No one knows what to make of ESRM. The Enterprise Security Risk Management philosophy had been lurking on the periphery of mainstream security practice since the early 2000s, when ASIS International, ISACA and ISSA created the Alliance for Enterprise Security Risk Management. That group generated a few reports, then fizzled out.
ASIS picked up the mantle again several years later, when the CSO Roundtable (now CSO Center) published a white paper and survey results on the topic. Some thought leaders published articles on ESRM and a book even emerged. Still, it didn’t stick.
In the summer of 2016, ASIS took its boldest step yet, forming a Presidential Commission that created the apparatus for embedding ESRM into ASIS’s standards and guidelines, programming, content and, eventually, certification. (Full disclosure: I was the ASIS staff officer responsible for ESRM.)
Among ASIS’s accomplishments since that time was the creation of an ESRM guideline. Outside the walls of ASIS, Brian Allen and Rachelle Loyear addressed the dearth of ESRM literature by publishing an extensive overview of the topic as well as a hands-on practitioner’s guide. And a group of ESRM pioneers and stalwarts stood up a small association called the Global Security Risk Management Alliance.
It’s been five years since ASIS recommitted to ESRM, but the results are still murky. How do security professionals feel about ESRM? Is it the holy grail, an unrealistic aspiration, another name for current practice, or somewhere in between? To what extent have organisations bought into ESRM and what has hindered those that haven’t?
Spurred by an invitation to debate ESRM in a webinar sponsored by The OSPAs (Outstanding Security Performance Awards), I developed a brief survey and made it available to senior security professionals around the world. I presented some of the results in that webinar, but I provide more detail and analysis in this piece.
As a refresher, ESRM is both a philosophy and a management system preaching that security issues should not be stovepiped. It is a risk-based approach to holistically managing organisational security risks through accepted risk principles. ESRM embraces all aspects of security risk: physical, cyber, information, loss prevention, threat management, resilience, fraud, brand protection, travel safety and so on.
In 15 or so years of being involved with ESRM, I heard the philosophy lauded and maligned in equal measure. Where does it stand today?
Based on the 88 responses to the survey, security executives overwhelmingly support ESRM. Asked about their perception of ESRM, 40% responded that it was very positive, 36% said it was positive and 10% felt somewhat positive. That’s 86% with a sunny view of ESRM. 9% were neutral, a scant 3% were somewhat negative and a vanishingly small 1% were very negative.
This comment by a respondent encapsulated many of the reasons for the enthusiasm:
“First, through ESRM, security has a seat at the table and security risks are alongside other risks considered similarly relevant. Second, ESRM fundamentally challenges ‘the way things have always been done around here.’ It also challenges security professionals to take a more business-enabling (rather than inhibiting) stance and learn the risk management principles and toolsets. Finally, ESRM places security where it always should be: an advisory function like HR or Legal.”
Multiple respondents cited silo-busting as one of the key features of ESRM—in essence, the difference between security risk management and Enterprise Security Risk Management. A retail CSO, for instance, described ESRM as an effective way of managing business risks companywide. That includes creating awareness, generating feedback and soliciting contributions from throughout the organisation.
News is more mixed when it comes to whether security executives actually implement ESRM. Only 14% of respondents said that they had a formalised holistic risk management program that they referred to as ESRM. At the other end of the spectrum were the 10% who said they don’t use ESRM at all. The vast majority fell in the middle: 62% said they practice many of the principles, but don’t refer to their approach as ESRM. Within this majority, optimism and frustration appeared in roughly equal measure. Many respondents acknowledged various challenges.
A security executive in the retail industry crystallized the frustration of many: “Nothing valuable has been done with what was a fantastic theory.” That person continued: “It’s very disappointing how industry leaders totally dropped the ball on communicating and incorporating this.”
Perhaps the most devastating response came from the security director at a financial services company: “I once raised ESRM with our CSO. He laughed. Told me he’d never waste time trying to sell it to business leaders and it didn’t benefit his mission.”
As the last comment indicates, the business element of ESRM often proves elusive. Risk managers tend to have business backgrounds while security professionals do not, one respondent argued. As a result, security often gets subsumed into risk management.
Some attribute this business-acumen deficit to the predominance of law enforcement and military backgrounds in the profession. “Many CSOs are former law enforcement who lack the skills or motivation to clearly delineate risks for the overall business and define what the security organisation is for that business,” one respondent observed.
Though surveys show that the percentage of security professionals with business backgrounds is increasing, the pace may be too sluggish. The traditional security mindset also resists change. “We’re not recruiting a sufficient diversity of practitioners or investing sufficiently in on-the-job training to bring the broad range of skill sets into security that we require,” contended an academic who is recognised as a thought leader in security.
The financial services security director was even more forceful:
“I do not see any input from actual business leaders from outside the security industry into the process and do not see actual business leaders supporting it now. It does not address the fundamental challenge that the industry faces, which is being consistently valuable to business leaders which can only be addressed when security professionals start to think and act like business professionals.”
Lack of clarity
Another issue is that even experienced professionals still conflate ESRM with related concepts such as convergence, resilience and enterprise risk management (ERM). One respondent bristled at terminology used incorrectly or interchangeably depending on the person. As another respondent put it, “ESRM is unclear and obscure for many security professionals.”
And although ESRM has been around for two decades, some say it’s still in its infancy. Many security practitioners view ESRM narrowly and operationally. As one respondent put it: “They equate it with some subset of the toolkit, such as site audits. A mature view of risk is lacking; that is, consideration of ‘what might happen’ and how that will impact the decisions we make.”
Other critics deliver more focused critiques. They say that security lacks the clout to be the major player in risk management, that business owners are loath to literally sign off on risk measures, or that security, rather than a particular business unit, should own risks.
Still, there’s plenty of hope. ASIS continues to deliver ESRM-based content and to embed that philosophy into its DNA. For example, the group working on the next iteration of the Chief Security Officer standard is incorporating elements from the ESRM guideline. And ASIS’s conferences remain replete with ESRM sessions.
Plus, ESRM has plenty of advocates. “It’s the best way to demonstrate to the C-suite that security is an enabler,” said the CSO of a nonprofit. Added a security executive at an insurance company: “It is a simple and professional way for security leaders to organise their programs and elevate them to leadership.”
ESRM’s fate may be that it suits some organisations and not others. As the CSO of an energy company put it, “the success of a sound ESRM program is directly dependent on the culture of the organisation and the buy-in from executive leaders.”
By Michael Gips, JD, CPP, CSyP