Risk perspective: ESRM updates from GSX

I’ve just returned from GSX 2019 in Chicago and wanted to reflect on what I saw at ASIS International’s annual event from an Enterprise Security Risk Management (ESRM) perspective.

It was comforting to see the focus placed on ESRM — from classroom sessions to comments in the opening remarks, the profile of ESRM was elevated to a much higher degree this year. That profile was due in large part to the work the teams at ASIS did this year on the ESRM Guideline and maturity assessment tool.

I’m proud to say I was part of these initiatives and was so impressed to see my copy of the ESRM Guideline!

The acceptance of a risk-based, business focused approach this year at GSX was palpable. This isn’t just a theoretical exercise anymore — there were concrete examples from speakers other than me on how successful an ESRM-based program can be. It wasn’t the initial core group of ESRM evangelists trying to spread the word of ESRM, it was a diverse group of practitioners speaking to other professionals on the highlights (and disappointments) of implementing this “new way of doing security.”

As my friend and president elect for the 2020 board term John Petruzzi is fond of saying: This isn’t “business as usual” anymore.

As I settle back into work and continue implementing an ESRM-based approach at my organization, I’ve looked back to see where we’ve been and how we’ve come to this place. It’s been a hell of a journey since the early days of ESRM! Not that long ago, our small cadre of ESRM gurus were struggling to find advocates within the executive ranks to hear our risk-based stories. It was hard to explain that we were here to help, not to accept or endorse risks for our organizations. We faced opposition from other security professionals who didn’t see great value in approaching a security program through a risk lens.

Like the seasons moving from summer to fall, change happens. Sometimes that change was small — getting a meeting with a director to talk to them about risks at their facility or having an asset owner not sign a risk acceptance report, instead ask for help to mitigate the risks. Sometimes it was more significant, like achieving acceptance from executives to continue developing an ESRM-based program and provide regular updates on the progress. These changes occurred quietly, behind the scenes, but they continued to build the body of knowledge and experience we so desperately needed.

Over the past two years, the structure within ASIS adapted to embrace and support ESRM. ASIS volunteers stepped up in a significant way — the volunteers who worked on the ESRM Guideline launched at GSX 2019 number more than 50, and the working group developing the Guideline surpassed 20. That’s an amazing commitment from our profession, considering we only re-ignited ESRM back in 2015.

I feel we’ve turned the corner. The work we’ve put into formalizing a risk-based, business focused approach culminated in the launch of the ESRM Guideline and the maturity matrix tool — two milestones in our journey to enable security as a profession, as trusted advisors to our organizations. I’m not naïve enough to believe we’re finished our work — far from it. I think these two achievements set us up for greater acceptance within our organizations. We can now demonstrate to our executive leadership that we have a security management process — one that truly benefits our organization.

Tim McCreight is the manager, corporate security (cyber) for The City of Calgary (www.calgary.ca).