Time to change perceptions
By Tim McCreight
During 2017, I watched as our profession and ASIS International began down the Enterprise Security Risk Management (ESRM) path. We declared ESRM as one of our cornerstone objectives, touted its return at our Annual Seminar and Exhibits with sessions and workshops, and structured an ASIS Board Initiative to begin inserting ESRM into the DNA of our society.
By Tim McCreight
Now, the hard work begins.
We need to challenge ourselves to view our work differently. I want to challenge the security professionals reading this column to identify themselves as risk professionals, and look at how their role can help enable their organizations by identifying and managing risks.
I know, some folks are going to say “but, Tim, I’m just a….” and fill in the blank with their current assignment. They may be a security guard at a facility, an information security analyst in a Security Operations Centre, or a loss prevention manager at a retail location. And their perception of their role is they complete a task, or series of tasks, for their employer.
I understand that’s how you get your paycheque, but what if you looked at your current role and figured out how it supports the business objectives of the organization by adopting ESRM principles? Let’s look at just one of the above examples and try to adjust our perception.
You’re a security guard at a building, but can’t link your role to ESRM principles. You have regular tasks to complete: rounds to conduct, facilities to check, reports to write, incidents to report. From an ESRM perspective, what if you looked at your role as continually conducting risk assessments for the physical assets of the organization? What if you considered every tour of the facility as an opportunity to identify potential risks facing the organization, or to ensure that the physical assets the organization needs to operate are available and functioning properly? What if, instead of simply driving around the perimeter fence, you assessed the fence line from a risk perspective? What if you proactively reviewed that same fence line based on ESRM (what are the objectives, what assets do you have, what risks are facing the assets, what can you do to reduce the risk) and reported on potential vulnerabilities, not just its current state?
It seems like such a small change, but it’s a big step toward understanding and embracing ESRM principles and philosophies. These slight adjustments to our perception, to how we view our role as security professionals in an organization, begin the industry’s shift to ESRM. We shouldn’t wait for a new publication, standard, tool or certification to begin this journey — we can take small steps every day in our current roles and begin to see how our “tasks” can be looked at through the ESRM philosophy.
I’m not asking our industry to simply disregard our current mandates, and to not fulfill our contractual obligations to the organizations we serve. That’s not the point I’m trying to make — just the opposite. What I’m challenging security professionals to do, from this point forward, is continue providing their services, but begin seeing their daily tasks through an ESRM lens. This doesn’t involve rewriting contracts with companies or renegotiating job duties. It’s a subtle, practical and pragmatic approach to seeing our world through an ESRM perspective. We need to begin looking at our roles as if we are already engaged with the business, understand the assets required to achieve their objectives, and identify and help manage risks to these assets.
You don’t need to wait any longer — join me on this path in 2018.
Tim McCreight is the president of Risk Rebels Consulting Ltd. (www.riskrebels.com).