Security Risk Management: What percentage is management, security or risk?

Tony Ridley, MSc CSyP MSyI M.ISRM

From the point of need, inception or design, all the way through implementation to the delivery of security as a service or outcome, just how much is made up of security, risk or management?

That is, if what is being done or claimed is security risk management, precisely what percentage is security, risk or management?

Critical reflections and critiques of security as an industry, profession and practice lament that more management and management activity infuse routine business activity than either risk or security.

In other words, things, widgets, services and technology are made with little bona fide security or risk input (including trade-offs and decisions), then managed.

Firstly, security lacks a single, universal definition or accepted level of quality, let alone competence.

Public security is not private security, which is different again to commercial or corporate security.

In short, which 'security' do you have, pursue, manage or apply?

Answers to these questions are often not considered or analysed with any degree of rigour until there is a failure, incident, public outrage or catastrophic failure of either risk or security.

Notwithstanding, security may be a transient concept or application, represented differently each hour, day, week or month.

Ironically, more analysis, time and resources are likely assigned to understanding and improving operational activity, marketing expenditure or other financial verticals.

Focus on security is routinely constrained to cost reduction, economic restriction or investment rationalisation, without ever understanding or evaluating security or risk as an output or product of those efforts.

In other words, if you don't know what security is, it is easy to cut the costs associated with it, because the outcome and impact are never seen, especially under conventional accounting or P&L approaches.

Self-insurance, insurance and panic purchasing (ask the cyber security professionals about this in recent months) AFTER the fact, event or breach still dominate the appearance and support of security and risk management initiatives.

In sum, enterprise security risk management remains a compound expression of disparate terms, comprehension and application in just about any organisation.

Each word, vocation and activity is typically not equally represented and routinely not analysed as to what percentage each term (security, risk or management) represents within the organisation, business unit or enterprise.

Money, spending, people, toys and widgets are not representative of security but remain coarse units of measure for security in most organisations and business practices.

In short, security risk management is much easier to write or assert than it is to measure.

As a result, few do so adequately, but trade on the assurance and safety of declaring to shareholders, managers and those affected that 'all is secure', when in fact it remains unmeasured and unanalysed at any degree of granularity.

Tony Ridley, MSc CSyP MSyI M.ISRM

Security, Risk & Management Sciences
