Canadian Security Magazine

Are we ready?

By Tim McCreight   

News Opinion Risk Perspective COVID-19 Enterprise Security Risk Management (ESRM) isc west The City of Calgary

Adopting an ESRM framework to manage today and face the future

COVID-19 continues to alter the course of our plans for 2020.Even while we watch some areas of the globe ease restrictions, we’re seeing the resurgence of the virus in areas that perhaps went too far, too fast. We all want to get back together, to increase our personal “bubble,” add people to our close cohort, be able to feel “normal” again.

That’s not going to happen for the foreseeable future. There is no vaccine developed yet to battle COVID-19, and the surges in case counts across the globe reminds us that a second wave (or more) of this virus is on the horizon.

In our profession, we’ve seen changes to events we all look forward to attending every year. The annual GSX event for ASIS is now virtual, as is ISC West. We’re also seeing conferences across the different specialties of security turn to virtual events to try to keep professionals informed and engaged.We’ve had to quickly adjust to this new normal — using virtual platforms to connect, share ideas and experiences. We’re able to collaborate over Microsoft Teams, sit in on Zoom conferences, and use FaceTime or Messenger to catch up over a virtual coffee.

But are we ready for this change? Have we embraced the notion that we can be functional in a COVID-19 world? How can we continue with this new approach for the next six months or a year? How do we remain effective if we have to work remotely and maintain social distancing?


I’ve been impressed watching security professionals in my organization adjust and thrive in this altered version of normal. Our Enterprise Security Risk Management (ESRM) based security program continues to grow, even during a pandemic. Our departments are using Microsoft Teams and other avenues to continue assessing risks against our assets. We’re able to build on the work we began last year, migrating to an ESRM framework, and accelerate the launch of our technical platform to record and assess risks. Our security teams have become very creative in their approach to dealing with clients, conducting interviews, assessing risks, and providing mitigation strategies. Their virtual meeting skills have increased dramatically, and I’m seeing how efficient they’ve become managing their tasks and time.

During our immediate response to COVID-19 we asked all our staff who could work from home to do so as long as practical. By the early part of April, we saw an 1,800 per cent increase in the number of users logged in remotely to our systems. We worked closely with our information technology department to identify additional risks this sudden surge in remote connectivity posed to our networks, and implemented controls to reduce these risks. Our cybersecurity team then started to automate their response to the increased number of phishing attacks and malware campaigns that tried to capitalize on COVID-19.

Our physical security teams remained customer-facing during our COVID-19 response. Whether they were repairing a card access panel or conducting mobile patrols of our facilities, these professionals continued to address our physical security requirements while following strict health and safety protocols. To date, we have provided our critical services (and more) by continually addressing risks facing our team, our employees and our citizens.

I am amazed at how our team can now assess the risks facing our people, property and assets and then collaborate with other departments to reduce these risks. We’re not researchers trying to find a vaccine, or health care workers helping you recover, but using an ESRM approach has given me hope, and we’re ready for what’s next.

Tim McCreight is the acting chief security officer for The City of Calgary (

Print this page


Stories continue below