
Enterprise Security Risk Management

Highlights from a presentation by Brian J. Allen, ESQ., CPP, CFE, CISSP, CISM to ASIS Rochester.

In the current 4th Industrial Revolution, with digital transformation taking place across nearly all businesses and institutions at an increasing pace, Enterprise Security Risk Management (ESRM) gives the security profession a way to advance and to meet current and future challenges more strategically and more effectively.

Every business or institution takes risks and faces a wide range of threats (not just those a traditional security function would recognize); taking risk is fundamental to the progress, or lack of progress, of any organization. Examples include the development of new products, entry into new markets, geopolitical conflicts, supply chains, disruptive technologies, new competitors, "mother nature", social reputation, new regulations, cyber breaches, and so on.

Digitalization disrupts whole industries and creates enormous organizational risk: companies that address their risks better can move past yours. Mr. Allen presented well-founded projections that 2 billion existing jobs will be displaced by 2030 and that 75% of the companies in the S&P 500 will be new by 2027. The impact of new disrupters such as ChatGPT needs to be carefully considered.

Given the plethora of risks faced, the biggest question on the minds of top executives these days is: Is our company resilient?

In this fast-changing era, the role of Security needs to become more strategic, working with executives and regulators to guide businesses and institutions through a continuous risk process. The chief output of the security function becomes "Risk Information"; risk mitigation is then an outcome of the Risk Information process rather than the starting point.

So what is ESRM and where does it apply? ESRM is the practice of managing a security program through the use of risk principles. It is a management philosophy that can be applied to any area of security and any task security performs, such as physical security, cybersecurity, information security, business continuity management and investigations.

There is nothing radically new about the components of this practice. Its value comes from the holistic view, the communication and engagement across the entire organization (or organizations), and its use as the basis for all security-related actions.

The model is: Assets – Risks – Mitigation – Response – Learning

  • Assets are both tangible (equipment, facilities, people, products, etc.) and intangible (reputation, trust, etc.).
  • Risks are possible outcomes together with their probabilities. A risk is not the same as a threat: threats and vulnerabilities have to be translated into risks to a specific asset. "Risk Information" becomes the common language, i.e. the currency of this practice, and security management becomes focused on how to reduce risk rather than on how to become more efficient.
  • Mitigations are chosen relative to the risks identified. The options are Accept, Transfer (e.g. buy insurance), Stop (avoid the activity), or Mitigate. Mitigation includes the actions and practices of Emergency Preparedness, Physical Security, Cyber Security, and Vulnerability Management that lower risks to more acceptable levels.
  • Response is the action taken on specific incidents (risks that have been realized). Incident response is itself partly a mitigation tactic: it is the planned reaction when and if the risk is realized.
  • Learning is the root cause analysis, investigations, etc. that feed back into the risk process.


ESRM practice doesn't discount the importance of tactical actions such as putting an access control system on doors, but it emphasizes the strategic questions behind them: why are those doors worth protecting, what is the value of the assets inside, what are the risks, what are the alternatives for reducing this risk, and, in this example, to what degree does the access control actually lower the risk.

ESRM is a life cycle and a long-term, continuous process. One of the first practical steps is to use a Risk Register to identify and assess the risks associated with each asset. The register leads naturally to prioritization of risks and actions, and is the starting point for strategically using "Risk Information" in security management.
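As an added illustration of the Risk Register step (this is not from Mr. Allen's presentation and is not an ASIS artifact), the following Python sketch ties assets, threats and vulnerabilities together into scored risks, records the treatment chosen for each (Accept, Transfer, Stop, Mitigate), and prioritizes the register by residual risk against an assumed risk appetite. The 1-5 likelihood and impact scales, the appetite threshold of 8, and every register entry are constructed assumptions, not figures from the presentation.

```python
"""Toy ESRM risk register.

Added illustration for this summary; it is not Mr. Allen's material nor an
ASIS artifact. Assumptions: likelihood and impact are scored 1-5, risk score is
likelihood x impact, and the organization's risk appetite is a score of 8.
All assets and register entries below are constructed samples.
"""
from dataclasses import dataclass
from typing import List, Optional

TREATMENTS = ("Accept", "Transfer", "Stop", "Mitigate")


@dataclass
class Asset:
    name: str
    kind: str  # "tangible" (equipment, facilities, people) or "intangible" (reputation, trust)


@dataclass
class Risk:
    """A threat acting on a vulnerability of an asset, expressed as likelihood x impact."""
    asset: Asset
    threat: str
    vulnerability: str
    likelihood: int          # 1 (rare) .. 5 (almost certain)
    impact: int              # 1 (negligible) .. 5 (severe)
    treatment: str = "Accept"
    control: str = ""        # what is done under Transfer / Mitigate / Stop
    residual_likelihood: Optional[int] = None  # score after the control; None = unchanged
    residual_impact: Optional[int] = None

    def __post_init__(self) -> None:
        for v in (self.likelihood, self.impact, self.residual_likelihood, self.residual_impact):
            if v is not None and not 1 <= v <= 5:
                raise ValueError(f"score out of range: {v}")
        if self.treatment not in TREATMENTS:
            raise ValueError(f"unknown treatment: {self.treatment}")
        if self.treatment == "Accept" and (self.residual_likelihood or self.residual_impact):
            raise ValueError("Accept means no control, so no residual scores apply")

    @property
    def inherent(self) -> int:
        """Risk before any treatment."""
        return self.likelihood * self.impact

    @property
    def residual(self) -> int:
        """Risk that remains after the chosen treatment."""
        if self.treatment == "Stop":
            return 0  # the activity is avoided, so the risk no longer exists
        lik = self.likelihood if self.residual_likelihood is None else self.residual_likelihood
        imp = self.impact if self.residual_impact is None else self.residual_impact
        return lik * imp


def prioritize(risks: List[Risk]) -> List[Risk]:
    """Highest residual risk first; ties broken by inherent risk, then asset name."""
    return sorted(risks, key=lambda r: (-r.residual, -r.inherent, r.asset.name))


def above_appetite(risks: List[Risk], appetite: int) -> List[Risk]:
    """Risks whose residual score still exceeds what the organization agreed to carry."""
    return [r for r in prioritize(risks) if r.residual > appetite]


def sample_register() -> List[Risk]:
    """Constructed sample entries (assumed, not real data)."""
    dc = Asset("Data center", "tangible")
    records = Asset("Customer records", "tangible")
    brand = Asset("Brand reputation", "intangible")
    dock = Asset("Warehouse loading dock", "tangible")
    legacy = Asset("Legacy product line", "tangible")
    return [
        Risk(dc, "Power outage", "single utility feed", 3, 4,
             "Mitigate", "generator plus UPS", residual_likelihood=1),
        Risk(records, "Ransomware", "unpatched VPN appliance", 4, 5,
             "Mitigate", "patch cadence plus MFA", residual_likelihood=2),
        Risk(brand, "Public backlash after a breach", "no crisis communication plan", 2, 4,
             "Transfer", "cyber insurance with PR response", residual_impact=2),
        Risk(dock, "After-hours theft", "no access control on dock door", 3, 2),
        Risk(legacy, "Regulatory fine", "cannot meet new regulation", 4, 3,
             "Stop", "discontinue the product line"),
    ]


def report(risks: List[Risk], appetite: int) -> List[str]:
    """One line per risk, in priority order, flagging anything still over appetite."""
    lines = []
    for r in prioritize(risks):
        flag = "OVER APPETITE" if r.residual > appetite else "ok"
        lines.append(f"{r.residual:>2} (inherent {r.inherent:>2})  {r.asset.name}: "
                     f"{r.threat} via {r.vulnerability} -> {r.treatment} [{flag}]")
    return lines


if __name__ == "__main__":
    print("\n".join(report(sample_register(), appetite=8)))
```

The point of the sketch is the translation the presentation calls for: a threat ("ransomware") and a vulnerability ("unpatched VPN appliance") only become a risk once they are attached to an asset and scored, and the register makes the treatment decision and its residual effect explicit. Anything still over appetite after treatment is exactly the "Risk Information" that should go to executives, and the Learning step would revise the likelihood scores as incidents and investigations provide evidence.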

There is more to learn about ESRM. ASIS Rochester thanks Mr. Brian Allen for providing an insightful overview at the January 2023 meeting.

