Risk management and the security manager – a quick note

This post originally appeared on Quora in answer to the question “How does risk management fit in security risk management profession?” Link

How does risk management fit in security risk management profession?

Ideally, a security manager will use a risk management foundation for their security management system.  This will help integrate security risks into the organization’s understanding of its overall risk environment.  This focus also ensures that the security program is focussed on protecting the organization’s objectives which aligns with the ISO definition of risk:

Risk – the effect of uncertainty on objectives (ISO)

This focus on objectives is important as it moves security away from asset protection – which is where attention was directed traditionally – to ensuring that security efforts are properly aligned with the organization’s goals.

The security manager should be able to use standard risk management tools, techniques and processes when assessing their security risk.  Designing and implementing the appropriate mitigation measures will be threat and organization-specific – as it will be with every function in an organization – but the process followed should still mirror a standard risk management program.

Aligning security management with enterprise risk management (ERM) is a strategic objective of ASIS International, the professional organization for security managers. Developing an enterprise security risk management (ESRM) framework and mindset is a key focus of activity in 2018 which will enhance the support organizations’ get from their security management teams.  There is some trepidation around this and implementing an ESRM program will take some work but I think that a simple approach based on the core principles of ERM is very achievable and will drive significant benefits with minimum disruption. I wrote about implementing an ESRM program here for anyone interested in this topic.  

I started out as a security manager and developed a better understanding of, and appreciation for, risk management over the years.  Looking back, as my understanding of ‘pure’ risk management improved, so did my abilities as a security manager. So while not every risk manager is a security manager, every security manager should be a risk manager.


Good? Bad? Ugly? Tell me what you think.