Security Consultants See Shortcomings in the State of Security Risk Management
In ASIS International’s research study, The Current State of Security Risk Management: Benchmarks and Effectiveness Measures, sponsored by LifeRaft, survey participants who identified as security consultants or security vendors had the option to answer an alternate set of questions designed to gauge their perspective on the state of security risk management.
The two most interesting takeaways: First, the 92 participating consultants share their practitioner counterparts’ consternation that security leaders do not have more influence over their organization’s overall approach to risk management. Secondly, consultants have a somewhat dismal view of the state of security risk management in organizations.
All the findings from the consultants’ part of the study are presented here.
Security Leaders Do Not Have Enough Influence
There is a wide gap between what consultants observe as security’s role in an organization’s risk management function and what consultants think would be ideal. Overall, 53 percent said security should either lead risk management efforts or be one of the leading voices in the organization’s risk management efforts. Approximately one-third said security should have at least the same amount of influence as other departments. This compares to 96 percent who said they should either lead the effort or be one of the leading voices.
Security practitioners answered related questions vastly differently, but with the same general pattern: 73 percent said security was critical or very important to their organization’s overall risk management approach, and 94 percent said security should have a critical or very important role.
Consultants Say State of Security Risk Management Is Not Good
The consultants did not give a ringing endorsement to the knowledge and experience of the security professionals they worked with. One-third said the practitioners they worked with lacked an understanding of security risk fundamentals, 43 percent said practitioners had a grasp of the fundamentals, and only 5 percent said practitioners had an advanced understanding. The rest (20 percent) said it was too highly variable to generalize.
This lack of confidence was reinforced when consultants assessed the effectiveness of various components of security risk management. Asked to rate four different components on a scale from not at all effective to highly effective, only “identifying key assets” garnered even 40 percent of consultants rating it as either mostly effective or highly effective.
How Consultants Rate Threat Identification Methods
Consultants and security professionals rated threat identification methods remarkably similarly, with every method garnering more than half saying it was either highly important or critically important. The two most highly rated methods were nearly identical, after which consultants’ enthusiasm for the methods waned compared to their security practitioner counterparts.
Consultants’ Exposure to ESRM
What at first glance may seem like positive findings about enterprise security risk management (ESRM) might be a mixed bag.
The survey asked consultants two questions about ESRM: how important is it, and whether they use the ASIS ESRM Guideline in their work with clients.
On the importance of ESRM, one-third said ESRM is essential, and another one-third said that with organizational support it would make the security function more effective. One in five (22 percent) said it would be good for security to work to implement ESRM even with little or no support—which is something the guideline itself also expressly supports. The other 10 percent either think ESRM is a buzzword or fad (6 percent) or do not know what ESRM is or think it is not a good approach (4 percent).
On ESRM Guideline use, 38 percent put it to use in their consulting practice, with one-third saying they are not familiar with the guideline (leaving 29 percent who are familiar with it but have not used it).
This may seem like a high adoption rate for a product, but any enthusiasm for the numbers should consider how the survey’s methodology may have skewed the results. The survey was promoted primarily to ASIS members and customers, and it was described as a survey on security risk management. These two factors were bound to introduce a selection bias that oversampled consultants who would be familiar with ESRM and the ASIS guideline.
Scott Briscoe is the content development director for ASIS International. He served as the project lead for the research and was the primary author of the resulting report.