Enterprise security risk management (ESRM) is the process of managing security using risk principles, coordinated with business leaders. ESRM is a strategic approach to security management that ties an organization’s security practices to its overall strategy using globally accepted risk management principles.
In the traditional security management process, the security professional does what is requested or directed and implements a security program. In the ESRM process, asset owners own the decisions about the security risk to the assets they manage. Those decisions are made with the involvement and guidance of security professionals as partners: together they identify risks, prioritize them, and establish mitigation steps and methods.
Under the ESRM approach, security professionals can allocate resources more effectively, the budget becomes more manageable, communication with stakeholders becomes easier, trust between security and asset owners increases, and security becomes better aligned with organizational strategy. It also supports early identification and proactive monitoring of a broad range of risks, and improves understanding through closer engagement with the stakeholders who have a vested interest in security risk and the security function.
Security professionals should proactively define and socialize their role with top management and asset owners, or risk having it defined for them; management and asset owners may otherwise hold a different understanding and weighting of security risks.
Security professionals who shoulder this role should find stakeholder relationships to be more positive, more valuable, and more based on partnership and trust.