Security Magazine logo
search
cart
facebook twitter linkedin youtube
  • Sign In
  • Create Account
  • Sign Out
  • My Account
Security Magazine logo
  • NEWS
    • Security Newswire
    • Technologies & Solutions
  • MANAGEMENT
    • Leadership Management
    • Enterprise Services
    • Security Education & Training
    • Logical Security
    • Security & Business Resilience
    • Profiles in Excellence
  • PHYSICAL
    • Access Management
    • Fire & Life Safety
    • Identity Management
    • Physical Security
    • Video Surveillance
    • Case Studies (Physical)
  • CYBER
    • Cybersecurity News
    • More
  • BLOG
  • COLUMNS
    • Career Intelligence
    • Cyber Tactics
    • Cybersecurity Education & Training
    • Leadership & Management
    • Security Talk
  • EXCLUSIVES
    • Annual Guarding Report
    • Most Influential People in Security
    • The Security Benchmark Report
    • Top Guard and Security Officer Companies
    • Top Cybersecurity Leaders
    • Women in Security
  • SECTORS
    • Arenas / Stadiums / Leagues / Entertainment
    • Banking/Finance/Insurance
    • Construction, Real Estate, Property Management
    • Education: K-12
    • Education: University
    • Government: Federal, State and Local
    • Hospitality & Casinos
    • Hospitals & Medical Centers
    • Infrastructure:Electric,Gas & Water
    • Ports: Sea, Land, & Air
    • Retail/Restaurants/Convenience
    • Transportation/Logistics/Supply Chain/Distribution/ Warehousing
  • EVENTS
    • Industry Events
    • Webinars
    • Solutions by Sector
    • Security 500 Conference
  • MEDIA
    • Interactive Spotlight
    • Photo Galleries
    • Podcasts
    • Polls
    • Videos
      • Cybersecurity & Geopolitical Discussion
      • Ask Me Anything (AMA) Series
  • MORE
    • Call for Entries
    • Classifieds & Job Listings
    • Newsletter
    • Sponsor Insights
    • Store
    • White Papers
  • EMAG
    • eMagazine
    • This Month's Content
    • Advertise
  • SIGN UP!
ColumnsManagementLeadership & ManagementSecurity Leadership and Management

Enterprise Security Risk Management…Culture Eats Strategy

By Wesley Bull
SEC0419-leadership-feat-slide1_900px
SEC0419-leadership-slide2_900px
SEC0419-leadership-feat-slide1_900px
SEC0419-leadership-slide2_900px
April 1, 2019

Enterprise Security Risk Management, or ESRM, seems to be the new buzzword across the corporate security ecosystem. Interestingly, any of us who have led its parent “enterprise risk management” (ERM) recognize “security” has been a component part of the enterprise risk management framework for well over a couple of decades, arguably more. Nevertheless, given the prudence of security leaders adopting an “enterprise-wide” perspective, there is renewed focus in this domain. Most security leaders are highly adept at the hard-skills aspects of administering a security program: policies, procedures, operational execution and technology among others. However, as you codify your enterprise security risk management strategy, are you giving the soft-skills elements their due attention?

Mention the name of the highly lauded management consultant Peter Drucker and many ears in the forest of leadership development immediately perk up. Drucker famously once said, “Culture eats strategy for breakfast.” This prescient warning was a signal to business leaders that corporate culture is far more determinative of success than the company’s strategic plan – and decades of abysmal mergers and acquisitions prove this. So what does this have to do with enterprise security risk management? Simply stated, because the same prescient warning also applies to the ESRM strategy in an organization!

I recently wrote an article for Security magazine entitled “Is Your Company’s Culture An Environment That Encourages Workplace Violence?” that explored the ostensible nexus between corporate culture, work environment and the increased potential for workplace violence risk. In it, I used the definition of culture offered by Harvard Business Review: “cultural norms define what is encouraged, discouraged, accepted, or rejected within a group”.

A more simple definition might be “the way we really get things done and do things in our organization”. Now apply this definition to your organization. What are the cultural norms in your organization? How do the realities of your cultural norms, not the ones espoused, define what is truly encouraged, discouraged, or acceptable, unacceptable?

Push beyond the hard skills stuff like execution of policies and procedures to realistically evaluate the norms of behaviors, people interactions, espoused corporate values: is there clarity on what is actually valued? Consistency? Accountability? Enforcement? Engagement? What about a commitment to improvement? The “softer” elements of cultural norms will be highly determinative of whether your strategy in enterprise security risk management has any hope of being viable.

While a CSO, I often said to my leadership team, “We can develop the best security strategy in the world, and if our culture isn’t going to let it happen, it will absolutely fail in its attempt at implementation”. I have personally experienced culture eating security strategy – and have the scars to prove it, despite prior success as a seasoned and diversely skilled leader.

If your company culture is one where non-compliance and non-enforcement of policies is the norm, do you really think your new access control or visitor management policy implementation is going to succeed? Probably not.

With the foregoing considerations in mind, an absolutely essential and preliminary element in developing your ESRM strategy framework is to begin with an audit of your company’s culture. At this point, you may be wondering how am I supposed to do that? On its face, such a task may seem daunting. However, in all probability, you are already in possession of all types of data and intelligence to quantify and qualify how cultural norms may eat your strategy!

Begin with developing an insiders approach within the security function by gathering data from your own sources: dashboards, operational metrics, incident and investigations data, technology issues and findings and beyond. Trend those out over a period; say a three-year historical lens. What trends emerge? What do all these data points tell you about the cultural norms? Are there hot spots – and if yes, where? Are people being held accountable for causing security issues, creating vulnerabilities? Does root cause analysis suggest that there is a lack of clarity in policy – or why a particular policy matters? All these data points serve to provide the leader with tangible insights on the cultural norms around security matters - which can serve to inform critical elements for developing out an ESRM strategy. From this, a leader can reasonably extrapolate likely areas of success and equally trip wires that will require greater attention to influence the shifting of cultural norms related to security.

