36 COVER STORY | BY BRIAN J. ALLEN, CPP

Enterprise security risk management will raise the profile of security from a task-bound trade to one of the key business drivers in the C-suite. 37 SEP 2017 | SECURITY MANAGEMENT

UNTIL RECENTLY, security has been considered a trade, with practitioners fighting for proper standing in the institutions they protect. But the industry is now at a crossroads. Before us lie two paths. One is a continu- ation of the status quo. We may continue to glide down this road, but it is not a self-de- termined path. It has been chosen for us because we have not clearly defined secu- rity’s role. Given this failure to self-define, security has traditionally been defined by others by the task it performs, such as information security, investigations, phys- ical security, or executive protection. This type of definition diminishes the value of the security function; our role is more than just our allocated tasks. The second road is one of self-determina- tion and opportunity. It offers a chance for the industry to advance from a trade to a fully respected profession. On this road, we can take control of the dialogue, shape the conversation surrounding our field, and make our own way forward. As an indus- try—with ASIS taking the lead—we can keep advancing until security is considered a profession. How can we advance on this second road? First we need a clear definition of the role of security in the private sector. We also need a core base of knowledge that supports our understanding of that role, which can be taught—not only to college students, but to transitioning personnel coming into our industry and to our hiring managers. There also needs to be an estab- lished expectation that practitioners will share this knowledge of security’s role and the core competencies associated with it. CRACKEN ASIS International has already started c defining this role through the concept of enterprise security risk management (ESRM). With its embrace of ESRM, ASIS has positioned our industry to travel down the road of opportunity and self-determi- nation, with ESRM as the guiding principle

to help chart our course. M STEVE BY ILLUSTRATIONS 1010110100101110101010010100101 10101101001011101010100101 1010110100101110101010010100101 1010110100101110101010010100101 1010110100101110101010010100101 10101101001011101010100 1010110100101110101010010100101 10100101 1010110100101111010110100101110101010010100101 0101010010100101 00101 1010110100101110 1010110100101110101010010100101 38 10101101001011101010100101 1010110100101110101010010100101 1010110100101110101010010100101 1010110100101110101010010100101 10101101001011101010100 1010110100101110101010010100101 10100101 10101101001 1010110100101110101010010100101 10101101001011101010100101 1010110100101110101010010100101 1010110100101110101010010100101COVER STORY | BY1010110100101110101010010100101 BRIAN J. ALLEN, CPP 10101101001011101010100 1010110100101110101010010100101 10100101 1010110100101111010110100101110101010010100101 0101010010100101 00101 1010110100101110101010010100101 101011 1010110100101110101010010100101 1010110100101110101010010100101 1010110100101110101010010100101 10101101001011101010100 1010110100101110101010010100101 10100101 1010110100101111010110100101110101010010100101 0101010010100101 01001011101010100 1010110100101110101010010100101 10100101 1010110100101111010110100101110101010010100101 0101010010100101 01111010110100101110101010010100101 0101010010100101 00101 1010110100101110101010010100101 101011 1010110100101110101010010100101 1010110100101110101010010100101 1010110100101110101010010100101 10101101001011101010100 1010110100101110101010010100101 10100101 1010110100101111010110100101110101010010100101 0101010010100101 01001011101010100 1010110100101110101010010100101 10100101 1010110100101111010110100101110101010010100101 0101010010100101 101010010100101 101011 1010110100101110101010010100101 1010110100101110101010010100101 1010110100101110101010010100101 10101101001011101010100 1010110100101110101010010100101 10100101 101011010010111101011010010111010101 0010100101 0101010010100101Not everyone 01001011101010100 in the industry is ready1010110100101110101010010100101 When pursued, these 10100101 questions 1010110 elicit Business 100101111010110100101110101010010100101 0101010010100101 1010110100101110101010010100101 10101101001011101010100101 1010110100101110101010010100101 1010110100101110101010010100101 1010110100101110101010010100101for this journey, however. 