Brown's Sherry says sometimes the challenge is making headway in a culture that doesn't always understand the issues around risk. Sherry, who has been in IT management for 20 years, first became interested in security during the Y2K scare over a decade ago. In his four years with Brown, he has seen his role become much broader and more focused on risk management and compliance, and it now includes areas such as "records management, copyright law, all kinds of things they throw at me," he says. But while the university increasingly puts value on security and risk management, Sherry still finds it tough at times to make the case for investment.
"The challenge in higher ed is creating relevance for the security mission and the privacy and compliance mission," says Sherry. "It's making sure the university understands the implications of not following best practices and regulatory mandates."
As Sherry's experience shows, selling security has always been difficult. So one of the goals of ERM programs is to give security managers a quantifiable set of metrics that help clarify the case for investing.
"As I have defined it and as I implement it here, I have a risk chart that lists our top 20 risk cases in order of significance to the organization," says Treece. "I use this to then determine what gaps we have between this list and efforts to address those risk cases. Where we need to do more, I use [the chart] to influence the budget process, to reduce or transfer the risks we find to be unacceptable."
In order to succeed in ERM-driven environments, CSOs and CISOs agree that security managers need to bone up on business skills--nothing surprising there. Communicating with the executive management team (which is engaged in 86 percent of respondents' ERM programs) takes a new level of business understanding among security pros.
"In the last decade, it's been helpful to have a business discussion using risk terms. And business leaders have gravitated toward it," says Agcaoili. "In security, there is always a new problem, and risk management has allowed me to identify risk based on issues or findings, develop what the risks are, and then prioritize and work with the business to actually invest in that."
"I work with a lot of other CSOs from banks, from universities, from all over," says Treece. "We are all different; we have different cultures and budgets. But we all have the same basic requirements to secure the business defensively in an affordable way. In order for that to happen, security people today need to learn to speak business."
Sign up for CIO Asia eNewsletters.