Enterprise Security Risk Management
eBook - ePub

Enterprise Security Risk Management

Concepts and Applications

  1. 407 pages
  2. English
  3. ePUB (mobile friendly)
  4. Available on iOS & Android

About This Book

As a security professional, have you found that you and others in your company do not always define "security" the same way? Perhaps security interests and business interests have become misaligned. Brian Allen and Rachelle Loyear offer a new approach: Enterprise Security Risk Management (ESRM). By viewing security through a risk management lens, ESRM can help make you and your security program successful.

In their long-awaited book, based on years of practical experience and research, Brian Allen and Rachelle Loyear show you step-by-step how Enterprise Security Risk Management (ESRM) applies fundamental risk principles to manage all security risks. Whether the risks are informational, cyber, physical security, asset management, or business continuity, all are included in the holistic, all-encompassing ESRM approach which will move you from task-based to risk-based security.

  • How is ESRM familiar? As a security professional, you may already practice some of the components of ESRM. Many of the concepts – such as risk identification, risk transfer and acceptance, crisis management, and incident response – will be well known to you.
  • How is ESRM new? While many of the principles are familiar, the authors have identified few organizations that apply them in the comprehensive, holistic way that ESRM represents – and even fewer that communicate these principles effectively to key decision-makers.
  • How is ESRM practical? ESRM offers you a straightforward, realistic, actionable approach to deal effectively with all the distinct types of security risks facing you as a security practitioner. ESRM is performed in a life cycle of risk management including:
    • Asset assessment and prioritization.
    • Risk assessment and prioritization.
    • Risk treatment (mitigation).
    • Continuous improvement.

Throughout Enterprise Security Risk Management: Concepts and Applications, the authors give you the tools and materials that will help you advance in the security field, no matter if you are a student, a newcomer, or a seasoned professional. Included are realistic case studies, questions to help you assess your own security program, thought-provoking discussion questions, useful figures and tables, and references for your further reading.

By redefining how everyone thinks about the role of security in the enterprise, your security organization can focus on working in partnership with business leaders and other key stakeholders to identify and mitigate security risks. As you begin to use ESRM, following the instructions in this book, you will experience greater personal and professional satisfaction as a security professional – and you'll become a recognized and trusted partner in the business-critical effort of protecting your enterprise and all its assets.

Yes, you can access Enterprise Security Risk Management by Brian Allen, Rachelle Loyear, Kristen Noakes-Fry in PDF and/or ePUB format, as well as other popular books in Business & Insurance. We have over one million books available in our catalogue for you to explore.