10101101001011101010100 For some 1010110100101110101010010100101valuable information, and they can be 10100101 1010110100101111010110100101110101010010100101 0101010010100101 00101 1010110100101110101010010100101 101011 1010110100101110101010010100101 1010110100101110101010010100101 1010110100101110101010010100101who may have heard 10101101001011101010100 of the concept but 1010110100101110101010010100101asked of every security-related task. executives in all 10100101 1010110100101111010110100101110101010010100101 0101010010100101 01001011101010100 1010110100101110101010010100101 10100101 1010110100101111010110100101110101010010100101 0101010010100101still 1010110100101110101010010100101 find it vague, questions remain. 10101101001011101010100101 For instance, investigations, forensics, 1010110100101110101010010100101 1010110100101110101010010100101 1010110100101110101010010100101 10101101001011101010100 1010110100101110101010010100101 10100101 101011010010111101011010010111010101 0010100101 0101010010100101Primarily: What 00101 exactly 1010110100101110 is ESRM and 1010110100101110101010010100101 and crisis management are all different fields understand10101101001011101010100101 1010110100101110101010010100101 1010110100101110101010010100101 1010110100101110101010010100101 10101101001011101010100 1010110100101110101010010100101 10100101 10101101001 1010110100101110101010010100101why is it needed? 10101101001011101010100101security functions,1010110100101110101010010100101 but when they are risk; they make risk 1010110100101110101010010100101 1010110100101110101010010100101 10101101001011101010100 1010110100101110101010010100101 10100101 1010110100101111010110100101110101010010100101 0101010010100101 discussed within the ESRM framework they are simply different types of inci- decisions every day. dent response. What is ESRM? Similarly, every function of physi- At its core, ESRM is the practice of man- cal and information security, such as aging a security program through the password and access management, use of risk principles. It’s a philosophy encryption, and CCTV, is simply con- defining the role through risk princi- of management that can be applied to sidered a mitigation effort within the ples, it better positions the security any area of security and any task that is ESRM paradigm. These may seem to be function within the business world at performed by security, such as physical, merely semantic differences, but they large. Business executives in all fields cyber, information, and investigations. are important nuances. When we define understand risk; they make risk deci- The practice of ESRM is guided by these functions within the ESRM para- sions every day. Using ESRM principles long-standing internationally estab- digm, we also start to define the role we to guide our practice solidifies our lished risk management principles. play in the overall enterprise. place within the language of business These principles consist of fundamental ESRM elevates the level at which the while also defining the role we play concepts: What’s the asset? What’s role of security management is defined. within the business. the risk? How should you mitigate that Instead of defining this role at task For example, consider a company risk? How should you respond if a risk level, it defines the role at the higher, with a warehouse and a server. In becomes realized? What is your process overarching level of risk management. the warehouse, security is protecting for recovering from an event if a breach By raising the level of security’s role, widgets and in the server, security is happens? Collectively, these principles ESRM brings it closer to the C-suite, protecting data. Under the common risk form a thoughtful paradigm that guides where executives are considering much principles, we ask: What are the risks to the risk management thought process. more than individual tasks. And by the widgets and data? How would we protect against those risks? Who owns the widgets, and who owns the data? We may decide to put access con- trol and alarms on the warehouse or a password and encryption on the data. In both instances, we’re protecting against intrusion. The goal is the same— protection. For each task, the skill set is different, just like skill sets differ in any other aspect of security: investigations, disaster response, information technol- ogy. But the risk paradigm is the same for each.

