Overall risks are easier to manage if they are more consolidated and processes are shared within an organization. Are enterprise security risk management and security risk reporting processes catching on?
Organizations are continuously exposed to a host of evolving threats that create a multitude of security risks. Security professionals who view risks through defined risk management principles and processes are practicing enterprise security risk management (ESRM). ESRM has been identified as a global strategic priority by ASIS International, which has been championing the concept for almost a decade. Recently, ASIS and industry partners polled the market to measure ESRM engagement and how well it is taking hold.
The ESRM engagement poll was carried out in July 2017 in conjunction with www.AllSecurityEvents.com and leading Security Convergence/ESRM Specialist James Willison of Unified Security Ltd; the Chairman of the ASIS European Convergence and ESRM Committee; Volker Wager, SRVP of Deutsche Telekom; and Dave Tyson, CPP, Cyber Security Risk Advisor at CISO Insights.
The questions and results below provide interesting insights into the thinking that makes ESRM a significant new approach to security risks. See how your organization's ESRM engagement compares:
Q1: Has the enterprise formed a security group or council to govern security risk and the security program?
Poll: 47% said yes, and 25% are developing one. Some 72% of the respondents have initiated an ESRM approach and are at different levels of maturity. About 28% have not formed a security group.
Q2: Do the enterprise executives and department or business function leaders understand the role of security as risk managers?
Poll: Some 64% of respondents indicate that enterprise executives and department or business function leaders understand the role of security as risk managers. ESRM programs that have been started and developed on this basis have a solid foundation and are much more likely to progress.
Q3: Do security teams collaborate to establish a security risk cooperative process to meet, discuss, and prioritize risks?
Poll: Interestingly, only 6% are not collaborating at all, while 92% meet with other areas of security risk and discuss risks with them. Moreover, 47% of respondents have moved further than just developing a holistic strategy and have teams not only meeting but also working in collaboration.
Q4: Does communication of security risk to management happen in a consolidated or holistic fashion?
Poll: 30% do not report risk in a holistic fashion, but 70% do so to some degree.
Q5: Do you have an information security policy for your physical security systems?
Poll: Only 11% said they had no kind of information security policy, with 21% developing one and 68% saying they have an information security policy for their physical security systems.
According to the poll responses, the results are optimistic. Most of the respondents are familiar with ESRM. One-half of the companies polled are already implementing ESRM across all dimensions. Over 70% of the respondents indicated that an ESRM strategy has either been initiated or is quite mature within their enterprise.
An overwhelming majority of respondents, at least 90%, are discussing security risks with colleagues in other areas of security. However, the analysts point out that it is critical to note that one-third of the surveyed companies have not defined clear responsibilities in their governance and do not understand the role of security and risk management.