Information

Year: 2017
ISBN: 9781944480424
Subtopic: Insurance
Part 1: Why Enterprise Security Risk Management (ESRM)?
In Part 1 of this book, we will discuss enterprise security risk management (ESRM) by exploring the definition of ESRM: what it is, what it is not, and how it differs from the security approaches that many, if not most, enterprises have in place today.
You will find out why ESRM is emerging as the answer to many of the most urgent problems security professionals face today, especially the frustrations they share with the business leaders of those enterprises they are tasked with securing. You will be prompted to think about what the success of your security program could look like when seen through a risk management lens. Finally, as you begin to use ESRM, you will experience personal and professional satisfaction as a security professional and become a recognized and trusted partner in the business-critical effort of protecting the enterprise and all of its assets.
In This Part:
What is Enterprise Security Risk Management (ESRM)?
How Can ESRM Help You?
How Can ESRM Help Your Security Program?
1 What is Enterprise Security Risk Management?
This book is about an approach to security that is familiar and yet new, philosophical and yet practical: enterprise security risk management (ESRM).
How is it familiar? As a security professional, you are probably already practicing some of the components of ESRM. Many of the concepts of ESRM – such as risk identification, risk transfer and acceptance, crisis management, and incident response – will be well-known to you.
How is it new? In our many years of experience in the security industry, we have found few enterprises and few security organizations that apply these familiar principles in the comprehensive, holistic way that ESRM represents, much less ones that communicate them effectively to key decision-makers.
How is it philosophical? ESRM redefines the thinking on the role of security in the enterprise, refocusing the security organization’s efforts to work in partnership with business leaders and other key stakeholders to identify and mitigate security risks.
How is it practical? ESRM offers a straightforward, realistic, actionable approach to deal effectively with all the distinct types of security risks facing the security practitioner today.
This chapter will help you to:
• Define ESRM.
• Understand why ESRM is important both for your security program and for the entire security profession.
• Explain how ESRM is different from enterprise risk management (ERM) and why your organization needs both.
1.1 ESRM Defined
We will discuss the meaning and implications of ESRM in depth throughout this book, but first a simple, straightforward definition of the term:
Enterprise security risk management is the application of fundamental risk principles to manage all security risks – whether related to information, cyber, physical security, asset management, or business continuity – in a comprehensive, holistic, all-encompassing approach.
There are three key factors to that definition: enterprise, security risk, and risk principles.
1.1.1 Enterprise
In this book, we use enterprise in the broadest sense of the meaning – a business, organization, or company. That can include:
• Public organizations (municipal, state, and federal).
• Privately held companies.
• Not-for-profit organizations that provide goods, services, or other non-profit activities.
• Stockholder controlled corporations.
When we talk about business, organization, company, or any other similar term in this book, we mean any or all of the enterprises above.
1.1.2 Security Risk
Risk is a very broad term, but ESRM deals specifically with security risk. When we say “security risk,” we mean anything that threatens harm to the enterprise: its mission, its employees, customers, or partners, its operations, its reputation – anything at all. That could be:
• A troubled employee with a gun.
• An approaching hurricane.
• A computer hacker in another country.
• A dissatisfied customer with access to a social media account and a wide audience.
Security risks take many different forms, and new ones are being introduced all the time. Recognizing those risks, making them known to the enterprise, and helping your enterprise business leaders mitigate them is central to the ESRM philosophy.
1.1.3 Risk Principles
The definition of ESRM states that risks are managed through fundamental risk principles. For that, we will reference an existing body of knowledge on how to manage all types of risk, and then apply it specifically to the security area.
The International Organization for Standardization, in ISO Standard 31000:2009 – Risk Management: Principles and Guidelines, and the American National Standards Institute, in Principles of Risk Assessment, both outline similar, highly effective standards for risk management. A few examples of key principles from the ISO Standard 31000 (2009) are that risk management should:
• Be part of a holistic decision-making process.
• Be transparent and inclusive.
• Be dynamic, iterative, and responsive to change.
• Be capable of continual improvement and enhancement.
These are just a few points from the standard. The entire standard is quite comprehensive and we will describe more from this risk standard and others throughout this book to show you how to apply these fundamental principles of risk management.
On the surface, the definition of ESRM may sound like what you and your security organization are already doing. In fact, we have heard many people say, on first hearing of ESRM, “I already do that.” But while you are probably already doing some parts of the overall ESRM practice, as you read further you will see how ESRM practiced holistically, according to this definition, is a major departure from traditional, “conventional” security.
Questions for the Security Practitioner
• “What kind of security risks have the potential to cause harm to my enterprise?”
• “Would my manager or the employees who report to me define managing risks the same way I do? What about other leaders in my organization?”
1.2 ESRM Overview
We will get into significant detail about all aspects of ESRM in further chapters. But first, we will take a brief look at the mission and goals of an ESRM program, the steps of the ESRM life cycle, and the role of the security practitioner in an ESRM security program.
1.2.1 ESRM Mission and Goals
To truly succeed, every department of an enterprise needs to fully understand why it exists, and what it does or needs to do for the enterprise it operates within. Security is no exception. Sometimes, as security professionals, we forget to think of our department as a business function, but it certainly is. ESRM, with its risk-based approach, provides a simple, effective way to frame the business mission and goals of the security organization – for ourselves as security practitioners, for the people in our security organizations working to achieve those goals, and for business leaders.
In 2015, ASIS International’s CSO Roundtable group (of which one of us – Brian – was a member at the time) published an early description of ESRM. In their report, the group offered a clear description of the mission and goals of ESRM:
• The mission of ESRM is to identify, evaluate and mitigate the impact of security risks to the business, with prioritized protective activities that enable the business to advance its overall mission.
• The goal of ESRM is to engage with the business to establish organizational policies, standards, and procedures that identify and manage security risks to the enterprise. (Beheri, A., 2015).
When you embrace the ESRM philosophy, the organization you are tasked with protecting will help you identify what they care about and need protected. Then you will be able to assist them, provide input for them, and enable them to make the right decisions to protect their assets and functions. Ensuring that the organization understands that it is in their best interest to partner with security in identifying and mitigating risks is central to ESRM – and to your success as a security practitioner. The process of building that understanding and partnership is a topic that we will keep returning to throughout this book.
1.2.2 ESRM Life Cycle – A Quick Look
ESRM is a cyclical program. Once begun, the cycle of risk management is ongoing, as seen in Figure 1-1. In Part 2 of the book, you will learn more about each of the steps.
1. Identify and Prioritize Assets – Identifying, understanding, and prioritizing the assets of an organization that need protection.
2. Identify and Prioritize Risks – Identifying, understanding, and prioritizing the security threats the enterprise and its assets face – both existing and emerging – and, critically, the risks associated with those threats.
3. Mitigate Prioritized Risks – Taking the necessary, appropriate, and realistic steps to protect against the most serious security threats and risks.
4. Improve and Advance – Conducting incident monitoring, incident response, and post-incident review; learning from both successes and failures; and applying the lessons learned to advance the program.
Figure 1-1. The Phases of the ESRM Life Cycle
1.2.3 Your Role in ESRM
Simply put, the role of the security practitioner – your role – in ESRM is to manage security risks. Those three words do encompass some more involved concepts, and that is what you will explore over the course of this book. But, ultimately, everything that the security practitioner, manager, executive, and department does in an ESRM paradigm is done to manage risks to the enterprise, in partnership with department or group leaders who are the stakeholders regarding those risks.
You will notice that we focus strongly on the role of the security practitioner as a manager of risk in all our discussions. That is because, so often, security is not viewed as an enterprise partner, risk manager, and enabler of business operations, but is, instead, viewed as enforcer, rule-maker, task-doer, and (sadly) at times an obstruction to getting things done. In the next few chapters, we will talk about why that is and how ESRM can help you change that view in your enterprise. For now, the key thing to remember is that the role of security in ESRM is to manage security risk.
Questions for the Security Practitioner
• “If I asked my manager or department executive what the role of security is, what answer would I likely receive?”
• “Do I know all of the important assets that need to be protected for my enterprise to accomplish i...

Table of contents

  1. Cover
  2. Title page
  3. Copyright
  4. Dedication
  5. Acknowledgments
  6. Foreword
  7. Table of Contents
  8. Part 1: Why Enterprise Security Risk Management (ESRM)?
  9. Part 2: The Fundamentals of ESRM
  10. Part 3: Designing a Program That Works for Your Enterprise
  11. Part 4: Making ESRM Work for Your Organization
  12. Part 5: An ESRM Approach to Tactical Security Disciplines
  13. Part 6: ESRM Program Performance and Evaluation
  14. Credits
  15. About the Authors