Why We Need It We need ESRM to move beyond the tasks that security managers and their teams are assigned. For instance, if you manage physical security, your team is the physical security team. If you do investigations, you are an investigator. If you manage information security, your team is the information security team. 1010110100101110101010010100101 10101101001011101010100101 1010110100101110101010010100101 1010110100101110101010010100101 1010110100101110101010010100101 10101101001011101010100 1010110100101110101010010100101 10100101 1010110100101111010110100101110101010010100101 0101010010100101 00101 1010110100101110 1010110100101110101010010100101 10101101001011101010100101 1010110100101110101010010100101 1010110100101110101010010100101 1010110100101110101010010100101 10101101001011101010100 1010110100101110101010010100101 10100101 10101101001 1010110100101110101010010100101 10101101001011101010100101 1010110100101110101010010100101 1010110100101110101010010100101 1010110100101110101010010100101 10101101001011101010100 1010110100101110101010010100101 10100101 1010110100101111010110100101110101010010100101 0101010010100101 00101 1010110100101110101010010100101 101011 1010110100101110101010010100101 1010110100101110101010010100101 1010110100101110101010010100101 10101101001011101010100 1010110100101110101010010100101 10100101 1010110100101111010110100101110101010010100101 0101010010100101 01001011101010100 1010110100101110101010010100101 10100101 1010110100101111010110100101110101010010100101 0101010010100101 01111010110100101110101010010100101 0101010010100101 00101 1010110100101110101010010100101 101011 1010110100101110101010010100101 1010110100101110101010010100101 1010110100101110101010010100101 10101101001011101010100 1010110100101110101010010100101 10100101 1010110100101111010110100101110101010010100101 0101010010100101 01001011101010100 1010110100101110101010010100101 10100101 1010110100101111010110100101110101010010100101 0101010010100101 101010010100101 101011 1010110100101110101010010100101 1010110100101110101010010100101 1010110100101110101010010100101 10101101001011101010100 1010110100101110101010010100101 10100101 101011010010111101011010010111010101 0010100101 0101010010100101 01001011101010100 1010110100101110101010010100101 10100101 1010110 100101111010110100101110101010010100101 0101010010100101 1010110100101110101010010100101 10101101001011101010100101 1010110100101110101010010100101 1010110100101110101010010100101 1010110100101110101010010100101 10101101001011101010100 1010110100101110101010010100101 10100101 1010110100101111010110100101110101010010100101 0101010010100101 00101 1010110100101110101010010100101 101011 1010110100101110101010010100101 1010110100101110101010010100101 1010110100101110101010010100101 10101101001011101010100 1010110100101110101010010100101 10100101 1010110100101111010110100101110101010010100101 0101010010100101 01001011101010100 1010110100101110101010010100101 10100101 1010110100101111010110100101110101010010100101 0101010010100101 1010110100101110101010010100101 10101101001011101010100101 1010110100101110101010010100101 1010110100101110101010010100101 1010110100101110101010010100101 10101101001011101010100 1010110100101110101010010100101 10100101 101011010010111101011010010111010101 0010100101 0101010010100101 00101 1010110100101110 1010110100101110101010010100101 10101101001011101010100101 1010110100101110101010010100101 1010110100101110101010010100101 1010110100101110101010010100101 10101101001011101010100 1010110100101110101010010100101 10100101 10101101001 1010110100101110101010010100101 10101101001011101010100101 1010110100101110101010010100101 1010110100101110101010010100101 1010110100101110101010010100101 10101101001011101010100 1010110100101110101010010100101 10100101 1010110100101111010110100101110101010010100101 0101010010100101 1010110100101110101010010100101 10101101001011101010100101 1010110100101110101010010100101 1010110100101110101010010100101 1010110100101110101010010100101 10101101001011101010100 1010110100101110101010010100101 10100101 1010110100101111010110100101110101010010100101 0101010010100101 00101 1010110100101110 1010110100101110101010010100101 40 10101101001011101010100101 1010110100101110101010010100101 1010110100101110101010010100101 1010110100101110101010010100101 10101101001011101010100 1010110100101110101010010100101 10100101 10101101001 1010110100101110101010010100101 10101101001011101010100101 1010110100101110101010010100101 1010110100101110101010010100101COVER STORY | BY1010110100101110101010010100101 