Is risk part of security? Is security part of risk? Those two terms are often confused one for another, used together and interchangeably in the same context. And yet, they are not the same. Not at all.

Definitions

A good starting point in our discussion is defining the terms.

• Security is a concept that aims to protect against actions/situations that will cause failure or deviation from the intended functioning.
• Risk is a concept that aims to avoid exposure to harm.

For example, to be secure at a personal level, you should learn self-defense techniques and wear body armor. To be risk-conscious at a personal level, you should avoid walking in the dangerous areas of the city. To be secure at an enterprise level you should learn application security testing techniques and install firewalls. To be risk conscious at an enterprise level, you should follow regulations to avoid paying penalties for compliance-violation.

Those differences in definitions between risk and security have practical consequences. One of them is:

Risk and Security Organizational Structures

Who handles risk and Security in the enterprises? Well – two different organizations, different reporting structures. At an enterprise, security issues are managed by the Chief Information Security Officer (CISO). Typically, CISO reports to a Chief Information Officer (CIO).

Risk issues are managed by Chief Risk Officer (CRO) and Chief Compliance Officer (CCO), which might be a combined position or two separate ones. Typically, CRO/CCO report to the Chief Operating Officer. This is not a bureaucratic whim, but a reflection of differences. And that list of differences continues.

Variety of the Markets

There is a stunning difference between the number of markets in risk and security spaces.

The security space consists of several mega-markets, such as: Identity and Access Management, Network Security, Data Security, End-Point Security, Application Security, Cloud security.

Each mega-market consists of numerous technology markets, e.g.:

Application Security includes markets such as: SAST, DAST, SCA, WAF, ASPM, ASRTM, Application Shielding, etc.

Data Security includes markets such as: CASB, Cloud Data Protection Gateways, TLS Decryption Platform, FP-Encryption, DLP, Data Discovery and Management., etc.

Network Security includes markets such as: Network Firewalls, Secure Web Gateways, Network Access Control, SASE, NSPM, ZTNA, NDR, etc.

Cloud Security includes markets such as: CWPP, CSPM, Serverless Function Security, Container and Kubernetes Security, etc.

The total number of security markets is measured in dozens. It makes the number of participating vendors measured in many hundreds, if not in thousands.

The risk space is much less populous: few markets, fewer vendors. We can point to markets such as: Integrated Risk Management Solutions, Enterprise Environmental, Social and Governance Software, IT Vendor Risk Management Solutions, Regulatory Change Management Solutions, Third-Party Risk Management Solutions, Ethics and Compliance Management, Enterprise Legal Management, Contract LifeCycle Management. All together - they represent just a fraction of the variety of security markets.

Growth Rates

The security space enjoys higher growth rates than the risk space. Leading market-analyst firms estimated that Application Security and Cloud Security will grow at a rate between 22% and 25%, Data Security: 13% -18%, Identity and Access Management: at around 12%, while Integrated Risk Management – at a rate slightly above 8%. In absolute numbers, within the next several years, the Integrated Risk Management market will reach a size of around $9B, while security markets – above $160B. Such differences deserve special attention and a separate conversation.

Conclusion

It is evident that risk and security expose very different characteristics across many dimensions, which raises questions, such as:

• Why are they so different? Why is security so much more diverse and rapidly growing compared to risk?
• Is there a need to bring them (e.g., their diversity and growth indicators) closer? Is it possible? Does it make sense, and if so, by what means?