Summarizing the State of Security Risk Management
Security professionals face several challenges as they build and implement security risk management plans, according to recent research from ASIS International.
A common barrier is that security professionals lack the organizational influence they need to deploy risk management effectively, according to The Current State of Security Risk Management: Benchmarks and Effectiveness Measures report, which was published in June 2024.
Security is commonly seen through a narrow lens, as responsible only for frontline security guards or monitoring surveillance. Forty-three percent of security professionals say the rest of the organization sees them as entirely or mostly tactical rather than strategic.
They also report that the senior security executive in their organization spends far less time on high-level, strategic planning than they ideally should.
In addition, significant security incidents can spill into one another, with one situation still unresolved when the next one starts. This creates what one security professional described as a state of “permacrisis.” Three-quarters of security professionals experienced at least one type of significant security incident that impacted the organization’s operations, profitability, or reputation. Nearly one in five experienced four or more different types of incidents that had significant impacts.
Security risk management is intended to avoid preventable incidents and design mitigations to manage negative consequences of the rest. Security professionals have several tools at their disposal to identify security threats, and they value all of them. Using internal threat assessment teams topped the list, with 85 percent saying it is a very important or critical tool. Building relationships with law enforcement and similar authorities and with peers in the same industry or region also rated highly, as did open-source intelligence solutions and information from education sessions and articles.
The good news is that despite the obstacles, risk management planning is highly effective in dealing with security incidents. Nearly half (48 percent) of security professionals said that their organization’s risk management plan both identified and helped the organization manage significant security incidents, and another 32 percent said risk management helped with at least some of the significant security incidents their organizations faced.
However, despite the successes, security risk management can always be improved. Half of security professionals surveyed said they experienced a significant security incident that they could have been better prepared for.
For more from the study, see The Current State of Security Risk Management: Benchmarks and Effectiveness Measures report, sponsored by LifeRaft.