BRIAN J. ALLEN, CPP 10101101001011101010100 1010110100101110101010010100101 10100101 1010110100101111010110100101110101010010100101 0101010010100101 00101 1010110100101110101010010100101 101011 1010110100101110101010010100101 1010110100101110101010010100101 1010110100101110101010010100101 10101101001011101010100 1010110100101110101010010100101 10100101 1010110100101111010110100101110101010010100101 0101010010100101 01001011101010100 1010110100101110101010010100101 10100101 1010110100101111010110100101110101010010100101 0101010010100101 01111010110100101110101010010100101 0101010010100101 00101 1010110100101110101010010100101 101011 1010110100101110101010010100101 1010110100101110101010010100101 1010110100101110101010010100101 10101101001011101010100 1010110100101110101010010100101 10100101 1010110100101111010110100101110101010010100101 0101010010100101 01001011101010100 1010110100101110101010010100101 10100101 1010110100101111010110100101110101010010100101 0101010010100101 101010010100101 101011 1010110100101110101010010100101 1010110100101110101010010100101 1010110100101110101010010100101 10101101001011101010100 1010110100101110101010010100101 10100101 101011010010111101011010010111010101 0010100101 0101010010100101But these tasks 01001011101010100 merely define the1010110100101110101010010100101 First, it preempts others 10100101 from defining 1010110100101111010110100101110101010010100101 expressed in some of our own conver 0101010010100101- 1010110100101110101010010100101 10101101001011101010100101 1010110100101110101010010100101 1010110100101110101010010100101 1010110100101110101010010100101 10101101001011101010100scope of responsibility.1010110100101110101010010100101 Our roles are 10100101our role 1010110100101111010110100101110101010010100101 for us in a way that fails to sations about 0101010010100101 needing a proverbial 00101 seat 1010110100101110101010010100101 101011 1010110100101110101010010100101 1010110100101110101010010100101 1010110100101110101010010100101 10101101001011101010100 1010110100101110101010010100101broader than our 10100101assigned 1010110100101111010110100101110101010010100101 tasks. Our adequately capture and communicate 0101010010100101 at the 01001011101010100 table. In one sense, 1010110100101110101010010100101 this exclusion 10100101 1010110100101111010110100101110101010010100101 0101010010100101 1010110100101110101010010100101 10101101001011101010100101 1010110100101110101010010100101 1010110100101110101010010100101responsibilities 1010110100101110101010010100101should be viewed not our 10101101001011101010100 value. 1010110100101110101010010100101may seem justified: 10100101 if 1010110100101111010110100101110101010010100101 we can’t define 0101010010100101 00101 1010110100101110 1010110100101110101010010100101 10101101001011101010100101 1010110100101110101010010100101 1010110100101110101010010100101 1010110100101110101010010100101as standalone tasks, 10101101001011101010100 but as related 1010110100101110101010010100101Second, it helps better position 10100101 10101101001our 1010110100101110101010010100101 role beyond describing our tasks, 10101101001011101010100101 1010110100101110101010010100101 1010110100101110101010010100101 1010110100101110101010010100101 10101101001011101010100 1010110100101110101010010100101 10100101 101011010010111101 0110100101110101010010100101components 0101010010100101within our roles as00101 secu 1010110100101110101010010100101- ourselves in the C-suite. 101011 C-level 1010110100101110101010010100101 execu- why would upper 1010110100101110101010010100101 management charge 1010110100101110101010010100101 10101101001011101010100 1010110100101110101010010100101 10100101 1010110100101111010110100101110101010010100101 0101010010100101 01001011101010100 rity risk managers. tives often struggle with what security us with higher-level leadership and Having a clear, consistent, self-de- managers do, and where to align us. strategy? fined role provides significant benefits. This is often reflected in the frustrations Third, it provides guidance to our industry. Greater use of ESRM will pro- vide an always-maturing common base of knowledge, with consistent terms of use and clear expectations for success. This benefits not only practitioners in our industry, but also all other exec- utives who may need to interact with the security practice or work with the security manager. This can be especially valuable during times of change, such ASIS has started to lead the effort of defining security’s role through ESRM.

