Manager’s Guide to Enterprise Security Risk Management: Essentials of Risk-Based Security
$24.99
Is security management changing so fast that you can’t keep up? Perhaps it seems like those traditional “best practices” in security no longer work? One answer might be that you need better best practices! In their new book, The Manager’s Guide to Enterprise Security Risk Management: Essentials of Risk-Based Security, two experienced professionals introduce ESRM. Their practical, organization-wide, integrated approach redefines the securing of an organization’s people and assets from being task-based to being risk-based.
In their careers, the authors, Brian Allen and Rachelle Loyear, have been instrumental in successfully reorganizing the way security is handled in major corporations. In this ground-breaking book, the authors begin by defining Enterprise Security Risk Management (ESRM):
“Enterprise security risk management is the application of fundamental risk principles to manage all security risks — whether information, cyber, physical security, asset management, or business continuity — in a comprehensive, holistic, all-encompassing approach.”
The Essentials of Risk-Based Security For Your Enterprise
In the face of a continually evolving and increasingly risky global security landscape, this book takes you through the steps of putting ESRM into practice enterprise-wide, and helps you to:
Differentiate between traditional, task-based management and strategic, risk-based management.
See how adopting ESRM can lead to a more successful security program overall and enhance your own career.
Prepare your security organization to adopt an ESRM methodology.
Analyze and communicate risks and their root causes to all appropriate parties.
Identify what elements are necessary for long-term success of your ESRM program.
Ensure the proper governance of the security function in your enterprise.
Explain the value of security and ESRM to executives using useful metrics and reports.
Throughout the book, the authors provide a wealth of real-world case studies from a wide range of businesses and industries to help you overcome any blocks to acceptance as you design and roll out a new ESRM-based security program for your own workplace.
by Brian Allen, Esq., CISSP, CISM, CPP, CFE and Rachelle Loyear, CISM, MBCP
Kristen Noakes-Fry, ABCI, Editor
ISBN 978-1-944480-25-7 PDF
ISBN 978-1-944480-24-0 EPUB
ISBN 978-1-944480-52-3 PRINT
November, 2016. 138 pages.
About the Authors
Brian Allenhas more than 20 years’ experience in virtually every aspect of the security field. He most recently held the position of Chief Security Officer (CSO) with Time Warner Cable (TWC), a leading multinational provider of telecommunications, information, and entertainment services headquartered in New York City. In this role, he was responsible for protecting TWC’s assets worldwide, coordinating the company’s crisis management and business continuity management (BCM) programs, managing TWC’s cybersecurity policy and leading its security risk management program. He managed the company’s security policy and relations with law enforcement and government authorities, as well as all customer security risk issues, oversaw internal and external investigations, and headed the company’s workplace violence program.
Before joining TWC in January 2002, he was Director of the Office of Cable Signal Theft at the National Cable and Telecommunications Association in Washington, D.C., and the owner of ACI Investigations, a multimillion-dollar provider of security guard, investigations, and consulting services.
Brian earned his Bachelor of Science degree in criminal justice from Long Island University and received his Juris Doctor degree from Touro Law Center in New York. He is a member of the New York State Bar Association, a Certified Protection Professional (CPP) with ASIS, a Certified Information Systems Security Professional (CISSP) with ISC2, a Certified Fraud Examiner (CFE) with the ACFE and a Certified Information Security Manager (CISM) withISACA. Brian is also a member of the International Security Management Association and the Association of Threat Assessment Professionals.
Brian is an Adjunct Professor at the University of Connecticut, School of Business MBA Program and is active in industry organizations. He served as a member of the Communications Infrastructure Reliability and Interoperability Council (CSRIC), an FCC appointed position, and co-chaired its working group on Cybersecurity Best Practices and the Cybersecurity Framework. He is also one of four elected communications company representatives to serve on the Executive Committee of the US Communications Sector Coordinating Council (CSCC). He works with the Cross Sector Cybersecurity Working Group, established by the U.S. Department of Homeland Security (DHS) under the Critical Infrastructure Partnership Advisory Council.
