Revisiting risk at GSX

I recently had the honour of attending GSX 2022 in Atlanta, Ga.

It was such an amazing experience to physically meet other security professionals, attend some great education sessions, and visit the show floor to see the latest and greatest technology and products.

What struck me this year was the focus on risk. I saw it in brochures and on booth walls, I heard it in the lineups for coffee, and found so many educational sessions focused on risk. It was a bit overwhelming — or maybe it was just being in large crowds after so many years!

It was comforting to see how the concepts of Enterprise Security Risk Management (ESRM) permeated through education sessions and vendor presentations. I saw new ways of recording and assessing both physical and cyber risks, and learned how Operational Technology (OT) risks are now a critical part of the risk landscape for many organizations. We didn’t have these conversations a decade ago, or if we did, they weren’t as mature as the ones I experienced at GSX 2022.

How did we find ourselves in this place, so many years after those first forays into ESRM?

Part of the credit goes to the authors of our first text books on ESRM — Brian Allen and Rachelle Loyear. I had the good fortune to spend time with both of them during GSX 2022 and thanked them for their amazing contributions to security. Without their knowledge, experience and books I don’t think we’d have the body of knowledge we see today on ESRM. Again, to both Brian and Rachelle – thank you!

We can thank some recent legislation across North America and globally for highlighting the need to look at security through a risk-based lens. I’ve reviewed a number of legislative and regulatory updates targeting critical infrastructure that specifically used risk language in proposed updates. I was impressed with the overall goals of the legislative changes, and the realization that security should be focused on reducing risks — not measuring compliance.

But one of the changes I’m most proud of is how security professionals are now actively discussing risk, or looking to embrace a risk-based approach to their security programs. It was really interesting for me this year to hear conversations from other folks in sessions, hallways, and on the trade show floor talking about risk. That was very rewarding.

I think we’re finally moving in a risk-based direction. I feel like the security profession is now open to embracing the concept of risk — something I couldn’t say many years ago when I first started writing this column. I had a number of attendees track me down and thank me personally for sessions I’ve held in the past, or articles I’ve written about ESRM.

I got a chance to hear their stories, how they changed their security program and the successes they had along the way. I also heard their struggles and felt their pain as they talked about the missed steps along their journey. We realized that our journeys are never straightforward and that we can always learn from our experiences — embracing the concepts of Design Thinking!

It was a unique experience for me, getting ready to become the ASIS 2023 President and evolving into a new role within my organization. To see the changes to our industry as we move (albeit slowly) toward a profession, or at the very least more professional. And to meet so many new ESRM evangelists from across the globe.

It’s comforting to know there’s now a chorus of voices spreading the word about ESRM, and that you’re no longer alone.

Tim McCreight is the national director, market development and strategic advisory at CGI (www.cgi.com).