as when a security manager switches companies or industries, or when new executives come into the security man- ager’s firm. In those situations, security managers often feel that they are continually edu- cating others on what they do. But this endless starting over process wouldn’t be necessary if there were a common OUTSMART CRIME understanding of what security’s role is, beyond the scope of its responsibilities. Building a successful risk assessment Why Now? starts with a solid foundation. This industry at large has talked about ESRM for at least the last 10 years. But Visit our Need to assess risk at one or all of your locations? as relevant as the topic was a few years booth #3422 to discover why CAP Index information is the missing ago, the present moment is the right piece you need to assess and mitigate your organization’s risk. moment for ESRM because security risks now have the potential to become more 800.227.7475 | capindex.com disruptive to business than in the past. LEGO® is a trademark of the LEGO Group of companies, which does not sponsor, authorize, or endorse CAP Index, Inc. There are several reasons for this. The use of technology in the current See us at ASIS Booth 3433 For product info #22 securitymgmt.hotims.com 1010110100101110101010010100101 10101101001011101010100101 1010110100101110101010010100101 1010110100101110101010010100101 1010110100101110101010010100101 10101101001011101010100 1010110100101110101010010100101 10100101 1010110100101111010110100101110101010010100101 0101010010100101 00101 1010110100101110 1010110100101110101010010100101 10101101001011101010100101 1010110100101110101010010100101 1010110100101110101010010100101 1010110100101110101010010100101 10101101001011101010100 1010110100101110101010010100101 10100101 10101101001 1010110100101110101010010100101 10101101001011101010100101 1010110100101110101010010100101 1010110100101110101010010100101 1010110100101110101010010100101 10101101001011101010100 1010110100101110101010010100101 10100101 1010110100101111010110100101110101010010100101 0101010010100101 00101 1010110100101110101010010100101 101011 1010110100101110101010010100101 1010110100101110101010010100101 1010110100101110101010010100101 10101101001011101010100 1010110100101110101010010100101 10100101 1010110100101111010110100101110101010010100101 0101010010100101 01001011101010100 1010110100101110101010010100101 10100101 1010110100101111010110100101110101010010100101 0101010010100101 01111010110100101110101010010100101 0101010010100101 00101 1010110100101110101010010100101 101011 1010110100101110101010010100101 1010110100101110101010010100101 1010110100101110101010010100101 10101101001011101010100 1010110100101110101010010100101 10100101 1010110100101111010110100101110101010010100101 0101010010100101 01001011101010100 1010110100101110101010010100101 10100101 1010110100101111010110100101110101010010100101 0101010010100101 101010010100101 101011 1010110100101110101010010100101 1010110100101110101010010100101 1010110100101110101010010100101 10101101001011101010100 1010110100101110101010010100101 10100101 101011010010111101011010010111010101 0010100101 0101010010100101 01001011101010100 1010110100101110101010010100101 10100101 1010110100101111010110100101110101010010100101 0101010010100101 1010110100101110101010010100101 10101101001011101010100101 1010110100101110101010010100101 1010110100101110101010010100101 1010110100101110101010010100101 10101101001011101010100 1010110100101110101010010100101 10100101 1010110100101111010110100101110101010010100101 0101010010100101 00101 1010110100101110101010010100101 101011 1010110100101110101010010100101 1010110100101110101010010100101 1010110100101110101010010100101 10101101001011101010100 1010110100101110101010010100101 10100101 1010110100101111010110100101110101010010100101 0101010010100101 01001011101010100 1010110100101110101010010100101 10100101 1010110100101111010110100101110101010010100101 0101010010100101 1010110100101110101010010100101 10101101001011101010100101 1010110100101110101010010100101 1010110100101110101010010100101 1010110100101110101010010100101 10101101001011101010100 1010110100101110101010010100101 10100101 1010110100101111010110100101110101010010100101 0101010010100101 00101 1010110100101110 1010110100101110101010010100101 10101101001011101010100101 1010110100101110101010010100101 1010110100101110101010010100101 1010110100101110101010010100101 10101101001011101010100 1010110100101110101010010100101 10100101 10101101001 1010110100101110101010010100101 10101101001011101010100101 1010110100101110101010010100101 1010110100101110101010010100101 1010110100101110101010010100101 10101101001011101010100 1010110100101110101010010100101 10100101 101011010010111101 0110100101110101010010100101 0101010010100101 00101 1010110100101110101010010100101 101011 1010110100101110101010010100101 1010110100101110101010010100101 1010110100101110101010010100101 10101101001011101010100 1010110100101110101010010100101 10100101 1010110100101111010110100101110101010010100101 0101010010100101 01001011101010100 1010110100101110101010010100101 10101101001011101010100101 1010110100101110101010010100101 1010110100101110101010010100101 1010110100101110101010010100101 10101101001011101010100 1010110100101110101010010100101 10100101 