The journey toward a risk-based perspective

I’ve presented at a number of conferences, built and run a company focused on ESRM, and became the Board sponsor for ASIS’ global ESRM initiative. Along the way, I’ve come across some truly dedicated security professionals who are really embracing the concept of designing their security programs to support business objectives by identifying risks to assets. These have all been small steps on a very long journey. And while they are positive milestones, there is still some reluctance to implement a security program focused on reducing risks instead of simply ticking compliance boxes.

I’m trying not to be frustrated by this observation. I realize it’s hard to shake decades of thinking and focus energies on identifying risks instead of buying more gear to complete a task. I know it’s difficult to ask security professionals to identify mitigation strategies and seek executive acceptance instead of arguing for more budget based on fear, uncertainty and doubt.

There are still many roadblocks to face when trying to implement a risk-based security program in organizations. I’ve heard comments ranging from “We already do this,” to “Why do we need another framework?” and my favourite, “This is too hard for our leadership to accept.”

Why is this journey so difficult? Why are we having such a tough time selling the benefits of a risk-based program inside our own organizations?

That’s a great question, and one I’ve been trying to answer for many years. Maybe it’s because there isn’t enough empirical evidence to support the claims that an ESRM program can reduce overall security program costs. Maybe the idea of letting go of ownership of risks frightens some security professionals because they see this as an abdication of their perceived role. Maybe security professionals aren’t yet at a level where they can confidently translate the links between business objectives, assets to achieve these objectives, and risks facing the assets. Maybe our organizations don’t want us to remind them of the risks they’re facing because they would actually have to do something about the risks — including accepting them. Maybe the idea of formally documenting risks and then having an executive team articulate their risk appetite isn’t going to happen in some boardrooms.

Whatever the reason, developing and implementing risk-based security programs appears to remain the exception, not the rule. The majority of organizations I have been introduced to over the years seem to validate this statement, and continue to frustrate the security professionals tasked with protecting the organization’s assets. The frustration grows if the security professional has embraced the philosophy of ESRM, and can see the direct benefits of implementing a risk-based, business-focused approach to security.

I want to engage this audience, and ask for your help to motivate others. I want you to think of times you were able to use some of the concepts from this column to help reduce the risks facing your organization. I want to hear about your struggles and your achievements regarding a risk based approach to security.

We need to capture the collective knowledge of the security profession, and to hear from those in the trenches tasked with building and implementing security programs based on risk.

Reach out to me through LinkedIn, Twitter (@Tim_McCreight) or email (tmccreight@obsglobal.com). Let’s start a dialogue, and see where this goes. It’s time to rewrite our story.  

Tim McCreight is the principal consultant for Online Business Systems (www.obsglobal.com).

This article originally appeared in the July/August 2018 issue of Canadian Security.