Think like a stakeholder
By Tim McCreight
The fun part of any Enterprise Security Risk Management (ESRM) program is starting with some interesting “what if” questions.
As a security professional, you have asked questions like these many times at the start of a risk assessment: what if there was a flood in the downtown core? What if a fire started in a data centre? What if a forest fire forced you to evacuate your building, and the building burned to the ground? These are questions I have looked at over my career.
The second phase of the ESRM lifecycle focuses on identifying and prioritizing risks to the assets you documented in the first step. This is where a lot of time and effort goes into ESRM — and where some different approaches must be considered by security professionals.
In past lives, I conducted my risk assessments through the lens of a security practitioner. I’d begin “in the parking lot,” starting at the perimeter of my facility and then working my way into the core of a building. It was a very methodical approach, and time-consuming. And it was very security biased — I wasn’t concerned about talking to anyone other than security team members, and I was more worried about the principles of physical security, creating layered defences, and defining clear boundaries to reduce my risk exposure.
Over time, I’ve learned that we need to step out of our role as security professionals, and take on the perspective of other stakeholders across the organization. We need to expand our viewpoints and look at the risk scenarios from someone else’s vantage point.
We should consider how our executives or CEOs would look at the risks we’re uncovering. Would they worry about these risks, or accept them as part of the path to achieving business success? Thinking like a shareholder is another way to challenge our opinion on the risk assessment process, and offers a unique opportunity to look at risk differently.
Another stakeholder group we often forget is our customers or clients — those whom our organizations serve, who buy our products, consume our services, and keep us in business. If we identified several risks facing our organization and presented them to our customers, what would their reaction be? Would they be concerned if their personal information was compromised, or would they react in a more subdued manner? Would clients be upset if our manufacturing process was copied by a competitor, or would brand loyalty keep them coming back to buy our products? This exercise is a fascinating way of exposing our risk assessment process to a variety of audiences with different viewpoints and needs.
These different perspectives allow us to look at the value of our assets, and the impact of a threat against each asset, in a variety of ways. If we consider these perspectives when we start assessing risks and evaluating our assets, we gain greater insight into the organization than a typical risk assessment exercise provides. An asset that is critical to one department may have no value to a client or the CEO. Using multiple perspectives and viewpoints helps create a more accurate picture of the assets we have and need to protect. This also changes how we prioritize the risks facing these assets — our goal in using the ESRM framework is to consider all viewpoints during this phase to gain a complete picture of our risk profile. This expanded view lets us work through the prioritizing of risks more effectively, and with fewer debates between the security professional and the organization. Well, hopefully.
Tim McCreight is the director of strategic alliances at Hitachi Systems Security.