1010110100101111010110100101110101010010100101 0101010010100101 00101 1010110100101110 1010110100101110101010010100101 42 10101101001011101010100101 1010110100101110101010010100101 1010110100101110101010010100101 1010110100101110101010010100101 10101101001011101010100 1010110100101110101010010100101 10100101 10101101001 1010110100101110101010010100101 10101101001011101010100101 1010110100101110101010010100101 1010110100101110101010010100101COVER STORY | BY1010110100101110101010010100101 BRIAN J. ALLEN, CPP 10101101001011101010100 1010110100101110101010010100101 10100101 1010110100101111010110100101110101010010100101 0101010010100101 00101 1010110100101110101010010100101 101011 1010110100101110101010010100101 1010110100101110101010010100101 1010110100101110101010010100101 10101101001011101010100 1010110100101110101010010100101 10100101 1010110100101111010110100101110101010010100101 0101010010100101 01001011101010100 1010110100101110101010010100101 10100101 1010110100101111010110100101110101010010100101 0101010010100101 01111010110100101110101010010100101 0101010010100101 00101 1010110100101110101010010100101 101011 1010110100101110101010010100101 1010110100101110101010010100101 1010110100101110101010010100101 10101101001011101010100 1010110100101110101010010100101 10100101 1010110100101111010110100101110101010010100101 0101010010100101 01001011101010100 1010110100101110101010010100101 10100101 1010110100101111010110100101110101010010100101 0101010010100101 101010010100101 101011 1010110100101110101010010100101 1010110100101110101010010100101 1010110100101110101010010100101 10101101001011101010100 1010110100101110101010010100101 10100101 101011010010111101011010010111010101 0010100101 0101010010100101economy has allowed 01001011101010100 businesses to1010110100101110101010010100101 cen- landscape to the Internet 10100101 of Things 1010110100101111010110100101110101010010100101 (IoT) engaged, which means that senior man 0101010010100101- 1010110100101110101010010100101 10101101001011101010100101 1010110100101110101010010100101 1010110100101110101010010100101 1010110100101110101010010100101 10101101001011101010100tralize operations 1010110100101110101010010100101 and practices. While 10100101have the 1010110100101111010110100101110101010010100101 potential to cause more harm agement must 0101010010100101 also become engaged, 00101 1010110100101110101010010100101 101011 1010110100101110101010010100101 1010110100101110101010010100101 1010110100101110101010010100101 10101101001011101010100 1010110100101110101010010100101this consolidation 10100101 may have 1010110100101111010110100101110101010010100101 increased to businesses compared with the 0101010010100101 nega- and someone 01001011101010100 will have to 1010110100101110101010010100101 step in and fill 10100101 1010110100101111010110100101110101010010100101 0101010010100101 1010110100101110101010010100101 10101101001011101010100101 1010110100101110101010010100101 1010110100101110101010010100101efficiency, it has 1010110100101110101010010100101 also made those cen- tive 10101101001011101010100 effects they suffered 1010110100101110101010010100101in the past due that gap. That 10100101 could be 1010110100101111010110100101110101010010100101 a chief risk offi- 0101010010100101 00101 1010110100101110 1010110100101110101010010100101 10101101001011101010100101 1010110100101110101010010100101 1010110100101110101010010100101 1010110100101110101010010100101tralized operations 10101101001011101010100 more susceptible to 1010110100101110101010010100101 to loss of information. 10100101 10101101001cer, 1010110100101110101010010100101 a board-level committee, an internal10101101001011101010100101 1010110100101110101010010100101 1010110100101110101010010100101 1010110100101110101010010100101 10101101001011101010100 1010110100101110101010010100101 10100101 101011010010111101 0110100101110101010010100101disruption. When 0101010010100101 operations were 00101 more 1010110100101110101010010100101 Many executives understand 101011 1010110100101110101010010100101 the audit unit…or security. 1010110100101110101010010100101 Hopefully, it will 1010110100101110101010010100101 10101101001011101010100 1010110100101110101010010100101 10100101 1010110100101111010110100101110101010010100101 0101010010100101 01001011101010100 geographically dispersed, vulnerabil- significance of these risks, and they are be the latter, but to step up and meet ities were more spread out. Now, the looking for answers beyond the typical this challenge, security professionals concentrated risks may have a more siloed approach to security, in which must be able to consistently define their serious negative impact to the business. physical security and information secu- role beyond simply defining their tasks. We are also moving beyond tradi- rity are separately pursued. They realize tional information security and the that the rising cyber risks, in tandem protection of digitalized data. Now, with the increasing centralization of cybersecurity risks pose threats of business operations, have caused a gap Making the Transition greater business disruption. For in security that needs to be closed. What we need is a roadmap toward example, the threats within the cyber Boards are also becoming more professionalization.

