
Illustration by iStock; Security Management

ASIS Research Aims to Measure Security’s Evolving Business Role

The ASIS International Enterprise Security Risk Management (ESRM) Guideline says the ESRM approach seeks to transition security’s role from being a delegator to being a partner.

“In a delegate role, the security professional is a task manager who executes specific steps to implement security services as directed by the asset owner,” according to the guideline. “In a partner role, the security professional is a strategic resource to the organization with a more holistic viewpoint, providing information to help asset owners and stakeholders prioritize assets, assess risks, and select mitigation strategies.”

The ASIS Security Issues Research project, Understanding the Evolving Role of Security: 2025 Security Trends, sponsored by Resolver, sought to assess a number of issues, including whether security functions in organizations have made strides in becoming strategic partners in organizations or if security’s task manager role persisted. While there is room for continued improvement, the data shows clear signs that security has begun to shed the “guns, guards, and gates” tactical image in favor of being a more strategically valuable asset within organizations.

ASIS fielded the research project survey at the end of 2024, promoting it primarily to ASIS members and customers. Overall, it had 728 participants. Demographically, these participants were very similar to those in other research projects ASIS has conducted and to ASIS membership demographics. However, because the survey was promoted primarily to ASIS members, it could introduce bias: members are more likely to be certified and more likely to pursue professional enhancements through knowledge and networking than nonmember security professionals.

When asked if security was more of a business enabler or a cost center at their organizations, 61 percent of security professionals said security was either primarily or mostly a key business enabler. Only 10 percent said security was primarily or mostly a cost center, with the rest saying it was in between.

Asked how that changed during the last two years, 55 percent indicated there had been either a slight or strong shift toward being a business enabler, 37 percent said it had not changed much, and 8 percent said there was a shift toward being a cost center.

Those same security professionals were asked to gauge the perception the organization’s executives have on the business enabler versus cost center question. The number sank somewhat, but still 49 percent said executives viewed security mostly or primarily as a key business enabler. Twenty-five percent said executives viewed security primarily or mostly as a cost center, leaving 25 percent who said executives saw security as necessary but not central to the business.

Similar to the trend of how security professionals themselves viewed security, they said executives were trending toward seeing security as a key business enabler: 54 percent said there was a slight or strong shift in the last two years toward executives seeing security as business enablers.

[Chart: Perceptions of Security’s Role in Organizations]

Domingo Ibarra is the director of security at Opportunity Home San Antonio, an organization dedicated to providing safe and affordable housing in the San Antonio, Texas, area. The organization has 600 staff and manages 74 public housing communities, and it provides housing assistance to more than 62,500 people.

“Having a seat at the table is my biggest difficulty,” says Ibarra, who reports to the organization’s chief operating officer. “There was a lack of understanding of what security really is. They did see us as a cost center, and some of them called it a necessary evil.”

However, he was able to change the perception of security at his organization so that they do see the function as a strategic partner.

“It starts with building and maintaining trust,” he says.

One example Ibarra gives of how he built trust with other business units and the organization’s executives is getting involved with an organization called the National Association of Housing and Redevelopment Officials (NAHRO). He notes that Opportunity Home San Antonio’s leaders supported that association, and so he wrote articles for NAHRO that showcased how Opportunity Home is a leader in security best practices in the field.

Not satisfied with just asking directly about perceptions, ASIS also asked survey-takers questions about other characteristics to see if the findings would bolster the thesis that security was becoming more strategic in its position in the organization.

One such question asked security professionals to rate the importance 10 different factors had in security risk assessments. Included in the 10 factors were several highly traditional security factors, including “loss or theft of intellectual property” and the “cost of lost, stolen, or compromised assets (tangible or intangible).” All of the factors were rated pretty highly, but the top factor was “organization reputation or image damage” at 77 percent.

[Chart: Important Factors in Security Risk Assessments]

“I think it is interesting because it’s a less traditional conversation for a traditional security department to be involved in,” says Brendan Monahan, chair of ASIS’s Crisis Management and Business Continuity Community Steering Committee. “What it suggests is that some of our security leaders and managers are swimming in new lanes… It’s a broader aperture than maybe a traditional security function that’s focused on investigation or physical security.”

He noted other factors that also scored highly, namely fines or citations for noncompliance of regulations or standards and impacts on the efficiency of operations, calling these areas “business enablement opportunities. …What matters most is you have to know the business and you have to know the strategy,” Monahan says. “We have a duty to do our independent assessments and bring forward objective findings, but they have to marry up to whatever the business is trying to achieve.”

ASIS also asked about the return on investment (ROI) of the security function. More than half of security professionals surveyed (53 percent) said they did measure ROI of security. Of those, only a third (34 percent) said they used quantifiable measures for ROI while 62 percent said they use qualitative descriptions of ROI.

It’s an important question because ROI is a common way executives and boards examine the value of an organization’s projects and functions. The finding shows that more than half of security professionals are trying to communicate the value of security in a way that is comparable to other business units.

