The evolution of true enterprise risk management over the last 10 years reflects how larger companies identify and mitigate organizational risk. As a depressed global economy continues to shrink both security and risk departmental budgets, the threats facing businesses grow at an alarming rate. With that expanding threat landscape, the approach to mitigation continues to shift.
Since the Sept. 11 attacks, the overall context of global business has reshaped how security and risk are perceived. The emphasis has moved past technology solutions, where the ultimate goal was to prevent or deter incidents, to a more consultative tack. Mitigating risk in today’s business environment means helping C-level executives assess and calculate risk, then providing them with enough data to make an informed decision about the level of risk they judge the business can assume.
As security and risk managers aspire to business leadership positions within their organizations, it is incumbent on them to be visible leaders who create a deliberate strategy to run, grow and transform the business.
With the landscape of risk mitigation evolving into a multi-disciplined exercise involving business units, IT and security, traditional systems integration firms like the Aronson Security Group (ASG) out of Seattle are taking bold steps to better serve the market by creating a separate Security Risk Management Services (SRMS) group within its company. Moving beyond its traditional systems integration and consulting offerings, ASG will provide research, assessment and strategic planning to end user clients and also work with technology vendors to help them better understand the market needs.
“ASG has been through every inflection point in this industry for the past 53 years. We have succeeded because we listen to what the market is saying and how it is behaving. For example, security executives were saying that Value Added Resellers’ (VARs’) place in the industry was to share information about the products they represented and then install them if the customer accepted the value proposition. But what they really needed was help in creating a program that was valuable to their company while mitigating the risks,” explains Phil Aronson, President and CEO of ASG. Back in 2005, Aronson had ASG define a scorecard for a next-generation integrator, setting the expectation in the market that CSOs should determine whether an integrator had a defined methodology for assessing the baseline requirements of the business and the security program before attempting to advise on technology.
“This would require a business process mindset. We asked the questions around how their people were performing roles in their core processes. How the program, the people and the processes were measured. And we did the same thing for their security technology architecture. And then the methodology had to be able to take that information and deploy it in a highly optimized and measurable way. We called that the ASG Path to Value,” adds Aronson. “Now we are seeing security executives realizing that the risk strategy is sub-optimized because of the silos within their own company. A 360-degree picture of their program and the risk is needed. At the same time, they turn to their service providers and see a mirror image. So they have a conundrum yet to be solved. A new category of service provider must emerge. And so we evolve once again to meet an expressed and unexpressed need in the market.”
While doing their due diligence and research for this shift in the ASG profile, Aronson and his two principals in this venture, William Plante and Wendi Walsh, considered the drivers that were forcing CSOs and C-suite executives to reassess their risk picture and response. When they asked the question “what keeps you up at night?”, four responses were constants:
- We do not have the budget or the resources to hire all the subject matter expertise we need to drive to a 360-degree program.
- We need a process that helps us lead innovation and change in our people, processes, and technology.
- We need measures of performance that help us continuously improve our program and that are meaningful to our business counterparts.
- We need innovative new ways to deliver our services faster and cheaper.
As a former CSO, Ed Bacco, who is heading up the new Enterprise Security Risk Group for ASG, is very familiar with creating metrics and assigning risk value for the C-suite.
“The number one risk at Amazon was the potential loss of customer data, which Jeff Bezos referred to as a ‘company extinction event’. So you could imagine that with the CEO/Founder setting that kind of tone, we took this risk extremely seriously to the point of obsession, which from our customers’ perspective was a good thing,” says Bacco, the former global head of corporate security for Amazon.com. “Amazon, being a metrics-driven company, set a very high bar around measuring everything, including the financial impact of risks, the investments into managing/mitigating risks and the effectiveness of the countermeasures.”
Alignment with the business values and drivers is certainly a critical element of managing risk at the enterprise level. Bacco admits that while the security profession has matured and aligned itself more with the risk side of the business, understanding who owns risk and how to react to threats remains a work in progress. That is one of the drivers for ASG’s approach.
“If you ask security executives ‘who owns the risk in your organization?’, many of them will respond like I did when I first became a manager, by saying they do. But in reality, do we own risks such as the loss of cash, a breach of contract with a compliance agency or even the safety of the work environment? These risks are most likely owned by the CFO, HR or Chief Lawyer. Aligning the risk with both its owner and with the business drivers will increase the support of the security programs,” says Bacco.
But there is also no denying that technology migration and the move to more IT-centric security systems have helped change the risk paradigm within an organization. Plante asserts that this convergence presents two distinct but similar pictures of risk.
“I think that IT and Physical Security Convergence has created more similarities than differences between risk and threat management than in the past. IT has at least two views of risk: IT-related risks as they pertain to the enterprise (for example, Insider Threats via IT assets), and they should share an All Hazards Risk View to the Enterprise. Historically, IT has both a preventative stance via the design of good Cyber Security via best practices and intelligence, and the reactive capabilities that come from network monitoring. The comparison of an InfoSec program and a PhySec program shows strong similarities and some cross-over concerns. An Insider Threat is certainly a mutual concern,” says Plante, a 25-year security management veteran and the former CSO of Symantec.
Plante also says that as the rapid progression of technology continues and organizations embrace more, and more complex, solutions in the cloud and in-house, the threat risk increases. But taking a balanced approach to assessing and reacting to risk is crucial.
“Balance is an agreement between stakeholders and contributors as to what the balance point is. Complexity is a large number of simple things brought together, so managing risk-related technology is an exercise in ensuring all the stakeholders have a clear understanding of their role and requirements, and in establishing and maintaining operational rigor over systems management,” Plante says. “So, for example, establishing SLAs with the IT department for network and environment support, and adopting the IT management practices that support enterprise applications, are all recommended. Adopting a rigorous data, application, and network design for a physical security systems program via the enterprise InfoSec team is highly recommended.”
A recent Gartner study regarding the emerging face of enterprise risk management emphasizes how today’s security and risk professional must think of his or her mission in more non-traditional ways. According to the survey:
• The mission can no longer focus exclusively on technology — it must engage all controls, including behavior, process, and technology.
• The mission can no longer try to prevent every possible threat; instead, it should prioritize risks to allow conscious choices by business leaders about what will and will not be done to address threats.
• The mission shall no longer be buried deep in IT; it has to understand the impact that IT risk and security have on business outcomes.
• The mission shall not depend on smart people who know what to do; moving forward it shall formalize programs with repeatable, persistent and measurable processes.
• Risk decisions are more complex and impactful than in the past. With instant decisions, communication and processes, enterprises must act quickly and knowledgeably on both threats and opportunities.
• Risk and the accountability for risk acceptance are — and should be — owned by the business units creating and managing those risks.
• Transparency and defensibility of risky decisions are critical. Risk must be measured and addressed as part of the business process. All managers and leaders need basic risk management skills.
That means in the future CSOs will be judged just as heavily on the process as on the end result.