1010110100101110101010010100101 10101101001011101010100101 1010110100101110101010010100101 1010110100101110101010010100101 1010110100101110101010010100101 10101101001011101010100 1010110100101110101010010100101 10100101 1010110100101111010110100101110101010010100101 0101010010100101 00101 1010110100101110 1010110100101110101010010100101 10101101001011101010100101 1010110100101110101010010100101 1010110100101110101010010100101 1010110100101110101010010100101 10101101001011101010100 1010110100101110101010010100101 10100101 10101101001 1010110100101110101010010100101 10101101001011101010100101 1010110100101110101010010100101 1010110100101110101010010100101a greater level of success 1010110100101110101010010100101monitoring, incident 10101101001011101010100 1010110100101110101010010100101 10100101 1010110100101111010110100101110101010010100101 0101010010100101 00101 1010110100101110101010010100101 101011 Five Insights on ESRM 1010110100101110101010010100101because security leaders 1010110100101110101010010100101response, and post–inci- 1010110100101110101010010100101 10101101001011101010100 1010110100101110101010010100101 10100101 1010110100101111010110100101110101010010100101 0101010010100101 01001011101010100 By Rachelle Loyear and Brian Allen, CPP 1010110100101110101010010100101are delivering only what the 10100101dent 1010110100101111010110100101110101010010100101 review, and apply 0101010010100101 01111010110100101110101010010100101 0101010010100101 00101 1010110100101110101010010100101 101011 1010110100101110101010010100101 1010110100101110101010010100101business needs, and, more 1010110100101110101010010100101the lessons learned to 10101101001011101010100 1010110100101110101010010100101 10100101 1010110100101111010110100101110101010010100101 0101010010100101 01001011101010100 HERE ARE FIVE overall concepts that provide 1010110100101110101010010100101important, what the C-suite 10100101advance 1010110100101111010110100101110101010010100101 the program. 0101010010100101 101010010100101 101011 1010110100101110101010010100101 1010110100101110101010010100101 1010110100101110101010010100101 Tguidance about the nature of enterprise security risk 10101101001011101010100understands that it needs. 1010110100101110101010010100101 10100101 1010110100101111010110100101110101010010100 101 0101010010100101 01001011101010100 1010110100101110101010010100101 10100101 management (ESRM). These concepts describe what 1010110100101111010110100101110101010010100101ESRM Aligns 0101010010100101 with the 1010110100101110101010010100101 10101101001011101010100101 1010110100101110101010010100101 ESRM is, what it can do for security managers, how 1010110100101110101010010100101ESRM Is a Process 1010110100101110101010010100101Business 10101101001011101010100 1010110100101110101010010100101 10100101 101011010010111101011010010111010101 0010100101 security can gain C-suite approval for it, and how to 0101010010100101ESRM is not merely 00101 an1010110100101110101010010100101 aca- Aligning the security 101011pro- 1010110100101110101010010100101 1010110100101110101010010100101 1010110100101110101010010100101 implement a vibrant ESRM program for the enterprise. 10101101001011101010100demic philosophy. A 1010110100101110101010010100101general gram with business require 10100101- 1010110100101111010110100101110101010010100 101 0101010010100101 01001011101010100 1010110100101110101010010100101 10100101 1010110100101111010110100101110101010010100101approach for setting up and ments is the 0101010010100101 most critical 1010110100101110101010010100101 10101101001011101010100101 1010110100101110101010010100101 1010110100101110101010010100101ESRM Is a Philosophy 1010110100101110101010010100101what the business 10101101001011101010100 deems running 1010110100101110101010010100101 a security program component 10100101 1010110100101111010110100101110101010010100101of the ESRM 0101010010100101 00101 1010110100101110 1010110100101110101010010100101 10101101001011101010100101 1010110100101110101010010100101ESRM is not a standard, 1010110100101110101010010100101 nor critical for risk mitigation,1010110100101110101010010100101 can be derived 10101101001011101010100 from it. philosophy. 1010110100101110101010010100101 This means that 10100101 10101101001 1010110100101110101010010100101 10101101001011101010100101 1010110100101110101010010100101is it a rigid set of 1010110100101110101010010100101 rules to and what level 1010110100101110101010010100101of risk the Under that approach, 10101101001011101010100 ESRM the security1010110100101110101010010100101 program must 10100101 1010110100101111010110100101110101 010010100101 0101010010100101 00101 1010110100101110101010010100101 101011 1010110100101110101010010100101follow. ESRM is a 1010110100101110101010010100101 philoso- business is willing 1010110100101110101010010100101 to accept in action is a cyclical10101101001011101010100 pro- receive 1010110100101110101010010100101 governance and 10100101 1010110100101111010110100101110101010 010100101 0101010010100101 01001011101010100 1010110100101110101010010100101 10100101 1010110100101111010110100101110101010010100101phy of managing security. in different 0101010010100101 areas. This 01111010110100101110101010010100101gram, and the cycle of risk 0101010010100101 guidance 00101from 1010110100101110101010010100101the business. 