From convergence to ERM

I’m big on cooperation. I’ve been part of organizations large and small, from companies to churches to chess clubs, and have observed lots of different leadership styles. The style that resonates with me, and the one that seems to get the most out of the most people, is one that fosters collaboration and mutual support. People pitching in across multiple disciplines can help each other solve problems faster and more creatively. Crush your competition, but collaborate with your co-workers. One plus one equals three.

So there’s my bias, right up front.

With that noted, here’s the view from my chair:

Convergence was a step on the road to enterprise risk management (ERM). ERM is a step on the road to true business enablement.

There was a period around 2004-2005 when I firmly held the belief that the information security and corporate and physical security departments should report to one CSO, categorically and without exception. The idea of cooperation made too much sense for this to be a fad.

Well, cooperation yes; cohabitation, not necessarily. I’ve long since dropped the dogmatic, org-chart-based view; if you look at our Basics of Physical and IT Convergence article, you’ll see that by 2006 we had already shifted our use of “convergence” to explicitly mean “formal cooperation between previously disjointed security functions.”

More on Enterprise Risk Management and security convergence

• ERM: Get started in 6 steps
• Turning ERM strategy into specific systems projects
• The CISO’s new focus: IT risk
• To security convergence (and back): Dismantling a department

No dictates about how that’s accomplished, just the insistence that bridges must be built to serve the business. One plus one equals three.

Over the next several years, ERM gained more currency in security discussions, or perhaps vice versa. ERM demands even broader communication and connection across functions, including HR, finance, continuity, and marketing.

It’s not fundamentally different from convergence. It’s convergence-plus. The trajectory that led from convergence to ERM is crystal clear.

And ERM has the huge advantage of being a term accepted by mahogany row. (Whereas “security convergence” means absolutely nothing to anyone outside of security.) The economy’s meta-infrastructure—Boards of Directors, the Securities and Exchange Commission, things like that—may define risk management differently, but they increasingly accept its necessity.

Security has to seize on this opportunity. Squabbling about who reports to whom or who makes more or who’s a geek or who’s an ex-cop (this argument is old and tired) is pure drag on the momentum within your own organization and across the entire profession.

It’s wonderful and productive to see the Information Systems Security Association and (ISC)2 collaborating with ASIS. It’s most excellent to see security professionals expanding their knowledge and their LinkedIn connections totals. Great to see service providers on both sides of the coin taking a more complete view of their customers’ challenges.

Let’s engage with our colleagues in ERM and see how it ultimately connects us to business enablement, the mature phase of security leadership’s evolution.