[Chart: Security ROI]

“In the business sector, you’re working toward a vision, but it’s really tied to money,” says Larry Thompson, vice president of security for the Orlando Magic. “You quickly find out that value added is something that everybody is looking for. The challenge is how do you ensure that people understand that there’s value” in security.

As a vice president, Thompson is fortunate that he, as a security professional, has a seat at the table. But he also has to show he belongs in that seat.

“It is required of me to present a business plan,” he says. “Not necessarily to identify this is how [security] is going to make money for the organization, but to help people understand that security is important for us in so many different areas, that if we don’t do [security] in the right way, the business is going to suffer, and we may not even be able to operate.”

In this plan, Thompson relates security back to the other business functions, showing that security enables environments where those functions can thrive.

There is perhaps no idea more important to making security a strategic business asset than the idea of looking at the security function through the lens of risk. Security has always been about identifying possible threats and implementing strategies to protect against those threats. That will always remain a core function of security. But it is taking that next step of examining and understanding the consequences that those threats pose that takes security into the field of risk. Indeed, mature security risk practice will actually start by understanding the consequences: What are the worst things that can happen to a business asset? It then works backwards from there to analyze what threats could cause those things to happen, followed by how organizations can most effectively neutralize or mitigate those threats.

This connects back to the ESRM Guideline: risk is critical to understanding and building security’s organizational value. Like ROI, risk is a concept other business functions use.

Much like the business enablement questions above, the research shows that security as a function has made significant strides in adopting security risk management.

One-third of security professionals said their organizations strive to practice ESRM or that security risk is fully integrated into the organization’s overall risk management function. If that sounds high, it probably is—remember that bias described earlier. It is plausible that those taking the survey had more advanced views on, and work toward, security’s strategic value.

Another 26 percent of security professionals said that while security risk may not be fully integrated into the organization’s risk approach, it is nevertheless one of several risk factors that executives factor into risk-based decisions. That leaves 41 percent who say either that security risk is generally only a security concern or that their organizations do not engage in security risk management.

“To me, the goal of security professionals is to guide the business through the security risk decision process,” says Gigi Agassini, CPP, an independent security consultant. “To do that, they have to go from tactical to strategic, and that is a complete change of mindset. If they focus on tactical tasks, then they are just a task manager, but they need to become a risk manager. And to do that, they have to understand, at a deep level, the business. …They need to understand what are the critical applications, the critical processes, and who is involved in those areas. This is the basis of ESRM.”

“There’s a difference between controlling risks and taking risks, and that’s risk tolerance versus risk appetite,” says Ibarra, whose organization strives to practice ESRM. “And once we are all using the same terminology, we’re in a position where trust is built. I’ve always said—change happens at the speed of trust.”

Other security leaders agree.

“I think a lot of security leaders think their job is to avoid risk, and that’s just not the case,” Macquarie Group CSO Wayne Hendricks said in a webinar discussing the research findings. “Our organizations make money by understanding risk and knowing… in an efficient way what risk you want to avoid and which risks you want to go and accept. That’s where the friction happens, that good friction that enables you to make money. Our jobs are to be able to articulate that risk in the context of our risk appetites in our various organizations or industries and then quantify that in a way that makes it easy for the business to accept the risk or to say ‘no’ in a cost–benefit kind of way. Now we’re becoming business people, and we’re starting to become those true enablers.”

ESRM may be an unattainable goal at many organizations. Let’s face it—a security director alone cannot unilaterally incorporate ESRM into organizational practice; the idea of asset owners being responsible for all risks associated with their asset, including security risks, is likely an incredibly novel idea at many organizations and could face resistance. However, with 41 percent saying they do not employ security risk management or that it does not affect areas outside of security at their organizations, it shows there is ample room for security’s continued strategic growth using risk as a way to engage executives and other business units.

[Chart: Trends in Security Risk Management]

Overall, the research shows both that security professionals understand the need to make security a strategic asset in their organizations and that they have met with some success in getting there.

“What I would suggest is that the cost center, ‘gates, guards, and guns’ model—sometimes that’s how we’re perceived. My hope is that we as security professionals are describing ourselves as business enablers,” said William Tenney, ASIS CEO and former senior security leader at multiple organizations, in the webinar on the research. “As I sat in my role in the private sector, I had no interest in being a cost center. That’s not supporting the organization’s mission. It’s important for the advancement of the profession and for us as professionals to take” a business enabler approach.

“What I’ve seen [security] teams do effectively is leveraging your corporations’ strategies, [identifying] the risks and incidents they face and using that to have a conversation about how security can be that enabler,” Tenney continued. “The real world has an ugly way of intruding and disrupting companies and their strategies, and that’s when security has a great opportunity to step in and describe how we can enable the business to achieve organization success, grow sales, and drive the business.”

 

The full report on the research findings, Understanding the Evolving Role of Security: 2025 Security Trends, sponsored by Resolver, is available on the ASIS website.

Scott Briscoe is the content development director at ASIS International. He led the security trends research project.