By Tim McCreight (Risk Perspective, Opinion)
Security professionals like to solve problems.
We react to situations and develop solutions to return our operations back to normal. Identifying remediation strategies within an Enterprise Security Risk Management (ESRM) program is similar, but it takes us out of our security comfort zone and into the business realm.
This means that our previous experience regarding risk remediation must change, and we must embrace the objectivity of ESRM. And in some cases, we’re going to have to let our fears go and let our business leaders accept the risk. That’s going to be very difficult for many security professionals to accept. Our role in ESRM is to be a trusted advisor, offering objective information regarding risks facing our assets. We need to remove ourselves from the mindset that we have to “fix” something.
I’ve had personal experience with this change in mindset, and it’s been both positive and negative. Early in my career, I was very passionate and sometimes a bit outspoken with my thoughts about a risk assessment. I remember being very upset that my thorough risk assessment didn’t seem to garner the same interest from senior leadership as it did from my fellow security professionals. I hadn’t yet embraced the concept of trusted advisor, and believed that security was here to help solve all the problems facing the organization.
I hadn’t yet figured out that our role, in this latter stage of the ESRM lifecycle, is to provide objective, business-focused suggestions to remediate the identified risks. Security professionals do not accept these risks, nor develop individual projects to begin remediation. The goal of this ESRM phase is to collaboratively assess options available to the business to remediate the risk. And, in some cases, the risk may be accepted by the organization — something security professionals are slowly learning to embrace.
As my career matured (and thankfully, me along with it), I began to understand the value of collaboratively developing remediation plans with the business units I was working with. We need to move out of our security role and appreciate the business aspects of risk remediation. Sometimes, organizations will commit funds to reduce the risks. In other cases, the risk activities may be deferred if they’re posing an unacceptable risk to the business. And, in a few cases I’ve been part of, the risks are acknowledged and accepted because the potential reward is worth the risk.
This was one of the hardest lessons I learned during my career — when we come up with options to deal with risk, one of the options is to accept the risk. For me, this became a transition point in my career. I moved away from developing purely technical or security-based solutions to solve a risk problem, and began developing joint opportunities with business units. I began to appreciate that others have a part to play in identifying remediation strategies — it’s not just security that has a say in the process.
We don’t have to lose our passion or resolve to continue protecting the assets of our organizations. Those strong feelings give rise to some amazing and ingenious ways of remediating risks. I’ve watched members of my team find creative solutions to address complex risk scenarios at the same table with finance, legal, HR and business team members.
The principles of ESRM, particularly in this phase, can positively affect the process of identifying options to remediate risks. Keeping an open mind, collaborating with diverse team members, and identifying strategies are all part of the ESRM process. I wish I had followed this approach sooner — I could have avoided some grey hair.
Tim McCreight is the director of strategic alliances at Hitachi Systems Security.