Q&A
Jeff Spivey on Enterprise Risk Management
The former ASIS president explains the accelerating move to more comprehensive risk management models. (Part of the What Happens Next security predictions series.)
By Derek Slater
The inefficiency can be changed, but it takes a sea change in culture and understanding within a company, within a government, within entire industries, to make that happen.
You could argue that the creation of the Department of Homeland Security (DHS) was an attempt to do this, to break down silos and get the discussion going. Of course there are critics of everything, but DHS seems widely regarded to be not accomplishing that aim, at least not yet.
I'm also a proponent of the idea that ERM is less about hierarchy and more about process integration. So the command-and-control structure and the possible silos that may exist in a DHS, or any other government entity or even big business, are a lot of times what restricts that process integration.
Back to the elevator pitch. So the pitch is: 'Boss, we're going to lower our risks and spend our money better, and the first thing I need from you is the commission to gather a group to start capturing a list of all our risks.'
The CEO and CFO will innately understand the idea; they just might not yet know what the answer could be. So step one is, identify and then collectively prioritize the risks.
Then you can manage those risks in a number of different ways. There are five ways to treat risk: I remember it with REITA. You can Reduce a risk, Ignore it, Eliminate it, Transfer it, or Accept it. Every risk can be treated in one or more of those ways.
The other thing that's happening is, ERM is getting a lot more attention at the Board level. When Sarbanes-Oxley happened here, the Board members started understanding they could be liable for not understanding risk. There is now an impetus from the Board to understand the risks and how the risks are being managed.
And then in Europe, I've heard that some of the boards control the risk at that level. Not even at the C-suite. I don't know if that would really work here [in the US].