A challenging economy, natural disasters, and technology-borne threats have dominated the news in recent years. The global nature of risk and the consequences of a security breach to a company’s intellectual property, brand, information technology, or physical assets, require security professionals to apply their craft to identify and mitigate security risks.
But is it enough? How can we get the support of leadership to move to action and make risk mitigation a priority? The answer, I believe, lies in expanding our traditional physical security perspective to a broader understanding of our role across the enterprise. We need to work more collaboratively with the various business units in our organizations to understand their business goals, help them assess their risks, and cooperatively construct a cogent, business-focused risk management case, presented in compelling business language, that aligns security investment with risk reduction.
Traditional security risk practices have matured, and efforts to standardize the risk assessment process are underway, with ASIS and RIMS jointly developing an ANSI Risk Assessment Standard. Security managers today increasingly use regular risk assessments to justify their security programs. Skilled practitioners who can quantify risk and clearly link business-enabling solutions to the protection of priority assets will strengthen the Enterprise Risk Management (ERM) equation and be increasingly able to secure a seat at the decision-making table.
What does this mean to ASIS and our 38,000 members?
If you are looking to gain greater buy-in for your security program, you must engage your company’s various business units to accurately identify the relevant risks to the organization, as well as their likelihood and potential impact. It is also important to convey concepts in the language of the business: ROI, due diligence, and terms understood by MBAs, CPAs and lawyers. Framing the case this way matters because it links business objectives to a security strategy, and it is this ability that will increase security’s organizational relevance. Potential outcomes include:
Optimizing security spending on those risks that lie beyond the mandatory compliance baseline and are identified as critical to the business
Aiding the business by facilitating decision making that optimizes security investment
Making security a strategic competitive advantage for your company
Framing executive briefing information in terms of its relevance to the enterprise
ASIS is working to develop a methodology that will benefit the security management profession as a whole. More details will be available in the months ahead.
In the meantime, I encourage you to take the time to really understand the particular business you are in. We often think we are in the business of security. That’s our profession – the craft we practice. However, it’s incumbent upon each of us to better understand our organization’s mission and vision, how we contribute to its success, and how we bring value to the bottom line.