In the course of a security career that now stretches back decades, I’ve spoken with hundreds and hundreds of security practitioners. They were people in very different roles, with very different backgrounds, and at very different stages in their careers — everyone from chief security officers (CSOs) at Fortune 500 companies, to cybersecurity experts, to retired police officers managing physical security at manufacturing plants and warehouses. I’ve heard them talk about their experiences, their best practices, their satisfactions and their frustrations. I’ve learned something valuable from my conversations with every single one of those people, and I’ve distilled those lessons into a new, comprehensive approach to the theory and practice of security, called Enterprise Security Risk Management (ESRM).
I believe ESRM has the potential to completely transform the practice of security. ESRM principles can change the way we do our jobs, the way we see our roles and the way others see them, and the ways we protect our enterprises, their assets, and their employees. And ESRM can help us in our careers, by increasing our personal and professional satisfaction and by ensuring that security is seen — as it deserves to be — as a professional discipline.
I believe so deeply in ESRM that along with my longtime colleague Rachelle Loyear, I’ve written a book about it: Enterprise Security Risk Management: Concepts and Application, to be published by Rothstein Publishing in October. It’s why I speak about ESRM at industry conferences, offer presentations about it to boards of directors and senior executives, and write about it in industry publications. And it’s why I’ve created this blog, to act as a resource for security practitioners who want to advance the practice of security, to advance the way security is perceived and — of course — to advance their careers.
So what is ESRM, exactly?
ESRM is the practice of managing a security program through the use of risk principles. It’s a philosophy of management that can be applied to any area of security and any task that is performed by security, such as physical security, cybersecurity, information security, business continuity management and investigations.
Now, there’s nothing exactly new about any of the specific components that make up that definition. ESRM is based on long-established, internationally recognized risk management concepts and principles. But in the real world, those concepts and principles are almost never applied across the entire enterprise, comprehensively and holistically, to every aspect of the enterprise that’s impacted by security — which, as we all know, means every aspect of the enterprise. That’s what ESRM is designed to do.
ESRM changes the security function completely, transforming it from a set of tasks to a role.
When ESRM principles are applied, the security function changes completely — from a set of tasks, performed discretely, to a role. It’s no longer about checking IDs at entrance gates, or installing antivirus software, or trying to keep employees from stealing from retail stores. That doesn’t mean those functions aren’t important anymore. But it does mean that when they’re performed, they’re performed for a reason. ESRM means security decisions are made by the right person, with the right authority and accountability, and for the right reasons — reasons based on defined risk principles.
What does this mean in practice? In its simplest terms, it means that instead of just “doing security” the way we always have, we first ask ourselves some fundamental, and fundamentally important, questions. Here are a few of the most basic:
- “What’s the asset we need to protect?”
- “What’s the risk associated with that asset?”
- “Who’s responsible for that risk?”
- “How should we mitigate the risk, and how should we respond if the risk becomes a reality?”
Once we start asking ourselves, and others, those questions, the discrete security tasks we’ve been performing begin to make sense as part of a comprehensive security and risk management framework. We’re no longer just making sure the gates of the assembly plant are secure. We’re working toward an understanding of why they need to be kept secure, what’s inside the plant that needs to be protected, who will be impacted if our security measures fail, and what additional or different measures we might need to take. In other words, we know why we’re doing what we do, and that means we can do it better — a lot better.
Whatever your current role, whatever kind of enterprise you work for, wherever you want your career to take you, there are certain things I’m sure you want. You want to be able to do your job to the best of your abilities. You want to be seen as a problem-solver, not somebody who keeps other people from doing their jobs. You want to be seen as a partner by your peers in the business. And, of course, you want to be taken seriously as a professional, and you want security to be taken seriously as a profession.
ESRM is the key to achieving all these goals. In upcoming blog posts, I’ll be talking in far more detail about exactly who can benefit from ESRM principles, and how. But for now, I’ll leave you with a very simple, very important message: it’s not just the security practitioner who benefits. Yes, ESRM offers a path to personal and professional satisfaction to security professionals of all kinds. But it can also help your business partners across the enterprise. Just a few examples: the plant manager working to keep the supply chain up and running, the HR personnel trying to make sure the work environment is safe, and the corporate communications professional worrying about the enterprise’s reputation in the community.
Who can benefit from ESRM? Everyone.
The reality is, ESRM can benefit everyone, in every role, in every industry. And that’s why I’ve started this blog, to serve as an ESRM resource, and to maintain an ongoing dialogue about ESRM principles and practices. I hope to hear from you, and learn from you, soon.