Risk Perspective: Adding resilience to ESRM

As we continue to recover from the global pandemic, there are security practitioners who are embracing a hybrid approach to protecting their organizations — bringing the concepts of Organizational Resilience (OR) into their Enterprise Security Risk Management (ESRM) based programs.

This is a relatively new approach to managing security risks, using a business focus and identifying opportunities to increase the overall resilience of an organization.

The hard-won lessons of those organizations that successfully navigated the pandemic are being revised, retooled and repurposed. Using ESRM as their foundation, a few security professionals I know are now incorporating the concepts of resilience into the programs — developing more robust procedures to ensure their organizations can continue to operate regardless of the conditions they’re facing.

It’s an interesting blend of disciplines. Incorporating the concepts of resilience into a security program makes sense if we understand how these concepts and practices apply across an organization. Resilience focuses on an organization’s ability to recover from emergent threats, from internal or external sources.

A resilient organization has the capability to survive, and eventually thrive, in times of stress or uncertainty. And resilience impacts all levels of an organization, and considers the culture, resources and routines of the team members across the enterprise.

The parallels to ESRM demonstrate why this combination is such a good fit. A well-designed security program built on the principles of ESRM spans the entire organization and requires security professionals to step outside of their department to interact with the entire organization. Risks are considered regardless of where they originate and the collaboration between the security team and the departments of an organization develops a stronger cultural acceptance of security. Finally, within the ESRM model is the concept of continuous improvement and the ability to detect, react, respond to and recover from a potential incident.

I believe we have an opportunity to mature our ESRM-based programs to include the principles of Organizational Resilience, offering the next generation of security programs to our organizations. This maturity process, though, will take some work to recognize the benefits of combining these two philosophies into one coherent approach to securing an enterprise.

I still know of security professionals struggling to enact a risk-based approach to their security programs, due in part to the culture of their organization or to the reluctance of executives to accept risks affecting their assets. I think we may have a new avenue to pursue in these discussions — leverage the principles of Organizational Resilience and focus on how the department will continue to operate in the face of change.

This means we all have some homework! I envision security professionals seeking out information on Organizational Resilience, what it really is, and how to embrace the principles of yet another philosophy. I can also see these same security practitioners taking a whole new group of organization team members for coffee, to learn what they’re doing to ensure the company is resilient, and how the security team can enable the success of the organization.

We’ve already done so much collaboration in the past, the skills we’ve grown in listening, questioning to understand, seeking confirmation, and designing a collaborative solution are sure to pay dividends as we begin assessing how to incorporate resilience into our programs.

I’m excited to see where this next part of our collective journey will take us. I think over the next few years we’re going to see more information on how OR will help ESRM-based security programs achieve even greater success.

I envision our programs maturing beyond where they are today — something I can’t wait to see!

Tim McCreight is vice-president, business development, Canada, at Apollo Information Systems (tim.mccreight@apollo-is.com).