Brian has served on the board of directors of ASIS International, and the board of trustees of ASIS International’s Foundation. He is currently a member of the Board of Directors of the Domestic Violence Crisis Center in Connecticut.
Rachelle Loyear has spent over a decade managing various projects and programs in corporate security organizations, focusing strongly on business continuity and organizational resilience. In her work life, she has directed teams responsible for ensuring resilience in the face of many different types of security risks, both physical and logical. Her responsibilities have included: Security/BCM program design and development; crisis management and emergency response planning; functional and location-based recovery and continuity planning; crisis management and continuity training and operational continuity
exercises; and logistical programs, such as public/private partnership relationship management and crisis recovery resource programs.
She began her career in information technology (IT), working in programming and training design at an online training company, prior before moving into the telecommunications industry. She has worked in various IT roles – including Web design, user experience, business analysis, and project management – before moving into the security/business continuity arena. This diverse background enables her to approach security, risk, business continuity, and disaster recovery with a broad methodology that melds many aspects into a cohesive whole.
Rachelle holds a bachelor’s degree in history from the University of North Carolina at Charlotte, and a master’s degree in business administration from the University of Phoenix. She is certified as a Master Business Continuity Professional (MBCP) through DRI International, as an Associate Fellow of Business Continuity International (AFBCI), as a Certified Information Security Manager (CISM) through ISACA, and as a Project Management Professional (PMP) through the Project Management Institute (PMI). She is active in multiple BCM industry groups, and is vice-chair of the Crisis Management and Business Continuity Council of ASIS International as well as serving on the IT Security Council.
Table of Contents
Cover
Title Page
Copyright
Part 1: What Is Enterprise Security Risk Management (ESRM) and How Can It Help You?
Chapter 1: What is Enterprise Security Risk Management (ESRM)?
1.1 ESRM Defined
1.1.1 Enterprise
1.1.2 Security Risk
1.1.3 Risk Principles
1.2 How is ESRM Different from Traditional Security?
1.2.1 Traditional Corporate Security Scenarios: Something is Missing
1.3 What is ESRM? − A Closer Look
1.3.1 The Phases of the ESRM Life Cycle
1.3.2 Managing Risk in a Life Cycle
1.4 What ESRM Is – and What It Is Not
1.4.1 ESRM Mission and Goals
1.4.1.1 Enterprise Risk Management: A Brief Overview
1.4.2 ESRM vs. Security Organization Convergence
Chapter 2: Why Does the Security Industry Need ESRM?
