CISO Round-Table – Empowering the C(I)SO with Enterprise Security Risk Management
Enterprise-level security management is becoming the indispensable, next-generation approach to shaping the security function’s strategy, risk and compliance mandates, and an efficacious aid in avoiding control gaps by interlocking an enterprise’s security organization, people and processes.
As recent headlines amply show, such an approach commends itself to private and public organizations alike. The management convergence of all security disciplines – cyber, information, physical, personnel, event, executive/board room/TSCM, travel, awareness and others – will therefore be key to mastering today’s and tomorrow’s multi-vector and increasingly interdisciplinary security challenges. Pursuant to ASIS’ Enterprise Security Risk Management (ESRM) philosophy and best practice, the point of departure on the road to establishing a comprehensive security management system is an organization’s maturity vis-à-vis the ESRM approach and the convergence of security disciplines that lies at its core. Organizations that run individual security disciplines in quasi-autonomous silos are not only likely to open up new attack vectors in the figurative cracks between those silos; they also drive an undue imbalance between the disciplines. Such a state of affairs has demonstrably created new attack surfaces for internal and external adversaries.

In Switzerland and other advanced economies, it is typically a highly mature IT-security function that exercises its mandate adjacent to, and relatively unaware of, other security disciplines, whose existence it may have noted only on the organizational chart. This ubiquitous imbalance between siloed security disciplines – with at times wildly differing maturity levels and a complete lack of coordination amongst them – offers uncounted opportunities that can be exploited by a perturbing array of malicious actors.