Q&A
Jeff Spivey on Enterprise Risk Management
The former ASIS president explains the accelerating move to more comprehensive risk management models. (Part of the What Happens Next security predictions series.)
By Derek Slater
In the coming years they'll move from that into a strategic type of risk management, involving gathering more data regarding risk, aggregating it, analyzing it, managing it. And there will be more silos in the company brought into that whole conversation.
You mention insurance policies. How is the communication between the insurance risk management people and the security risk management people?
There's some progress there. The Alliance for Enterprise Security Risk Management, AESRM, did a presentation to the board of RIMS, the Risk and Insurance Management Society. Number one, we were inviting them into the alliance, and that's under consideration. But after the discussion, there were a lot of people saying, this is exactly the type of thing that we need—we need more understanding of types of risk and the different ways they would handle risks. They applaud that effort.
So there's headway being made. What has been lacking is a structure for discussion—and we were hoping the alliance may be an avenue if not the avenue for these types of discussions. It's not that the people who understand ERM and security's role in ERM are smarter than anybody else; it's just that they've been talking with more silos about it and understand that [broad perspective] a little better.
You can imagine a critical role in ERM discussions for privacy people represented by IAPP, fraud people represented by ACFE...
I think they could and should be included. At the end of the day, two things will happen. There will be champions within organizations who champion that holistic point of view, but they're still going to need a structure with which to have that conversation. Fortunately we are entering the technological age with social media, wikis, and other technologies that will enable those discussions to start maturing the ideas, either within a particular company or across the entire industries that are involved.
Let's say I'm a CSO and my company isn't far down the ERM road. Is there an effective analogy, a statement, what's the elevator pitch to the CEO to get the support?
In the growing economic challenges we're going to have, that conversation is important. Companies right now, in my opinion, are overspending for the risks they are managing. The reason is they are approaching it in the organizational silos that they have. So they're not only overspending for the risks that they are addressing, they're also overexposed to the potential losses that could occur because of the gaps [between silos]. They're inefficient.