My Point of View: The Proof is in the Process, Not Just the Results

The evolution of true enterprise risk management over the last 10 years is reflective of how larger companies identify and mitigate organizational risk. As repressive global economies continue to shrink both security and risk departmental budgets, the threats facing businesses grow at an alarming rate. With that expanding threat landscape, the approach to mitigation continues to shift.

Since the Sept. 11 attacks, the overall context of global business has reshaped how security and risk are perceived. The emphasis has moved past technology solutions where the ultimate goal was to prevent or deter incidents, to more of a consultative tact. Mitigating risk in today’s business environment means helping C-level executive assess and calculate risk, then provide them enough data to make an informed decision related to the level of risk they figure the business can assume.

As security and risk managers aspire to business leadership positions within their organizations, it is incumbent on them to be visible leaders who create a deliberate strategy to run, grow and transform the business.

An informal survey entitled, What is the Top Security Risk to Your Organization, conducted in 2012 by the Security Executive Council, demonstrates how the psyche of CSO and CISO leadership has shifted from a reactive to a proactive stance where business alignment is concerned. There is an ownership of issues that in previous decades never touched the purview of security — risk management, business continuity management (BCM), compliance (audit), security and privacy.

The results are telling and definitely enhance the business profile of tomorrow’s security leader. While the top concern among 17% of the respondents dealt with IT system security —reflecting a data and information management control issue — providing business continuity/crisis management options (14%) and regulatory and compliance adherence (12%) ranked close behind. These three priorities provide the new roadmap for total business alignment, of which security and risk are a backbone.

A new Gartner study regarding the emerging face of enterprise risk management emphasizes how today’s security and risk professional must think of his or her mission in more non-traditional ways. According to the survey:

• The mission can no longer focus exclusively on technology — it must engage all controls, including behavior, process and technology.

• The mission can no longer try to prevent every possible threat; instead, it should prioritize risks to allow conscious choices by business leaders about what will and will not be done to address threats.

• The mission shall no longer be buried deep in IT; it has to understand the impact that IT risk and security have on business outcomes.

• The mission shall not depend on smart people who know what to do; moving forward it shall formalize programs with repeatable, persistent and measurable processes.

• Risk decisions are more complex and impactful than in the past. With instant decisions communication and processes, enterprises must act quickly and knowledgeably to both threats and opportunities.

• Risk and the accountability for risk acceptance are — and should be — owned by the business units creating and managing those risks.

• Transparency and defensibility of risky decisions are critical. Risk must be measured and addressed as part of the business process. All managers and leaders need basic risk management skills.

In a recent article in CIO magazine, Tim Erlin, director of IT security and risk strategy for nCircle, says that security and risk management professionals in 2013 are going to be asked to better measure the performance of their work: “The 2013 trend will be to shift away from risk management implementation and toward the measurement of the performance of those programs,” he says. “Performance management will allow faster, more practical evolution of risk strategies.”

That means in the future you will be judged just as heavily on the process as you will the end-result. Are you prepared?

If you have any comments for Steve Lasky regarding this or any other security industry-related issue, please e-mail him at