Canadian Security Magazine

Implementing an ESRM strategy: Keep the faith

By Tim McCreight   

Features Opinion Risk Perspective ASIS calgary esrm

Every ESRM program requires continuous monitoring, awareness and adjustment to keep moving forward.

As I look back on 2018, I try to reflect on what the year has taught me, both personally and professionally. I’ve had an interesting year in both aspects, but I’m not unique. What’s different for me was the discussions I had with security professionals across the globe, and their understanding (and in many cases, acceptance) that a risk-based approach to security can really work.

Earlier this year, I was worried. Worried that I had gambled everything both personally and professionally on Enterprise Security Risk Management. Worried that we, as an industry struggling to become a profession, had placed so much importance on ESRM. We were promoting it every chance we could through ASIS, were highlighting ESRM at sessions across GSX, and I was speaking about ESRM at every conference or event that would have me.

The first half of this year was difficult at times, trying to divine some sort of sign that ESRM was taking hold, that business and security leaders would see the benefits of this “new” approach to developing a security program. Others and I made personal sacrifices, learned hard lessons and had to adjust our own strategies to try to “keep the faith,” hoping that what we had started would begin to take hold, to resonate across enterprise boundaries.

 And then, it started. Gradually at first — a productive client meeting talking about refocusing their existing security program to reflect the principles of ESRM, a well-received presentation or even a call out for help to find resources to run ESRM workshops within a fellow security professional’s company. It was more than just coincidence security professionals I was briefly talking to during the early part of the year were asking for guidance on how to begin developing their own ESRM-based security program these past few months.


The courses and education programs conducted at GSX brought more attention, more focus, and more volunteers to the global ESRM program managed by ASIS. I finally believed things were starting to change for the better. It felt like those first days of spring, when the ice begins melting from the rooflines, and you can feel the warmth of the sun embrace you as you eagerly enjoy a lunchtime walk.

As 2018 draws to a close, I feel a renewed energy and a restored faith that ESRM is really the most effective approach an organization can take to reduce the risks facing their people, property, and information. I’m not trying to preach this as a religion — although I do identify myself as an ESRM evangelist! No, what gives me hope now are the comments, emails and phone calls I get from security professionals I’ve met at a conference, or who have read this article. Folks who are genuinely interested in learning more about ESRM and how it can be incorporated into their organization.

In many ways, I applied the principles of ESRM to my own personal and professional choices. I had to take stock of what was important to me (what are my goals, what are my assets, and what was crucial to my personal and professional success), look at the risks to these assets (challenges to my belief system, struggling to remain positive against difficult situations), and then identify what paths I needed to stay on (or move away from) to achieve my objectives (my personal risk mitigation strategy). It sounds a bit corny, I know. But it’s amazing what can happen when you allow yourself the opportunity to adjust your strategy and deal with your risks.

Tim McCreight is the manager, corporate security (cyber) for The City of Calgary.

Print this page


Stories continue below


Leave a Reply

Your email address will not be published. Required fields are marked *