Maturing to resilience

Over the past nine-plus years, I’ve been writing about using a risk-based approach to develop enterprise security programs.

The concepts of Enterprise Security Risk Management (ESRM) are more commonplace, and organizations are embracing the philosophy that the security department is in place to enable the success of the business.

I’ve seen the introduction, reluctance, acceptance and now growth of ESRM across a variety of industries. Conferences now have tracks dedicated to risk-based security topics, and ASIS recently released its 2022 State of Security Management, highlighting that ESRM is alive and well across the security profession.

This year, I’m honoured to be the president of ASIS, and I’m grateful to see the growth and acceptance of ESRM and the concept of assessing risks facing an organization. ASIS published its ESRM Guideline in 2019, creating a common understanding and foundational approach to designing and deploying a security program based on ESRM.

I’m happy to have played a part in some of the amazing growth of ESRM, and feel very proud to know many of the security luminaries who continue teaching and coaching other security professionals on the philosophy. As I look into 2023 and beyond, my sights are focused on the next level of maturity for security professionals — the concept of resilience.

The 2023 ASIS Europe conference focused on that as well and I’m fortunate to have attended as ASIS president.

I feel this is the natural evolution of the security profession. We’ve gone from being siloed and dedicated to tasks, to considering converging departments, to now focusing on security risks facing our enterprise.

We’ve elevated the perception of security from “the department of no” to “how can I help?” Our presentations at the executive and board levels now routinely deliver security risks facing the organization — along with recommendations to remediate — and requesting our executives to make a business decision for a security risk. This is such amazing progress during a relatively short period of time…well, if you consider the length of my security career short!

Now I feel it’s time to look ahead one more time, and consider the concept of resilience. It’s incumbent on organizations to understand the concepts of resilience, and how boards and executives must now develop their own approach to weathering the next storm. Security organizations can play a critical role in helping their entities survive and thrive during the next crisis – and so many are on the horizon.

We saw during the COVID pandemic how successful organizations were able to pivot and adapt to changing circumstances. Whether it was impacts to their supply chains or sending employees home, organizations reacted and grew during turbulent times. And they relied on their security departments to be part of those plans.

In future columns, I want to explore the concept of resilience and how security teams play a crucial role in helping their organizations continue to grow. I’m looking forward to taking this journey with you – I know we’ll all learn and grow along the way.