ERM: Old concept, new ideas
Enterprise risk management may be old hat, but some CSOs are using it in innovative ways. Here's how it can bring your security program into the future
July 29, 2013 — CSO
Enterprise risk management (ERM) is hardly new. Eric Cowperthwaite, CISO at the nonprofit healthcare organization Providence Health and Services, recalls hearing the term for the first time in the late 1990s, "and it existed before then, even if we didn't call it that," he said.
Indeed, the term goes back several decades, according to Jeff Spivey, who is vice president at RiskIQ, president at Security Risk Management, and international vice president of ISACA.
"My father was involved in risk management beginning in 1968," he said. "What was then called 'risk management' is now called 'enterprise risk management.'"
John Shortreed, a member of the International Organization for Standards, which developed ISO 31000, one of the most prominent frameworks for ERM, says the framework has been "evolving and maturing over the last decade, in response to the increasing risks [in] our world" brought on by such varied factors as interconnectivity, climate change and economic upheaval.
But after all that evolution, it is still not close to being standard operating procedure in most enterprises. According to a 2012 customer survey by the Corporate Executive Board, 70 percent of respondents did not have a formal risk-appetite approach in place. Risk appetite is one of the fundamentals of ERM. Cowperthwaite is not surprised at those results.
"My perspective is that most security practices are foundationally compliance driven, even if they have a risk component," he said.
"The thinking of most CSOs is, 'There is some number of things I'm required to do. When I do them, I have a security program.'"
That doesn't mean nobody is doing ERM, he added.
"I could name a dozen CSOs who are really involved in their businesses and doing great ERM," he said. "But I could also name more than a dozen who are basically just keeping in compliance — keeping the firewalls in place. I think if we were to survey the industry as a whole, we'd find the 20-80 paradigm, where only about 20 percent really understand what their business is about so they can make the case for managing risk."
Not everybody thinks the divide is that great between those practicing ERM and those focused on compliance — often derisively called "checking-the-box security." Chris Wysopal, co-founder, CTO and CISO of Veracode, says he is seeing more of his security peers "performing threat modeling based on the way their business works and what is going on in the threat space."
In at least one sector of the economy — finance — there is strong evidence of risk management taking hold. The Wall Street Journal reported in October 2010 on a Deloitte survey of 111 financial institutions that found 75 percent of them had a chief risk officer or an equivalent position, which is one of the core components of most ERM frameworks.