Enterprise Security Risk Management, or ESRM, seems to be the new buzzword across the corporate security ecosystem. Interestingly, any of us who have led its parent “enterprise risk management” (ERM) recognize “security” has been a component part of the enterprise risk management framework for well over a couple of decades, arguably more. Nevertheless, given the prudence of security leaders adopting an “enterprise-wide” perspective, there is renewed focus in this domain. Most security leaders are highly adept at the hard-skills aspects of administering a security program: policies, procedures, operational execution and technology among others. However, as you codify your enterprise security risk management strategy, are you giving the soft-skills elements their due attention?
Mention the name of the highly lauded management consultant Peter Drucker and many ears in the forest of leadership development immediately perk up. Drucker famously once said, “Culture eats strategy for breakfast.” This prescient warning was a signal to business leaders that corporate culture is far more determinative of success than the company’s strategic plan – and decades of abysmal mergers and acquisitions prove this. So what does this have to do with enterprise security risk management? Simply stated, because the same prescient warning also applies to the ESRM strategy in an organization!
I recently wrote an article for Security magazine entitled “Is Your Company’s Culture An Environment That Encourages Workplace Violence?” that explored the ostensible nexus between corporate culture, work environment and the increased potential for workplace violence risk. In it, I used the definition of culture offered by Harvard Business Review: “cultural norms define what is encouraged, discouraged, accepted, or rejected within a group”.
A more simple definition might be “the way we really get things done and do things in our organization”. Now apply this definition to your organization. What are the cultural norms in your organization? How do the realities of your cultural norms, not the ones espoused, define what is truly encouraged, discouraged, or acceptable, unacceptable?
Push beyond the hard skills stuff like execution of policies and procedures to realistically evaluate the norms of behaviors, people interactions, espoused corporate values: is there clarity on what is actually valued? Consistency? Accountability? Enforcement? Engagement? What about a commitment to improvement? The “softer” elements of cultural norms will be highly determinative of whether your strategy in enterprise security risk management has any hope of being viable.
While a CSO, I often said to my leadership team, “We can develop the best security strategy in the world, and if our culture isn’t going to let it happen, it will absolutely fail in its attempt at implementation”. I have personally experienced culture eating security strategy – and have the scars to prove it, despite prior success as a seasoned and diversely skilled leader.
If your company culture is one where non-compliance and non-enforcement of policies is the norm, do you really think your new access control or visitor management policy implementation is going to succeed? Probably not.
With the foregoing considerations in mind, an absolutely essential and preliminary element in developing your ESRM strategy framework is to begin with an audit of your company’s culture. At this point, you may be wondering how am I supposed to do that? On its face, such a task may seem daunting. However, in all probability, you are already in possession of all types of data and intelligence to quantify and qualify how cultural norms may eat your strategy!
Begin with developing an insiders approach within the security function by gathering data from your own sources: dashboards, operational metrics, incident and investigations data, technology issues and findings and beyond. Trend those out over a period; say a three-year historical lens. What trends emerge? What do all these data points tell you about the cultural norms? Are there hot spots – and if yes, where? Are people being held accountable for causing security issues, creating vulnerabilities? Does root cause analysis suggest that there is a lack of clarity in policy – or why a particular policy matters? All these data points serve to provide the leader with tangible insights on the cultural norms around security matters - which can serve to inform critical elements for developing out an ESRM strategy. From this, a leader can reasonably extrapolate likely areas of success and equally trip wires that will require greater attention to influence the shifting of cultural norms related to security.
As important is to conduct a broader scan of cultural norms. The former questions can be applied outside of the security lens. A great starting point can be obtaining all focus group or employee survey data from your HR business partners. Assessing the pulse of the organization from these data sets can be very helpful and serve as a reconciliation point for your own security culture data analysis. Do they align? Where are there disconnects? How might you solve for them and are those solutions even viable in the current environment? Which other leaders can help you influence a shift?
Taking the time to acquire and understand such cultural insights - and interpolating them with your security program planning – can be very helpful to the development of an ESRM strategy and making an early determination on whether your preliminary ESRM strategy may be eaten by your company’s culture. I look forward to hearing from our readers about your own successes, failures and insights.