Canadian Security Magazine

Necessary next steps

By Tim McCreight   

Features Opinion Risk Perspective annex ASIS enterprise security risk management esrm esrm training Risk Management tim mccreight

Over the past 10 months, we’ve had a chance to explore the concepts of Enterprise Security Risk Management (ESRM) in this column, and at the annual ASIS Seminar held in Dallas this year. It’s been an interesting journey, and we’ve learned so much, but we’ve also seen how far we have to go.

What this year has shown me is that we’re at the cusp of change in the security industry. From sessions with clients, to discussions with other security professionals and meetings with executives of organizations, I’ve seen a desire for change. Our old ways of “doing security” need to change, but we’ve only just started on this path.

The focus at ASIS 2017 highlighted a chance to move our industry to a profession, and to begin addressing the overall security posture of our organizations through the philosophy of Enterprise Security Risk Management. We heard from Scott Klososky, one of the keynote speakers, that very soon we will be identified as simply “security,” and the distinctions we have created between the physical and IT realms will disappear.

We’re still in the nascent stages of this change of the security industry, but the changes appear promising. I had the honour of participating in some of these sessions, and the professionals I talked to after each session appreciated the goals of ESRM and how this framework can help an organization achieve its objectives. I heard first hand how professionals in the field thought about this change in our direction, and I really appreciated those comments.

What we need to do now, though, is ensure we have a consistent framework and taxonomy for ESRM. Any successful change requires strong communication, and supporting information to all levels of an organization. We are no different — we need to ensure that security professionals at all stages of their career, and in all levels of organizations, receive relevant, timely information regarding ESRM and how their role supports the philosophy of ESRM within their organization.

As a security professional, you can also learn more about ESRM and how this framework and philosophy can bring value to your organization and help us develop our profession. There are resources available that describe ESRM, what this framework really looks like, and how you can incorporate ESRM into your existing security program. Search “Enterprise Security Risk Management” and “Brian Allen Rachelle Loyear” to find their book on this topic. It’s a great resource, and their new book (due out very soon!) will have even more practical information for security professionals.

ASIS is working on standardizing ESRM training material throughout 2018 for its members, and the ESRM initiative, sponsored by the ASIS Board of Directors, will provide a structured approach to incorporating ESRM into the DNA of ASIS over the next few years. As material becomes available, take the time to review the information and learn more about ESRM.

I’m excited about the changes I’m seeing, about the direction we’re taking as a profession, and within ASIS. I have a vested interest — I sit on the Board of Directors, and I’m involved with the ESRM initiative. But my excitement comes from seeing where we can go down this path, and where we can be in five to 10 years. I see a time where we are accepted as a profession by our executives, and in the eyes of new graduates from post secondary institutions. I envision a time when young professionals choose security as their career path because they can see how they can become a Chief Security Officer or Chief Risk Officer. And that gives me hope.
Tim McCreight is the director of strategic alliances at Hitachi Systems Security (

Print this page


Stories continue below