Risk perspective: Time to grow

During the latter part of June I had the honour of attending the ASIS Board of Directors meeting in Atlanta, Ga.

Before the board meeting, I was also part of the ASIS team that presented an introductory Enterprise Security Risk Management (ESRM) workshop to approximately 40 attendees. It was a great course, full of interesting conversations, opportunities to network with other security professionals, and a chance to create another group of newly-minted ESRM evangelists.

I always enjoy these sessions, spending time with my fellow ESRM instructors and taking security professionals who have never heard of ESRM or a risk-based, business-focused approach to security along a journey of discovery. This session was more special because of one early comment that came to our team.

As a group of instructors, we always do our best to bring those who don’t understand how ESRM can create a successful security program slowly down the path of discovery. We’ve found over the last few years that the best approach is always one of encouragement, helping security professionals realize they are probably using an ESRM approach where they work today, they just didn’t realize it.

We received one amazing comment from a recent attendee. I won’t share the comment verbatim, but the theme of the comment focused on their reluctance to attend, and the realization of how powerful an ESRM-based approach can be. The attendee was interested in the concept of ESRM, but unsure how well it could be taught or absorbed. They stated they weren’t too motivated to attend, but going to Atlanta beat going to another city. They had a preconceived notion that not much could be taught in two days, and were unsure of how to use ESRM within their own organization.

I was pleasantly surprised to read how quickly their mindset changed, and that they truly saw the benefits of an ESRM based security program. They appreciated the efforts of the instructors, and were eager to apply the principles to their own organization. All of that occurred in just two days!

I realize you can’t validate a program on just one person’s comments, but this attendee summed up many others comments regarding ESRM, and the benefits we can realize as security professionals. Over the past few years I’ve enjoyed teaching ESRM at GSX for ASIS, and speaking on ESRM topics at a number of conferences and seminars. I do remember there were some dark times, when I didn’t think we’d ever embrace ESRM or see how we could change, and become a profession based on risk. I wrote the same thoughts in this column a little while ago, expressing my frustration and concern for our industry, and my misgivings that security folks weren’t appreciating the benefits of ESRM.

Time brings change. I see now we’re adjusting our perspectives, focusing on security really becoming a business partner able to help organizations achieve their success. I’m seeing this change within my organization and have started teaching my team the principles of ESRM. And I saw the commitment from ASIS regarding ESRM — how this organization is embracing the ESRM philosophy and integrating it into every corner of the business.

I’ve never been a very patient person! In the past, I would become frustrated with the pace of change, always wanting things to happen sooner than later. As I’ve matured in both my career and age, I’m now able to appreciate what time can do and to give ESRM more room to grow. I’m glad the industry didn’t give up on ESRM either. We’re both better for it being around.

Tim McCreight is the manager, corporate security (cyber) for The City of Calgary (www.calgary.ca).

This story was featured in the Summer 2019 edition of Canadian Security magazine.