a survey and a white-paper study of enterprise security risk management (ESRM) - a holistic view of security across an entire enterprise - and found that the CSOs of some of the world's largest organizations were taking the lead in ESRM programs. In other words, they identify a wide range of risks - including physical asset and employee protection, emergency preparedness and planning, business continuity, the loss or theft of data, as well as reputational risks - and raise them to the same level of urgency as core "business" issues. They do this by leading cross-divisional working groups that include leaders from all departments.

These ESRM initiatives have had remarkable benefits for the organizations that implemented them. Some respondents to the Roundtable survey said that their ESRM programs helped their companies establish priorities and become more proactive in the face of risk; some said that their organizations ran more effectively because these working groups helped ensure that there was no duplication of effort among departments. Some respondents even called their ESRM initiatives "business differentiators" that distinguished them from competitors. There were personal benefits, too. Executives involved with these initiatives learned more about their businesses and how things were done in other departments, positioning themselves as strategic players. Those are lessons that are important for any executive's career.

That the Roundtable study showed that C-suite support was strong or even passionate for these kinds of holistic risk initiatives is proof that business leaders are becoming cognizant of the importance of security when considering the threats to their organizations. It also showed that ASIS International needs to continue to lead the industry toward ESRM.

Several of the CSOs interviewed for the ESRM white paper will be on hand at the ASIS International 56th Annual Seminar and Exhibits (Oct. 12-15) in Dallas this year. On Wednesday, Oct. 13, from 11:00 a.m. to noon, these CSOs will discuss the importance of ESRM and how they helped create and implement their ESRM initiatives. This session will provide a great opportunity to learn why - and how - you can get your own ESRM programs under way.

When looking at risk holistically, it is clear that physical security has a great many overlapping concerns with information security. That's why ASIS is building partnerships with groups such as (ISC)2, the Information Technology Sharing and Analysis Center (IT-ISAC) and the Information Systems Audit and Control Association (ISACA). Those groups will join forces with ASIS to co-brand sessions at Seminar.

The sessions from (ISC)2 will look at controlling access to sensitive information in a secure environment (this session will also feature representatives from the International Association of Privacy Professionals as well as a member of the CSO Roundtable); device tracking at the enterprise level, an exploration of the security challenges posed by criminals' use of device-tracking tools; and the importance of gaining a global perspective on security.

Managing remote and third-party access to networks is the focus of the IT-ISAC session. Via case studies, this session will examine the challenge of securing corporate networks while providing access to those networks to untrusted individuals such as contractors. ISACA sessions will look at how governance and management work together as well as how to create a strong business model for information security.

The hot topic of cloud computing is another area in which ASIS is increasing its involvement. The Cloud Security Alliance will join a Friday morning panel session at Seminar to examine the challenges of cloud security. And the ASIS Physical Security and IT Security councils have collaborated on an in-depth white paper that describes how cloud computing will affect physical-security professionals; they followed up with a well-attended Webinar that brought new perspectives to cloud computing.

It is important to remember that security does not own risk any more than the finance department does - or for that matter, any more than the legal department and various other departments do. Risk is something shared throughout the organization, and it should be clear that security executives cannot afford to ignore the financial risks that their organizations face. That's why ASIS will be partnering with the Risk and Insurance Management Society (RIMS) as well, creating a collaboration that highlights the importance of ESRM. As with our other partners, we will work together with RIMS to create educational and training opportunities that will ensure a holistic view of risk becomes the norm, not the exception.

These collaborations could not be more important to the security profession; nor could they be more timely. After all, the severe economic downturn and the spate of natural and man-made disasters we have seen just over the past few months should remind us that no one owns risk - everybody does.

Joseph "Bob" Granger is security director for the United Space Alliance, and he is the President of ASIS International.