2.1 Why Does the Traditional Approach to Security Frustrate So Many People?
2.1.1 The Missing Network Switch: A Story of Security Frustration
2.1.2 The Missing Network Switch: A Story of Security Partnership
2.1.3 The Missing Network Switch: Lessons Learned and the ESRM Difference
2.2 What Do We Mean by “Traditional” Security vs. ESRM?
2.2.1 What Does Security Do? The Traditional View
2.2.1.1 The Answer from the Security Practitioner
2.2.1.2 The Answer from the Board of Directors and Senior Executives
2.2.1.3 The Answer from Operational Personnel
2.2.2 Why the Security Industry Needs to Define “Security”
2.2.3 What Does Security Do? The ESRM View
2.2.3.1 Managing Security Risks
2.2.3.2 Basic Risk Principles
2.3 The Security Professional and the Business Leader: Moving Beyond Frustration
2.4 ESRM-Based Security: Moving from Task Management to Risk Management
2.4.1 Task Management
2.4.2 Risk Management
2.5 The ESRM Solution: A New Philosophy
2.5.1 Security Becomes Strategic
2.5.2 Security Becomes a Business Function
2.6 ESRM as a Path to Security Success
2.6.1 What Does “Security Success” Look Like?
2.6.1.1 Success Is Not Just Measured by Numbers
2.6.1.2 In Security Success, Intangibles Are Important
2.6.1.3 Your Answers Create Your Definition of “Success”
Part 2: Implementing an ESRM Program
Chapter 3: Preparing to Implement an ESRM Program
3.1 Begin by Working to Understand the Business and Its Mission
3.1.1 What Are the Insiders Saying?
3.1.2 What is the Business Saying About Itself?
3.1.3 What Are Outsiders Saying?
3.1.4 What Isn’t Being Said?
3.1.5 What Is the Environment the Enterprise Operates In?
3.1.6 Who Are the Environmental Decision-Makers?
3.2 Understanding Your Stakeholders − and Why They Matter
3.2.1 What Is a Stakeholder?
3.2.2 Why Should You Care About Stakeholders?
3.2.3 What Is the Role of the Stakeholders in ESRM?
3.2.4 Finding Your Stakeholders: A Closer Look
3.2.5 Example 1: Customer Personal Data − Whose Asset Is It?
3.2.6 Example 2: Customer Personal Data − Who Decides
Chapter 4: Following the ESRM Life Cycle
4.1 What is the ESRM Life Cycle?
4.2 Step 1: Identify and Prioritize Assets
4.2.1 How Do You Identify Business Assets?
4.2.2 Who Really “Owns” an Asset?
4.2.3 How Do You Assign Value to Assets?
4.2.3.1 Simple Tangible Asset Valuation (Two Methods)
4.2.3.2 Complex Tangible Asset Valuation
4.2.3.3 Intangible Asset Valuation
4.2.3.4 Business Impact Analysis (BIA)
4.2.4 How Do You Prioritize Assets for Protection?
4.2.5 How Do You Deal with Conflicts in Asset Valuation and Prioritization?
4.3 Step 2: Identify and Prioritize Risks
4.3.1 How Do You Assess Risk?
4.3.2 How Do You Find All the Risks?
4.3.3 How Do You Prioritize Risk?
4.4 Step 3: Mitigate Prioritized Risks
4.4.1 Risk Treatment Options
4.4.2 Who Has the Final Word on Risk Mitigation?
4.5 Step 4: Improve and Advance
4.5.1 Incident Response
4.5.2 Root Cause Analysis
4.5.3 Ongoing Security Risk Assessment
Chapter 5: Phased Rollout
5.1 Design Thinking – A Conceptual Model for Your ESRM Program
5.1.1 The Phases of Design Thinking
5.1.1.1 Empathy
5.1.1.2 Definition
5.1.1.3 Ideation/Brainstorming
5.1.1.4 Prototyping
5.1.1.5 Testing
5.2 Iterative ESRM Program Rollout in a Formal Design Thinking Model
5.2.1 Educate and Involve (Empathy)
5.2.2 Iterate (Your Definition and Prototypes)
5.2.3 Mature the Process (Testing/Feedback)
5.2.4 Expand (Begin the Design Thinking Process Again with a Larger Scope)
5.3 ESRM Program Rollout Checklist
Part 3: Ensuring Long-Term ESRM Success
Chapter 6: Essentials for Success
6.1 Transparency
6.1.1 Process Transparency
6.1.2 Risk Transparency
6.2 Independence
6.3 Authority
6.4 Scope
6.4.1 Example: Risk Management in Scope with Mitigation Actions by Security
6.4.2 Example: Risk Management in Scope with Mitigation Actions by the Business
Chapter 7: ESRM Governance, Metrics, and Reporting
7.1 What is Corporate Governance?
7.1.1 Why Corporate Governance Is Complex
7.1.2 Importance of OECD Guidelines
7.2 How Does Corporate Governance Apply to ESRM?
7.3 The Security Council’s Role in ESRM
7.4 Setting Up a Security Council
7.4.1 Security’s Role on the Security Council: What It Is and What It Is Not
7.4.1.1 What the Role of the Security Practitioner Is
7.4.1.2 What the Role of the Security Practitioner Is Not
Chapter 8: Where Should Security Report in an Organization Structure?
