CA Community

More from ISACA's Info Security Management Conf: What is "Enterprise Risk Management" and how will it impact the CSO of the future?

Published: September 16 2008, 08:00 AM
by Yves Le Roux


At this month's ISACA Information Security Management Conference, I sat in on the "Convergence of Security and Enterprise Risk Management" panel dedicated to this topic. Panelists were Ron Hale, ISACA Director of Information Security Practices, Jeff Spivey, past president of ASIS International and Director at Security Risk Management, and Mark Leary, Director of Information Assurance at Northrup Grumman.

Enterprise Risk Management (ERM) remains an evolving concept with a wide range of interpretations that largely depend on the implications of risk in different industry sectors.

The first challenge is to define the scope of ERM. Many current programs address only four types of risk:

  • Operational
  • IT security
  • Regulatory/Compliance
  • Business Continuity

(For a description of a taxonomy of Risk Management see this report from the Alliance for Enterprise Security Risk Management, published in 2007.)

But this model of risk ignores other categories that may be very important to consider in the enterprise (e.g. geopolitical, reputational, market and liquidity risk).

ERM requires a shift in thinking, one that moves risk management from a functional, technical orientation toward a more business-oriented approach.

This directly impacts the future of the CSO. Security is no longer just an issue of protecting corporate resources ("keeping the bad guys out"). Security has a role to play in supporting growth by improving risk management related to growth activities such as entry into new markets, establishment of new alliances and the adoption of new business models. Let's look at a couple of quick examples to see the impacts of security on enablement of new business.

First, a robust and flexible Identity and Access Management solution can make M&As easier to execute, because merging IT organizations is much simpler when user management is centralized rather than spread across many distributed silos. It can also automate and streamline basic IT processes such as user provisioning, making it much easier to scale these processes as the company grows.

Second, identity federation can help create a secure environment in which to develop and deploy complex partner ecosystems, which in turn can open new opportunities for revenue growth.

These are just two examples of how good IT security can help grow the business. Security professionals therefore need to expand their horizons to consider the impact their efforts have on the overall organization, and to consistently leverage their security expertise for the betterment of the business. Consequently, there is a need to prepare security professionals for new roles, heightened responsibilities and an expanded mastery of complex business risk management.

Yves Le Roux boasts nearly four decades of experience in information and network security, standardization, compliance and risk. Currently, he is CA’s GRC expert in EMEA, based in France, where he works with customers to develop strategic GRC programs and solutions. Yves is an active member of several...