ASIS International is leading global change in terms of how Security Departments can better partner with other departments inside host organisations to drive value and make that value be more clearly quantified and understood by the owners of business units, assets and processes. The ASIS Board of Directors has determined that Enterprise Security Risk Management is a priority initiative in the Society’s global Strategic Plan. Here, Jeff Slotnick explains precisely why.
The stated goal of the Board is “to make ASIS members more effective security professionals and more valuable members of their organisations by enabling them to better identify and manage the various aspects of security risks they face… leading to an empowered membership, safer enterprises, a more strategic approach to risk and a more cost-effective security function.”
Last year, a Board-led Commission inventoried all of the Society’s Enterprise Security Risk Management (ESRM) content, identified several dozen subject matter experts from around the world and developed a framework to integrate ESRM into all ASIS products and services. In short, the goal was “to embed ESRM into the DNA of ASIS”.
Earlier this year, four Working Groups were established to begin implementing that vision. Those Working Groups cover the maturity model, standards and guidelines, education and certification and marketing band branding.
Already this year, an explanatory overview of ESRM has been drafted and a glossary developed. Draft ESRM guidelines will soon be in the offing. A special track of education sessions at the Global Security Exchange (or GSX, formerly the ASIS Annual Seminar and Exhibits) will address various aspects of ESRM. As attendees will learn, more and more practitioners are stepping up and sharing their stories about how, by using this approach, they’ve been able to reshape their Security Departments. One such story at UT Aerospace was the basis for a breakout session at the recent CSO Summit in Minneapolis.
The focus on ESRM is a global, volunteer-led project championed by ASIS International’s secretary John Petruzzi CPP and main Board director Tim McCreight CPP CISSP. It includes members from across the world, with input from James Willison, Stuart Hughes CPP and Mike Hurst CPP in the UK.
Ricky Davis, CEO of RICE Security and Consulting, said: “I’ve introduced and now use ESRM as part of my firm’s strategy when discussing Best Practice with prospective clients. In my view, ESRM is a great opportunity to apply realistic processes that have produced success. It’s important that we all continue to educate on the value of ESRM in order to ‘re-shape’ the learning.”
For those new to the concept, ESRM is a strategic security programme management approach that ties an organisation’s security practices to its mission and goals by dint of using globally established and accepted risk management principles.
Create an iterative process
In essence, the goal of an ESRM programme is to create an iterative process designed to manage security risks across all aspects of the enterprise. A fully-integrated ESRM programme will continuously assess all security risks facing the organisation, quantify and qualify threats to the business regardless of the vector, document and establish mitigation plans, identify and document risk acceptance procedures, document the ‘risk appetite’ of the organisation, manage incidents when they occur and provide root cause analysis procedures and reporting.
ESRM recognises that security responsibilities are shared by both security and business leadership, but that all final security-centric decision-making is the responsibility of business leaders. In today’s world, security practitioners often make these decisions without involvement by the owner, who might be the head of supply chain operations. The key role of the security leader in ESRM is to manage security vulnerabilities to enterprise assets as part of a risk decision-making partnership forged with the host organisation’s leaders in charge of those assets.
Managing the security decision-making process requires educating internal business partners on the realistic impacts of security risks to assets under their control, presenting potential security strategies to decision-making business leaders to mitigate those impacts and enacting business leaders’ security risk mitigation choices. This entire process is driven by business risk tolerance.
ESRM and security
A mature ESRM programme encompasses all aspects of security risk mitigation practices, including physical security, cyber security, information security, loss prevention, organisational resilience, workplace violence, fraud, threat management, brand protection, travel safety, business continuity and all other practices undertaken to prevent security risk impacts to the enterprise.
ESRM is not ‘convergence’. Convergence integrates IT and physical security under one team. Convergence may be an outcome of ESRM, but it’s not the same thing. Additionally, it’s not Enterprise Risk Management (ERM) as ERM manages all company risk that includes financial risk, process risk, legal risk and other risks beyond the scope of security expertise. ESRM is a component of ERM and uses a similar philosophy to manage security risks.
Identifying the business risks
Those invested in ESRM gain intimate knowledge of their organisation. This is accomplished by speaking with diverse stakeholders and learning what they consider to be important to them and the company. Additionally, professionals learn about their organisations’ business objectives. Through this process, they will identify the various risks which have a potential impact on the enterprise. Security then becomes a business enabler, helping the firm to achieve objectives and support its own legal responsibilities.
Security professionals become ‘aware’ of their own role in the organisation by identifying risks to the right executive and providing objective perspectives on the risk(s) involved. Ultimately, it’s up to the executive to decide what to do with risk. As security managers and ESRM practitioners we don’t decide to accept or address risks. We identify risks, advise the owners on risk and provide subject matter expertise during the risk management process.
With ESRM, organisations gain a risk-based view of the protection of the business across all relevant fields including business continuity, cyber risk and personnel vetting. This enables the creation of underpinning security structures which are both Best Practice in nature and defensible in the real world.
Global Security Exchange
If all of the above has stirred your appetite to learn more, you may want to give serious consideration to attending the 2018 GSX which takes place from 23-27 September at the Las Vegas Convention Centre. The GSX is the world-class education, networking and solutions marketplace the industry has come to know and value multiplied by a factor of X.
The GSX will be offering plenty of opportunities for education in ESRM. 12 of them, to be exact. There will be Case Studies, lectures and panel discussions focused on bringing better data to top management, hedging cyber risk through insurance, security risk versus compliance: a cultural, technical and budgetary shift and building the brand for the Security Department.
Additionally, on the Sunday at GSX there will be a pre-seminar practical exercise to provide hands-on experience and education in ESRM. At ASIS 2017, I hosted an ESRM-based table top exercise and learning session for over 200 individuals. The reviews we received were exceptional, and many professionals personally told me that it was an amazing event and learning experience.
One attendee noted that, after the session, both he and his colleague realised they were missing critical components from their risk evaluation process and were thereby missing an opportunity to provide greater value to their company. In his feedback he noted: “By taking a step back and re-framing our entire programme within the structure of ESRM, we were able to focus our efforts towards the areas of greatest operational risk, using the existing programmes we had in place and providing valuable intelligence to the business. Additionally, we broadened the purview of our assessment to the entire organisation, from the supply chain to operating facilities and on again through our service organisations.”
That is a powerful testament in terms of what the proper application of ESRM can mean to us all as individual security practitioners and the profession as a whole.
2018 is a year of dynamic change at ASIS International and ESRM is at the forefront of the organisation’s global strategy. For more information on this work, send an e-mail to firstname.lastname@example.org or make plans to attend this year’s GSX.
Jeff Slotnick CPP PSP is President of Setracon Enterprise Security Risk Management Services