John McClurg, vice president and CSO of Dell, says in recent years he has seen a lot of evidence of ERM in Fortune 100-level companies, "but not so much in smaller companies, and that is the majority of businesses in the country."
William Mabon, director of the cybersecurity product portfolio for BAE Systems, is among those who are not involved in ERM. He says that while he and his firm's clients, which are mostly in government, are very focused on protecting data, "as opposed to going through exercises that are designed to pass through audits," he does not hear much talk about ERM with those clients.
"It is not a buzzword that we're living and breathing every day," he said.
Cowperthwaite believes the stumbling block is not a lack of understanding, but rather an all-too-clear understanding of how hard ERM is to do.
"If you do qualitative risk management, it leaves an amazing amount of room for people to argue," he said. "When I say something is high risk, the CEO might look at me and say, '[An impending merger] is high risk. What you're talking about is moderate.'"
But then, some experts say ERM is not the way to go anyway. Douglas Hubbard, CEO of Hubbard Decision Research, even wrote a book about it, The Failure of Risk Management, in which he poses three questions: Do these risk-management methods work? Would any organization that uses these techniques know if they didn't work? What would happen if they didn't work?
Hubbard argues that the answer to the first two questions is "no," and that the answer to the third is that there could be catastrophic consequences for a company or its customers.
Richard Stiennon, chief research analyst at IT-Harvest, contends that ERM simply doesn't work. In a recent Facebook post, he proposed the following title for a course on ERM that he was about to teach at the National Defense University: "No one ever got fired for implementing a risk-management program, but they should be."
Stiennon says that "as an industry analyst and adviser to some of the largest organizations in the world, I have seen them start to move away from risk management to threat management."
Francis Cianfrocca, CEO of Bayshore Networks, agrees.
"With risk-management best practices, you're not really protecting yourself. Enterprises need protection rather than risk management."
Of course, advocates of ERM contend that it is all about protection: evaluating what kind of protection is needed based on the kind of risk and the amount of damage it could do to an organization.
So maybe before we can discuss the progress and even worthiness of ERM, we need to refresh everyone on what the definition of ERM is and what some of its core goals are. Most CSOs would agree with Spivey that it starts with a holistic view of all risk that an organization may be exposed to, including operational, brand, financial, physical and, of course, information security.