No one knows what to make of ESRM. The Enterprise Security Risk Management philosophy had been lurking on the periphery of mainstream security practice since the early 2000s, when ASIS International, ISACA and ISSA created the Alliance for Enterprise Security Risk Management. That group generated a few reports and then fizzled out.

ASIS picked up the mantle again several years later, when the CSO Roundtable (now CSO Center) published a white paper and survey results on the topic. Some thought leaders published articles on ESRM and a book even emerged. Still, it didn’t stick.

In the summer of 2016, ASIS took its boldest step yet, forming a Presidential Commission that created the apparatus for embedding ESRM into ASIS’s standards and guidelines, programming, content and, eventually, certification. (Full disclosure: I was the ASIS staff officer responsible for ESRM.)

Among ASIS’s accomplishments since that time was the creation of an ESRM guideline. Outside the walls of ASIS, Brian Allen and Rachelle Loyear addressed the dearth of ESRM literature by publishing an extensive overview of the topic as well as a hands-on practitioner’s guide. And a group of ESRM pioneers and stalwarts stood up a small association called the Global Security Risk Management Alliance.
