THE INFLUENCE OF SECURITY RISK MANAGEMENT | KEY FINDINGS | OVERVIEW AND RECOMMENDATIONS

Key Findings from
THE INFLUENCE OF SECURITY RISK MANAGEMENT
Understanding Security’s Corporate Sphere of Risk Influence

OVERVIEW AND RECOMMENDATIONS
The 2022 study investigated the complex issue of the level of influence that security risk management (SRM) holds within the corporate context. Security risk management has a long history and broad acceptance as an essential organizational activity for achieving business objectives. However, the degree of decision-making influence achieved by security professionals is poorly understood, with many corporate security managers and executives anecdotally reporting low levels of corporate influence in managing security threats. Consequently, this study undertook a research-informed approach to the question of corporate security’s current sphere of risk influence, to establish an initial understanding of the influence security’s risk message has across various organizations.

The study objectives were to identify professional barriers to achieving effective influence and to uncover recommendations that may assist security professionals to achieve stronger risk influence when advising corporate decision makers. Researchers anticipated that study participants would provide narratives describing the initial barriers to influence they encountered and how they overcame them to achieve robust influence. What emerged instead was a clear narrative that corporate security lacks influence outside of environments where security is mandated, and that where security is legislatively mandated it operates with a compliance focus rather than as a valued risk-reduction business enabler. The study found that security risk management has a technically focused, narrow sphere of corporate risk influence, and uncovered key findings affecting security risk management influence, including the key requirement to identify, understand, and integrate into the organizational risk context.


RESEARCH APPROACH

This report is the result of a literature review of organizational management publications; a comparative analysis of risk management standards, guidelines, and instruments; and 11 focus groups in which corporate professionals from across the world provided insight into the findings based on their own experiences.

The literature review interrogated seminal management, socio-organizational, and security and risk management texts to respond to the question: What management theories are relevant to the positioning of corporate security within the organizational setting? The literature review provided the framing for what security risk management should be according to seminal management theories.

The comparative analysis of the risk management standards, guidelines, and instruments investigated structural and thematic similarities and differences between the differing types of standards, allowing for a thorough understanding of how the standards work, their focus, and their application. Asking the question What is the current published approach to SRM? and building on the findings from the literature review, the review of the standards highlighted what best practice could be. However, the thematic analysis also revealed the limitations of these tools.

The 11 focus groups consisted of 25 international security and risk professionals and corporate executives. The professionals interviewed included past and present CEOs, CISOs, CFOs, and CROs; facilities managers; security managers; project managers and consultants; security and nonsecurity consultants; and government engineering and security consultants, drawn from around the world and from varying managerial echelons. The participants responded to questions developed through the previous research stages, ultimately responding to two questions: What is the perceived corporate influence exerted by the SRM professional? and How can SRM more effectively influence corporate decision making?

The focus groups uncovered the experiences of industry professionals and organizational executives, identifying the disconnect between professional reality and best practice as described in the literature and professional standards. The focus groups compared, discussed, and analysed what security should be, what it could be, and what it actually is, highlighting the limitations and barriers to security risk influence as well as opportunities for enhancement.

KEY FINDINGS

FINDING ONE: THE SPECIALIST VERSUS THE GENERALIST

Security is a technical, specialized activity, and as such it holds lower influence than the broader generalist activities of other managers. As an area of technical specialized activity, security is considered a business enabler. This specialization means that at a corporate level, security has a constrained degree of influence when compared to general managers who work across multiple business activity areas and demonstrate higher degrees of business influence. While security’s operational activities span the organization, its risk management diagnosis activities are siloed, giving an impression of broader influence than it actually achieves at senior decision-making levels. The study found a disconnect between the literature and the industry perception of the organizational positioning, and subsequent influence levels, of organizational security.

FINDING TWO: ORGANIZATIONAL LEADERS SEE SECURITY AS AN OPERATIONAL RISK CONCERN, WITH LIMITED STRATEGIC IMPLICATIONS

The study found that corporate risks considered by, and under the influence of, executives with broader influence than security have a higher


potential impact at the strategic levels of the organization, as do risks with a higher dread factor. Executives often see security as focused on the operational levels of risk impact. This means security professionals have less influence across broader corporate decision making, and places security lower in the organizational and risk hierarchy than other areas of risk concern. For security to have stronger weighting in its risk message, security professionals must communicate how security events impact the strategic objectives of the organization.

FINDING THREE: ENTERPRISE SECURITY RISK MANAGEMENT IS NOT YET ACHIEVED

Security professionals expressed the view that the operational nature of security risk resulted in lower feelings of dread about security risks when compared to some other business risks. As a result, organizations reject security risks as enterprise-level risks. The exception is cybersecurity threats, which had a high dread factor among corporate executives, who in turn considered cyber threats a strategic-level risk. To overcome this, security professionals need a clear understanding of the broader categories of organizational risk (the risk taxonomy), including third-party risks, capital management, and government oversight concerns, and of how security impacts and integrates with such risk concerns.

FINDING FOUR: SECURITY PROFESSIONALS NEED TO ENGAGE BETTER WITH CORPORATE DECISION MAKERS

Security, along with other risk disciplines including safety, business continuity management, and crisis management, has drawn on similar thematically structured models, captured as standards, to guide and document its specific risk diagnosis tasks. However, such models in their current structures lack explicit directions to identify, engage, and communicate directly with key decision makers. Instead, they focus on broad process rather than recognizing the significance of the decision maker in the organizational structure and management strata.

