How often in our industry do we fail to capitalize on examining our enterprise and delivering the full measure of our findings? How often do we as practitioners neglect the value we could actually present, out of political expediency? For security leaders and practitioners alike, identifying and dealing with the “risk” problem for their respective clients and organizations can be a complicated and complex request. However, in today’s economy it is essential that security leaders know and understand what can compromise the success of their organization in order to formulate a concise and comprehensive security strategy. Necessity dictates that direction be given to analyzing a situation, and then having the fortitude to assist leadership in determining whether or not any potentially associated risk is acceptable to the organization.
If the past fifteen years have taught us anything, it is that any type of risk is possible: current political polarization; attacks on law enforcement; the incidents in Paris and Brussels; Hurricane Sandy; the earthquake and tsunami in Indonesia and Japan; the financial meltdown; and, ultimately, starting off the 21st century, 9-11. These events have been lessons in expecting the unexpected. It is, therefore, necessary that we embrace an Enterprise Risk Management (ERM) approach whereby the risk and security department is the champion of communication, collaboration, leadership and teamwork. Understandably, no risk management system can detect or predict everything.
However, we are at a crossroads in the overall process of comprehensive risk, threat, and vulnerability assessment. Understanding that this is an essential aspect of Enterprise Risk Management is crucial. The confluence of operational security, information security (cyber, digital, and information security risk), and physical security compels organizations and their respective security departments to take a more holistic approach to ensuring that all hazards, threats, and risks are identified, evaluated and addressed. Organizations must change their mindset. Security Risk Management still holds a predominantly “physical” tone in most organizations. IT security risk management has received considerable attention over the past decade. Operational Technology security risk management is almost non-existent. There is no integrated approach to managing critical risk infrastructure.
Organizations have been steadily consolidating all risk management functions – data collection, analysis, and prevention. Doing this allows for clarity in determining all possible ramifications of the threats and risks posed (clip from The Global Risks Report 2016). Having the ability to assess a company's complete risk position is more imperative today because more stakeholders require more data. The Board of Directors, the C-suite, controllers and examiners demand access to consistent, reliable, and real-time information on emerging risks and trends. This information provides a better roadmap for fulfilling organizational obligations, determining risk acceptance, and setting the appropriate policy.
The pursuit is to advise and assist organizations in removing inefficiencies and in deciding whether or not to accept risk. That advice rests on cultivating a unified security strategy and master plan, endorsed through a comprehensive risk, threat, and vulnerability assessment program that is flexible, scalable, and innovative.