8.1 Reporting Options
8.2 What Does Security Need to Be Successful?
8.3 Some Lines of Reporting Carry Obvious Conflicts
8.4 Greatest Success Comes with the Greatest Independence
Chapter 9: What Do Executives Need to Know About ESRM?
9.1 The Challenge of Executive Support
9.2 Communicating ESRM Concepts to the Executive
9.2.1 For the Executive: Understand the Underlying Philosophy of ESRM
9.2.2 For the Executive: Understand ESRM Parallels
9.2.2.1 For the Security Practitioner: What Are Audit, Legal, & Compliance?
9.2.2.2 For the Security Practitioner: What Do Audit, Legal, and Compliance Functions Need for Success?
9.3 For the Executive: What is Your Role in Supporting an ESRM Security Structure?
9.3.1 Ensuring a Definition of Security Success
9.3.2 Ensuring the Correct Security Skill Sets
9.3.3 Ensuring the Essentials for Success Are in Place
9.3.4 Ensuring the Correct Reporting Structure
9.3.5 Ensuring the Board or Enterprise Ownership is Aware of the Role of Security and Security Risks as a Business-Critical Topic
9.4 For the Executive: What Should You Expect from the ESRM Program?
Chapter 10: Reports and Metrics
10.1 Metrics of Risk Tolerance
10.1.1 Example of a Security Report
10.1.1.1 Planning the Report
10.1.1.2 Building the Report
10.2 Metrics of Security Department Efficiency
10.3 Communicating to an Executive Audience
10.4 A Look into the Future – A Successful ESRM Program
References
Credits
About the Authors
Excerpts
Part 1: What Is Enterprise Security Risk Management (ESRM) and How Can It Help You?
This part will help you to:
Understand what is meant by Enterprise Security Risk Management.
Explain the difference between traditional, task-based management and strategic, risk-based
management.
Understand and overcome some of the blocks to effective relationships with enterprise
leaders.
See how adopting ESRM can lead to a more successful security program overall and
enhance your own career.
Part 2: Implementing an ESRM Program
This part will help you to:
Prepare your security organization to adopt an ESRM methodology.
Follow the ESRM life cycle steps to more effective security management.
Design and roll out a new ESRM-based security program in your enterprise.
Part 3: Ensuring Long-Term ESRM Success
This part will help you to:
Understand what elements are necessary for long-term success of your ESRM program.
Ensure the proper governance of the security function in your enterprise.
Explain the value of security and ESRM to executives using useful metrics and reports.
1.2 How is ESRM Different from Traditional Security?
The description of ESRM above may sound somewhat like what you and your security organization are already doing – and the fact is, you probably are already doing some parts of it. So let’s take a look at what makes ESRM such a radical departure from traditional, “conventional” security. To do that, we need a baseline understanding of what traditional security is – and what it is not.
These days, security practitioners are often too busy dealing with threats and vulnerabilities and other urgent operational problems to ask themselves basic questions about what they do and why they do it.
Questions like:
What is my role in the business environment, beyond the specific security tasks I’ve been
assigned?
Why are the tasks I do every day necessary for the enterprise?
How is what I do perceived in the organization?
What is the mission my department is chartered to accomplish?
That’s a serious problem, because in security, as in every other business discipline, if you aren’t sure what you’re trying to accomplish – why you’re doing what you’re doing – you can’t be sure you’re doing it right. And, just as important, you can’t be sure that you’re being recognized by the management in your organization as doing it right.
3.2.2 Why Should You Care About Stakeholders?
Why does living an ESRM philosophy require identifying your stakeholders? What is the advantage to understanding your stakeholders before beginning to build out an enterprise security program or any individual security project? The answer, one that we’ll be returning to again and again, is that these are the people who must accept the risk to the business of implementing – or not implementing – any security recommendations you make.
