Enterprise Security Risk Management (ESRM): The 'Tower Of Babel' along with Competency, Experience & Knowledge
Ridley Tony
Experienced Leader in Risk, Security, Resilience, Safety, and Management Sciences | PhD Candidate, Researcher and Scholar
Enterprise Security Risk Management (ESRM) is more akin to a multi-story, multi-tenanted, high-rise apartment block than a single, 'neat' vocation.
Moreover, ascension and traversing of the skills complex requires many differing keys, qualifications and experiences.
In other words, much as in medicine, accounting, engineering and other specific disciplines, there are many doors and specialisations, but enterprise security risk management perhaps has far more subsets, knowledge pockets and requirements that someone close to the top needs to know about, coordinate and harmonise within any one organisation.
Therein lies the most significant challenge and undertaking of contemporary security risk management within any enterprise or business undertaking.
Most conspicuously, it is not something achieved with a 3-5 day course, certificate or even a diploma, specific to either security or risk management.
Figure 1: United States Department of Labour: Employment and Training Administration (2020) Enterprise Security Competency Model.
This "Tower of Babel" has been growing in complexity and diversity for decades, with much more complexity required over time, distance, business practices/operations, industries and cultures.
From an objective, standards and qualifications perspective, Tiers 2, 4 & 5 represent the required units of comparison and academic qualifications from one individual and department to another.
That is, specific, detailed, objective and verifiable education and qualifications are required for these tiers, along with evidence of learning.
It is simply not sufficient, nor a proxy, to claim experience or competency due to role or job title 'exposure'. They remain vastly different standards of comparison.
For example, you don't find doctors, nurses, engineers or lawyers asserting qualifications and verifiable competencies based purely on job titles, experiences or sub-bachelor's degree courses.
Paradoxically, you come across it all the time in both security and risk management.
As much as it pains individuals and organisations to hear (or accept), ascension from Tiers 1-3 should not reasonably occur without objective and specific security/risk management qualifications and education.
Ironically, neither the military, police nor government would permit ascension without educational evidence, which is precisely where many security specialists, practitioners and professionals originate from.
And no, these government and public roles are not proxies for qualifications, education nor are they universally transferable from public to private sector roles.
In sum, enterprise security risk management (ESRM) remains a multi-faceted, diverse and complex suite of competencies, qualifications and experience.
Moreover, it requires specific education, qualifications and verifiable knowledge practices in accordance with contemporary professional and technical practices.
It cannot be supplanted by experiential phenomena, roles, job titles nor past public service pedigree/s.
Conversely, education and qualifications alone are not the panacea for real-world, complex, fast moving and evolving business experience either.
Hence, the role, fulfilment and delivery of enterprise security risk management remains very demanding and dynamic, and requires life-long learning, not to mention personal and organisational resilience.
Tony Ridley, MSc CSyP MSyI M.ISRM
Security, Risk, Resilience & Management Sciences