First things first
By Tim McCreight
The move to Enterprise Security Risk Management, or ESRM, is a significant journey for organizations looking to reap the benefits of a risk-based, business focused approach to securing assets across the enterprise.
By Tim McCreight
ESRM requires a change in our approach, from “doing security” to becoming a strategic partner at the executive level. This change isn’t without effort, and organizations looking to adopt ESRM philosophies must peer inward to determine their readiness to embrace ESRM.
A recent webinar hosted by ASIS International and Resolver identified several critical components for a successful ESRM implementation. One of the often-overlooked aspects of deploying an ESRM program across an enterprise is the readiness of the organization to embrace the concepts of ESRM.
For any type of enterprise-wide program to be successful, organizations must be ready to change. Implementing an ESRM program is no different. We need to ensure our organizations are willing to focus on risks from an enterprise perspective. This means our companies should be at a maturity level high enough to appreciate the benefits ESRM brings to an enterprise.
We can advocate the development and implementation of an enterprise-wide ESRM, but if our companies are struggling to simply identify their assets, implementing an ESRM program may not be beneficial at that point in time. Nothing sets a security professional up for failure faster than misreading the ability of our companies to accept new approaches to reducing risks. I’ve been in this position in past lives, and it’s not a great place to be – trust me.
As security professionals, we need to be open, honest and transparent in identifying our internal processes, policies, procedures, standards, and most importantly, culture. We need to conduct a collaborative assessment with business leaders and their departments to better understand our company’s ability to change, to absorb new ways of focusing on risks. We also need to assess what types of training will be required to implement an ESRM across the organization.
Educating business leaders, department directors, line managers and employees on the benefits and goals of an ESRM program is a critical key to success. The time we take to inform our organization on how we plan on developing and implementing ESRM, as well as the critical role they play within the program, can potentially reduce future issues and concerns.
I’ve had the opportunity to work through the design and development of an ESRM in past lives. It was an eye-opening experience! During the development of one program, I made the mistake of jumping immediately to recording risks without truly educating the organization on the goals and objectives of the ESRM program. I began by setting up workshops, identifying assets, going through risk scenarios and assigning impacts to risks I identified. I spent time looking at data, assessing the likelihood of a risk becoming a reality, and preparing remediation efforts – unfortunately, all in a vacuum.
I learned that you can’t be successful in developing an ESRM program if you don’t spend time up front explaining the benefits ESRM can bring to your organization. I also realized that adopting ESRM, while vitally important to the role of a security professional, may not be as important to other business leaders. Some of the hardest lessons I learned from my experience was the value of developing a thoughtful and comprehensive education and awareness program.
Don’t let these comments from my past experiences dissuade you from developing an ESRM program! We need to begin the ESRM journey in all our organizations – I just want to ensure you’re starting in the right place.
Tim McCreight is director, advisory services at Above Security (www.abovesecurity.com).