The enterprise security risk management (ESRM) approach, though, flips that script by putting operational decisions about how to mitigate or accept risk in the hands of the asset owner and positioning the security leader as more of an internal consultant who can guide decisions that meet the asset owner’s needs and enable the business.
There’s a catch-22 in ESRM, though: ESRM increases security’s influence in the organization, but security leaders already need that influence in order to advocate for adopting an ESRM approach to risk management in the first place.