If you identify your most influential stakeholders early on and get their input to shape the goals, posture, and architecture of your program or project, your relationship with the stakeholders will help to:
Ensure their support and improve the quality of the program or project model.
Ensure that goals align with the needs of major stakeholders – helpful for the project and overall program at budget time. Let’s be realistic: You can’t make your program a success without the necessary resources, and those stakeholders don’t just own the assets you’re trying to protect. They also, in many cases, hold the purse strings.
Ensure that they fully understand the security program, its roles and responsibilities, and its overall benefits. And stakeholders who understand the program – and especially stakeholders who have already had input into it – are far more likely to support it and give it priority over other, competing business pressures.
Encourage these stakeholders to increasingly seek you out as a trusted partner to assist in risk identification and risk mitigation planning, one of the most fundamental indicators of ESRM success.
Discover points of conflict or competing objectives among your stakeholders early, and develop strategies for resolving problems that might arise from these competing objectives.
These aren’t the only reasons, but they’re definitely some of the most important ones. It is essential in any security project to identify the individuals and groups within the business who will contribute to or be impacted by the projects, identify those who have something to gain and something to lose from any implementation, and then develop a strategy for dealing with them (Bourne, 2008). Stakeholders are essential decision-makers. Their level of risk acceptance is important to your ESRM program because ESRM is both art and science. It requires that you balance an extraordinary range of security and risk priorities, protecting the business against threats while still allowing it to function. To take an extreme example, the simplest, and possibly the most effective, way to protect a building is simply not to allow anyone into it or near it. But of course that’s almost always out of the question, because it would completely choke off the business’s ability to operate and meet its objectives.
For example, in a retail environment, the business accepts the risk of allowing unknown persons into the location. It’s not up to you as a security practitioner to say that risk is or isn’t worthwhile. That decision must be made by the retail heads and other stakeholders. Your role is to listen to them, then design and implement security measures that they believe address their risks without impinging too far on their mission of selling products to customers. These measures may be as simple as security cameras to record activity in some locations, or as stringent as glassed-in enclosures to protect employees who are handling large amounts of cash or other valuables. The key to ESRM success, here as in the other types of businesses we’ve discussed, is to balance the need for acceptable security risk protections against the needs of the business and the people who make it work. That balance and deciding the tipping point is the realm of stakeholder risk acceptance and a major part of the art and science of ESRM practice.
Reviews
Book Review: The Manager’s Guide to Enterprise Security Risk Management: Essentials of Risk-Based Security.
10 March 2018 by Brian J. Allen, CPP, and Rachelle Loyear. Reviewed by Rachid Kerkab
Appears InMarch 2018Print Issue Security Management, a Publication of ASIS International
Rothstein Publishing; Rothstein.com; ebook.
The security landscape is evolving at an enormous speed. Volatility, uncertainty, complexity, and ambiguity are the new normal. So, how do you address security challenges in such an environment? The answer is through enterprise security risk management (ESRM), an integrated risk-based approach to managing security risks. It brings together cyber, information, physical security, asset management, and business continuity. ASIS has made ESRM a global strategic priority.
In the Manager’s Guide to Enterprise Security Risk Management, authors Allen and Loyear provide a comprehensive overview of the principles and applications underlying the ESRM philosophy. They set the stage in the first part of the book with an introduction to ESRM and share some important insights on the differences between traditional security and the ESRM approach, illustrating their points with examples.
The second part of the book guides the reader through the implementation of an ESRM program. One excellent chapter promotes design thinking as a conceptual model for ESRM. A design thinking approach can provide a unique platform for innovation and overcoming new security challenges.
Finally, the book provides insights and strategies to ensure the success of the ESRM program. It explains what an executive needs to know about ESRM, and gives readers the tools to succeed.
In sum, this guide accomplishes exactly what it set out to do—provide security leaders and managers with the principles and applications to explore, design, implement, and secure the success of an ESRM program.