In April, the CSO Roundtable of ASIS International released the results of a comprehensive survey of its members and of the ASIS membership. The survey was meant to demonstrate some level of understanding that the security industry has concerning the adoption of an “Enterprise Security Risk Management” (ESRM) methodology.
The survey, conducted in the fall of 2009, asked for information regarding at least the following areas:
- What risks were the most challenging?
- Where do organizational support for ESRM initiatives came from?
- Which business elements of an organization were included in ESRM?
- What was security’s role in the ESRM process?
- Who has ultimate responsibility for risk in the organization?
More than 80 Chief Security Officers, and more than 200 other ASIS members from around the world, responded to the survey.
One of the major findings from the survey was best expressed by Timothy L.Williams, CPP, Dir of Global Security for Caterpillar, and a member of the CSO Roundtable Advisory Board, when he stated, “We learned that traditional security issues are rarely the ones that keep security professionals awake at night; instead, risks such as database theft, network failure and economic problems are top concerns. We discovered that most CSOs and, indeed, nearly half of non-CSOs, are already deeply involved with evaluating and mitigating non-security risks in their organizations.”
Another survey result claims that CSOs reported the greatest non-security risk they face is the downturn of the economy, followed by business issues such as competition and regulatory pressures. More than half of the CSOs surveyed said they and their security departments were involved in researching, prioritizing, mitigating or evaluating these non-security risks.
Additionally, survey results also indicated that the vast majority of security professionals believe that excellent business management, leadership and communication skills—not security expertise—are the traits that will lead to success in ESRM.
If any of these questions listed above or results stated above appear to reflect similar behaviors in your organization or even a basis for how security standards are established in your organization, then please pass this information along to those internal information security and risk management team members or perhaps, outside security consultants, who are responsible for establishing and maintaining a level of enterprise security risk management most appropriate to your organization.
Click here to read the full report.