The study found that security risk models and their usage require adjustments to fit the structure and strata of corporate organizational risk. Focus group participants saw current security risk models as insufficient, incorrectly assuming that the decision maker in the process is the security manager. In general, higher-level executives act as risk treatment decision makers, while security managers act at the point of treatment implementation. Due to its hierarchical standing, the security function often lacks awareness of broader organizational activities and of the context that affects the organization’s risk appetite.

Security can achieve better influence through more explicit engagement with general-manager-level decision makers at key touch points during its assessments.

FINDING FIVE: SECURITY RISK DIAGNOSIS AND SECURITY RISK TREATMENT ARE NOT A SINGULAR ACTIVITY AND SHOULD BE PERFORMED AS SEPARATE DECISION PROCESSES

Most published risk standards steer assessors from assessment (diagnosis) straight on to treatment identification and implementation. However, due to organizational structure and management-level positioning, security is often not the corporate decision maker. Security often does not hold the authority required to move into the treatment stage without prior approval from higher-level managers who allocate financial resources. This often means that recommendations provided to the decision makers are based on assumptions about risk appetite, capability, and resource availability—economic decisions outside of the security department’s remit.


FINDING SIX: ORGANIZATIONAL CONTEXT HAS A SIGNIFICANT IMPACT ON SECURITY’S RISK INFLUENCE

Influence is impacted by organizational context, notably when security resourcing and implementation are mandated within a compliance-directed, regulatory environment. For instance, personnel security vetting is accepted and standard practice because it is legislated and audited—there is a mandated and collective agreement on its importance, and therefore security influence. Focus group participants acknowledged that security risk management often does not form part of a regulatory framework; the implementation of security programs within a self-directed environment therefore results in security risks being prioritized behind compliance-driven concerns, with reduced influence as the outcome.

FINDING SEVEN: SECURITY AS A BRAND LACKS PROFESSIONAL RESPECT, COMPARED TO TRADITIONAL PROFESSIONS

The study uncovered a perceived degree of professional disrespect for corporate security. Many participants acknowledged that security professionals often learn their business through policing or military careers, as opposed to formal university education. Participants noted that professional certification on its own does not engender, at senior levels, the same respect as formal university education. It was therefore expressed that fostering the security “pracademic” is key to developing appropriate business skills and respect, coupled with security industry certification, practical experience, and individual expertise. While the research indicated this is changing, such change was seen at the individual level rather than culturally at the industry or sector level, resulting in a perception of an educationally inferior profession.

FINDING EIGHT: LANGUAGE IS A SIGNIFICANT ISSUE WHEN COMMUNICATING MESSAGES OF SECURITY RISK

The plethora of general and security-specific risk management models has resulted in a lack of clarity around risk terminology and language, both across the industry and at an organizational level, further impacting security’s sphere of influence. Consequently, communication of the security risk message is a key factor in organizational influence, especially the ability to foresee, but more importantly to understand (through such theories as psychometric dread) and effectively articulate (through such methods as business impact analysis), the risk impact to the organization. Focus groups showed that the ability to communicate the link between the operational nature of security risk and comparable strategic business impacts was the most effective means of gaining influence. Security professionals can achieve better influence by translating security risks into business language, using business metrics for senior decision makers and boards. It was noted that it is not the role of boards to understand security, but security’s role to communicate to the board.

FINDING NINE: INFLUENCE IS IMPACTED BY CHARACTERISTICS OF THE INDIVIDUAL

Security, as an area of technical specialized activity, does not exert the degree of corporate influence experienced by other business areas of technical specialization such as law or accounting. However, individuals themselves can achieve very high levels of influence through personal leadership, where influence is best considered on a continuum and is a convergence of an individual’s education and experience, personality facets including communication skills, and the organizational risk context in which they operate.


RECOMMENDATIONS

The findings led researchers to make four practical recommendations, designed as actionable steps for security professionals to improve their organizational and risk comprehension, identify their limitations and barriers, and then work within those constraints to change working practices and maximize organizational influence.

To achieve better corporate influence, security professionals should consider:

• Aligning their risk management work directly to the broader organizational risk hierarchical framework. For security professionals to clearly, concisely, and accurately inform decision makers about their risk message, they need to ensure this message is aligned to the precise business risk context and communicate their findings in exacting and comparable business terms using business metrics. Security professionals should seek to understand the organizational risk taxonomy, formally published or otherwise. This approach will enable business leaders to fully comprehend and align all business unit assessments for comparable decision making.

• Using risk models that use distinct and separate messaging tools for the different stages of the process: for example, a business impact analysis for the risk identification, assessment, and evaluation stages, and a cost-benefit analysis and decision comparison recommendation for the risk treatment identification process. This approach would mean models explicitly incorporate or acknowledge the need for higher-level management decision making and direction to take place as part of the formal security risk management activity, rather than omitting key decision-making criteria and stages and delivering just the treatment suggestion message.

• Engaging with renowned business schools and associations through membership and educational opportunities, to learn business metrics and language, while also communicating and embedding understanding of how security contributes to corporate success across all levels of business. It is only through such engagement that the benefits of enterprise security risk management can be communicated to and valued by general managers and boards.

• Embracing formal registries for members who hold recognised tertiary degree qualifications as a mandatory requisite. This approach would enhance and reinforce the status of the registered security professional, overcoming disrespectful negative perceptions of educational inequality.

This is part of a series of nine short synopses; this paper explores the findings of an ASIS Foundation study conducted by Dr. Michael Coole, Nicola Lockhart and Jennifer Medbury of Edith Cowan University in Australia in 2022.

The ASIS Foundation, an affiliate of ASIS International, helps security professionals achieve their career goals with certification scholarships, practical research, member hardship grants, and more. The Foundation is supported by generous donations from ASIS members, chapters and organizations. Online at www.asisfoundation.org.
