The risk resolution
By Tim McCreight
We’ve all made New Year’s resolutions.
Some are small, some are grandiose and others are just downright crazy! I took some time to work on a resolution for our profession — let me know what you think.
This year, we resolve to focus on the principles of Enterprise Security Risk Management (ESRM) in our everyday approach to protecting the people, property and information of our organizations. We recognize that our first task is to understand the goals and objectives of the business, and then to identify the assets that support those goals.
When we talk to our business leaders and organization stakeholders about potential risks to these assets, we’ll make sure we listen to their concerns, document their points and opinions, and assess the risks facing the assets using a sound, repeatable process. Once we’ve had the opportunity to assess these risks, we will create mitigation strategies to reduce the risks as best we can, let the business determine the path to success, and document the risk decisions.
We’ll make sure we have a risk management program in place, develop incident response procedures for the organization, and ensure we create a closed loop by conducting post mortem reviews of incidents, and incorporating that feedback into our processes.
That’s quite the resolution! But it encompasses all we want from a risk-based approach to a security program. And 2019 is a year when we’re going to see progress toward this philosophy. I’m optimistic about this approach because I’ve seen the ESRM philosophy appear in a number of different places.
Security professionals I follow on Twitter, LinkedIn and Facebook are outlining projects and initiatives that describe the ESRM approach. I’m seeing conferences highlight ESRM topics and panel discussions that involve new speakers and risk professionals. That means the ESRM message is spreading beyond the original core group of pioneers and practitioners. And ASIS continues to bring forward programs and materials focused on the benefits of ESRM for security professionals and organizations at a global level.
At a local level, I’m seeing the benefits of a risk-based approach expand beyond a handful of companies.
My current organization, along with a number of other local and national teams, has embraced and deployed a risk-based, business-focused approach to security and is realizing the benefits of these programs. Gone are the days when security is seen as the “department of no.” We are now seen as advisors and business professionals who happen to run a security department.
One recent discussion really helped me understand how far we’ve come these past few years. During a project meeting with another team, we collectively began to assess a new initiative and started to look at the “why” of the project. One of the team members (not a security person) asked how the new project was linked back to the organization’s business objectives, and whether we could identify the risks.
The team member really wanted to know how the project was supporting the goals of the organization, but more importantly what risks could this new project address. That was a pretty amazing moment for me — the message my team has presented for quite some time was mirrored back in a project meeting by someone other than a security professional.
We’ve all made resolutions to try something new, push ourselves to achieve a difficult goal or focus on making a change in our lives. I think this year we can actually do it. I think this year we can change the direction of our profession and move toward the principles of ESRM. It starts today — with you.
Tim McCreight is the manager, corporate security (cyber) for The City of Calgary.
This story was featured in the Winter 2019 edition of Canadian Security.