As important is to conduct a broader scan of cultural norms. The former questions can be applied outside of the security lens. A great starting point can be obtaining all focus group or employee survey data from your HR business partners. Assessing the pulse of the organization from these data sets can be very helpful and serve as a reconciliation point for your own security culture data analysis. Do they align? Where are there disconnects? How might you solve for them and are those solutions even viable in the current environment? Which other leaders can help you influence a shift?

Taking the time to acquire and understand such cultural insights - and interpolating them with your security program planning – can be very helpful to the development of an ESRM strategy and making an early determination on whether your preliminary ESRM strategy may be eaten by your company’s culture. I look forward to hearing from our readers about your own successes, failures and insights.

KEYWORDS: security leaders security metrics security risk management

Share This Story

Looking for a reprint of this article?
From high-res PDFs to custom plaques, order your copy today!

Sec0419 leadership slide2 900px

Wesley Bull is the CEO of Sentinel Resource Group, LLC, a protection risk management consulting and solutions firm. Prior to leading SRG, his professional experience includes operational roles in law enforcement, public safety, special task force assignments within the US intelligence community and lastly serving as the chief security executive (CSO/CISM/FSO) for a private wealth management firm and global technology company.

Recommended Content

JOIN TODAY
To unlock your recommendations.

Already have an account? Sign In

  • Cyber tech background

    Security’s Top Cybersecurity Leaders 2026

    Security magazine’s Top Cybersecurity Leaders 2026 award...
    Security Leadership and Management
  • Iintegration and use of emerging tools

    Future Proof Your Security Career with AI Skills

    AI’s evolution demands security leaders master...
    Security Education & Training
    By: Jerry J. Brennan and Joanne R. Pollock
  • The 2025 Security Benchmark Report

    The 2025 Security Benchmark Report

    The 2025 Security Benchmark Report surveys enterprise...
    The Security Benchmark Report
    By: Rachelle Blair-Frasier
Manage My Account
  • Security Newsletter
  • eMagazine Subscriptions
  • Manage My Preferences
  • Online Registration
  • Mobile App
  • Subscription Customer Service

More Videos

Popular Stories

Hand reaching up out of the ocean

What I Learned About Burnout the Hard Way (and How to Actually Fix it)

Officers at an event

The 2026 FIFA World Cup Will Test Security Operations Like Never Before

Paparazzi

When Private Events Become Public Infrastructure: What Celebrity OSINT Teaches Security Leaders

Colorful laptop

Organizations Think They Know Who’s Visiting Their Sites. They Don’t.

Glasses in front of coding on screen

5 Ways Quantum and AI Will Rewrite the Rules of Cyberattacks

Kaseware sponsored webinar
Schneider Electric sponsored webinar

Events

August 25, 2026

Critical Infrastructure Security Is National Security: Protecting Essential Operations in an Era of Escalating Risk

LIVE: August 25, 2026 at 2 PM EDT Learn why critical infrastructure security has become a national security imperative, and the strategies organizations can adopt to improve visibility, collaboration, and response across their security operations.

August 27, 2026

Leveraging AI & Mobility to Advance Your Security Domain

LIVE: August 27, 2026 at 2 PM EDT Explore how AI-driven cloud security solutions can elevate your security domain enhancing threat detection, streamlining operations, and delivering the resilience modern organizations demand.

View All Submit An Event

Products

Security Culture: A How-to Guide for Improving Security Culture and Dealing with People Risk in Your Organisation

Security Culture: A How-to Guide for Improving Security Culture and Dealing with People Risk in Your Organisation

See More Products


Alertmedia sponsored webinar

Related Articles

  • SEC0521-ESRM_Feat-slide1_900px

    Putting your faith in Enterprise Security Risk Management (ESRM)

    See More
  • CSO roundtable of ASIS International releases survey and white paper on enterprise security risk management

    See More

Related Products

See More Products
  • security culture.webp

    Security Culture: A How-to Guide for Improving Security Culture and Dealing with People Risk in Your Organisation

  • 9780367339456.jpg.jpg.jpg

    Cyber Strategy: Risk-Driven Security and Resiliency

  • Risk Analysis and the Security Survey, 4th Edition

See More Products

Events

View AllSubmit An Event
  • April 21, 2026

    The Blind Spot in Enterprise Security: Managing Workforce Risk Post-Hire

    ON DEMAND: Organizations monitor their networks and systems for risk, yet people with legitimate access are often the least monitored part of the model. Discover a Workforce Risk Intelligence Framework that adds a dedicated layer focused on workforce risk.
View AllSubmit An Event
×

Sign-up to receive top management & result-driven techniques in the industry.

Join over 20,000+ industry leaders who receive our premium content.

SIGN UP TODAY!
  • RESOURCES
    • Advertise
    • Contact Us
    • Store
    • Want More
  • SIGN UP TODAY
    • Create Account
    • eMagazine
    • Newsletter
    • Customer Service
    • Manage Preferences
  • SERVICES
    • Marketing Services
    • Reprints
    • Market Research
    • List Rental
    • Survey/Respondent Access
  • STAY CONNECTED
    • LinkedIn
    • Facebook
    • YouTube
    • X (Twitter)
  • PRIVACY
    • PRIVACY POLICY
    • TERMS & CONDITIONS
    • DO NOT SELL MY PERSONAL INFORMATION
    • PRIVACY REQUEST
    • ACCESSIBILITY

Copyright ©2026. All Rights Reserved BNP Media, Inc. and BNP Media II, LLC.

Design, CMS, Hosting & Web Development :: ePublishing