
Illustration by iStock; Security Management

How Your Influence Can Help or Hinder ESRM Maturity

Security is not considered a business enabler, and therefore security professionals have a constrained degree of influence in their organizations compared to general managers who work across multiple areas. This tough love was brought to you by the researchers behind the 2023 ASIS Foundation report The Influence of Security Risk Management: Understanding Security’s Corporate Sphere of Risk Influence.

“Organizational context affects how much influence a function has, and this is noticeable when security resourcing and implementation is mandated within a compliance-directed, regulatory environment,” the report said. “For instance, security screening of personnel is an accepted and standard practice because it is legislated and audited—there is a mandated and collective agreement of the importance, and therefore security has significant influence.

“The research found that when security risk management is not mandated as part of a regulatory framework, which is usually the case, security managers often deemphasize security risk management while prioritizing compliance-driven actions. This further reduces the influence security has in an organization’s risk management processes.”

The enterprise security risk management (ESRM) approach, though, flips that script by putting operational decisions about how to mitigate or accept risk in the hands of the asset owner and positioning the security leader as more of an internal consultant who can guide decisions that meet the asset owner’s needs and enable the business.

There’s a catch-22 in ESRM though: ESRM increases security’s influence in the organization, but security leaders need influence in order to advocate for an ESRM approach to risk management.

“The foundation report made it very clear that, currently, security is not seen as engaging with decision-makers,” says Rachelle Loyear, vice president of integrated security solutions at Allied Universal and a member of the ASIS North American Regional Board of Directors. “It’s seen as very operational, it’s kind of a technical activity. There are barriers in place that keep security from really having this professional level of respect that you would get in the legal department or something like that. Which is a shame because security is just as much about risk management as legal, accounting, and the risk team. In that same report, it talks about aligning risk management work to the broader organizational risk. It talks about risk models, it talks about engaging in business language, and that is ESRM.”

ESRM focuses on relationship-building, so that security leaders can liaise with asset owners to enable them to manage risk. The section of the ASIS ESRM Guideline about context includes mission and vision, core values, operating environment, and stakeholders, and an ESRM-aligned security program that accounts for these can better align the security professional’s goals with those of the broader organization, says David Feeney, CPP, PSP, a Deloitte Risk and Financial Advisory senior manager in the cyber and strategic risk practice and a member of the ASIS ESRM Community’s steering committee.

“It is that alignment that increases the influence of security in the organization, but also often positively changes the nature of that influence,” he explains.

“ESRM positions the security function as a strategic advisor to the business,” Feeney says. “Security professionals may adopt a more consultative approach to working with asset owners and other stakeholders—and security leaders may benefit from adopting a more strategic approach in conjunction with adopting ESRM. Experience working at executive, C-suite, or board levels can help develop and refine these skill sets.”

One of those essential skills is communication, which is integral to relationship management. The report on security influence identified language as a significant issue when communicating security risk messages. Not only are key terms used interchangeably—clouding the water around their meaning—but the use of jargon and lack of connection to business concepts can erect a barrier in understanding between security teams and their counterparts across the business.

“The ability to communicate the link between the operational nature of security risk to comparable strategic business impacts is the most effective means of gaining influence,” the ASIS Foundation report said. “Security professionals can achieve better influence by translating security risks into business language, using business metrics for senior decision makers and boards. Research participants noted it is not a board’s role to understand security, but security’s role to communicate effectively to the board.”

While security broadly lacks a degree of corporate influence, individuals can achieve high levels of influence through personal leadership, the report noted.

“In this case, the level of influence is a continuum dependent on an individual’s education and experience, personality facets including communication skills, and the organizational risk context in which they operate,” the researchers wrote.

Loyear outlines four key areas to improve executive presence with ESRM in mind:

Language. It’s a common pitfall—one that Loyear admits she falls into as well: the use of security jargon. “I speak security language, and it’s very, very important that you meet your audience where they are,” she says. It can be off-putting for your audience to sit through a confusing presentation full of terms and concepts they do not understand, which undercuts your message about trying to enable their success.

Business skills. These are often table stakes, Loyear says. You need to understand how to read a profit and loss (P&L) report. You need to understand how your request or program impacts the organization’s finances. “You are asking for money, but you can also give back in some way if you understand the broader financial picture,” Loyear says.

Trust. “You’ve got to have those business skills, but security is still very much a relationship business,” she says. “They have to feel like they can trust you. We talk about this a lot in ESRM—get to know your stakeholders. Don’t go tell them things but ask them what they do. Ask them what their needs are and what’s important to them, so that when you get to the point of needing to ask them for support, they don’t think you’re just there to use or scare them.”

Even in situations where the security executive really does have the answer, waiting and listening to the asset owner, trying out their solution first, and then guiding them to a better option can both build longer-lasting relationships and uncover unforeseen opportunities and options.

“In an ESRM environment, the asset owner is the risk owner, which aligns accountability for the asset with accountability for risks to the asset,” says Feeney. “It is important that decision-making authority be assigned to the party that is accountable for those decisions. At times, security professionals can be hesitant to give that decision-making authority to asset owners—however, this is a critical success factor for ESRM adoption. Organizations benefit with this shift in strategy as asset owners tend to lean in more on the consultative relationship with security professionals.”

Executive presentation. Consider joining an organization like Toastmasters or a different speaking organization to improve your presentation skills. At the very least, Loyear says, watch some TED Talks and collect tips on how to present complex information succinctly.

Executives “have very little time and very little attention span,” she says. “You’ve got to learn to narrow your focus and only speak to the points that are important at that executive level.”

Consider practicing your presentation skills by participating in security or business conferences, such as GSX. In addition, volunteer leadership gives security professionals the opportunity to speak with leaders at many different types of organizations and learn how to communicate in a way that connects with multiple audiences, Loyear adds.

Learn more about ESRM on the ASIS topic page here: ESRM (asisonline.org)
Consider using the ESRM Maturity Model Self-Assessment to see where your organization stands here: ESRM Maturity Model Self-Assessment (asisonline.org)


Claire Meyer is managing editor of Security Management. Connect with her on LinkedIn or via email at [email protected].
