I am the CEO of a risk, resilience and security company that is redefining the services required to provide a 360-degree view and understanding of an organization’s risk strategy, plan, processes and metrics. We are in the emerging Security Risk Management Services (SRMS) market.
At one time we were called an integrator or a Value-Added-Reseller (VAR). We were known by our program management methodology called the ASG Path to Value, our consultative approach to the organization and our engineering. Those qualities in themselves would have distinguished us. But one of our core values is innovation and change: our ability to adapt our organization to the dynamics of a changing risk landscape, an accelerated technology wave and the unique demands of a virtual managed services business model.
There are many inputs that we must receive and understand before we invest in innovation and change. Being invited into your suite has allowed us to understand your program in the context of your business as well as the unique challenges you face navigating the mission of your organization while helping you confront and mitigate those risks.
Because of those challenges, the emerging risk leader needs to harness the power of a network of service providers that understand Enterprise Security Risk Management.
If you ask enterprise security executives what their greatest concerns are, you won’t be surprised to hear that violence in the workplace, property theft, data loss and terrorism are at the top of the list. But you might not expect to hear that the economy, competition, long-term shareholder value and regulatory pressures also rank high.
As an enterprise security executive, you are recognizing that whatever security risks your enterprise faces, you need to collaborate across the business to ensure that the goals of the company are met while mitigating risk. This is Enterprise Security Risk Management (ESRM).
This is not to be confused with Enterprise Risk Management (ERM), which has typically been associated with the financial side of business such as credit risk and commodities-pricing risk. ESRM highlights the protection of assets and activities such as physical security, investigations, crisis management, business continuity and data protection. Any disruption in one of these areas could be harmful to an organization’s profit or reputation. And, unlike a physical security lapse, a bad trade is not likely to put an employee in harm’s way.
Between the moment you recognize the need to act and the moment you actually start to address the problem, there exists a knowledge and resource gap. This gap creates risk, impedes the time it takes to address risk and multiplies cost within the enterprise. This strategic gap has serious risk implications for any organization, but remains largely unaddressed by service vendors.
This gap also can dilute the leverage and significance of technology deployment. Technology can ultimately collapse the time-to-value of a security executive’s actions. But first you have to understand how your current people perform roles in a process using technology to adequately respond to risk conditions.
We are finding that ESRM provides the methodology, the philosophy, the language and the foundational values to create a culture of predictive and proactive risk management.
If translated to technology deployments, this provides the framework to articulate a clear roadmap for innovation and change that can cross any knowledge domain from cybersecurity and building management system security to physical security.
We believe it is critical to begin to track services and products against this framework. With metrics from our learnings, we can begin to understand impact as well as continuous improvement of each participating vendor who leverages the discipline of ESRM. So we would like to propose a name for this category of services: Security Risk Management Services or SRMS.
SRMS vendors would be subject to a scorecard to understand their ability to deliver on a segment of ERMS or act as the hub in orchestrating a program of services across the organization.
In my next column I will provide an example of how such a vendor would interact with a CSO and their team to move through a proscribed methodology for mitigating risk, driving organizational value and creating the context for a leveraging a new category of service vendors in SRMS.