101011 1010110100101110101010010100101 1010110100101110101010010100101 It is based on standard risk ability also requires that the management is ongoing: We recommend the forma- management practices, the business fully understand tion of a security council to same ones that guide most why the security risk mitiga- 1. Identify and prioritize ensure this alignment. of the other business deci- tion tactics have been put in the assets of an organi- There are several ways sions made by the enter- place, and what the impact zation that need to be to implement a council. It prise. It requires partnership of not having those mitiga- protected. could be a loose, informal with the business leaders in tions might be. 2. Identify and prioritize group that provides input the organization. The emphasis here is on the security threats that as needed, or it could be a This philosophy gives the business. ESRM philosophy the enterprise and its board-level initiative that security leader the ability recognizes that security risk assets face—both exist- has formal roles, meetings, to manage security risks. does not belong to security. ing and emerging—and charters, and documented This ability is not based on It is a business risk, like any the risks associated with responsibilities for ensuring the latest incident or scare other financial, operational, those threats. security compliance. The in the news, nor is it based or regulatory risk, and final 3. Take the necessary, council can be a venue for simply on the manager’s decisions on managing appropriate, and realis- discussing security topics own ideas of what is most that risk must belong to tic steps to protect and and risk management strat- important to protect. the business leaders. That mitigate the most serious egies, and it can host reso- Instead, it is based on a shift in understanding sets security threats and risks. lution attempts for conflicts shared understanding of a security program up for 4. Conduct incident in the process. 1010110100101110101010010100101 10101101001011101010100101 1010110100101110101010010100101 1010110100101110101010010100101 1010110100101110101010010100101 10101101001011101010100 1010110100101110101010010100101 10100101 1010110100101111010110100101110101010010100101 0101010010100101 00101 1010110100101110 1010110100101110101010010100101 10101101001011101010100101 1010110100101110101010010100101 1010110100101110101010010100101 1010110100101110101010010100101 10101101001011101010100 1010110100101110101010010100101 10100101 10101101001 1010110100101110101010010100101 10101101001011101010100101 43 1010110100101110101010010100101 1010110100101110101010010100101 1010110100101110101010010100101 10101101001011101010100 1010110100101110101010010100101 10100101 1010110100101111010110100101110101010010100101 0101010010100101 00101 1010110100101110101010010100101 101011 1010110100101110101010010100101SEP 2017 | SECURITY MANAGEMENT 1010110100101110101010010100101 1010110100101110101010010100101 10101101001011101010100 1010110100101110101010010100101 10100101 1010110100101111010110100101110101010010100101 0101010010100101 01001011101010100 1010110100101110101010010100101 10100101 1010110100101111010110100101110101010010100101 0101010010100101 01111010110100101110101010010100101 0101010010100101 00101 1010110100101110101010010100101 101011 1010110100101110101010010100101 1010110100101110101010010100101 1010110100101110101010010100101 10101101001011101010100 1010110100101110101010010100101 10100101 1010110100101111010110100101110101010010100101 0101010010100101 01001011101010100 1010110100101110101010010100101 10100101 1010110100101111010110100101110101010010100101 0101010010100101 101010010100101 101011 1010110100101110101010010100101 1010110100101110101010010100101 1010110100101110101010010100101 10101101001011101010100 1010110100101110101010010100101 10100101 101011010010111101011010010111010101 0010100101 0101010010100101 01001011101010100 1010110100101110101010010100101 10100101 1010110100101111010110100101110101010010100101 0101010010100101 1010110100101110101010010100101ASIS is leading the effort 10101101001011101010100101of defining step in building 1010110100101110101010010100101 out this roadmap. Other in 1010110100101110101010010100101 developing consistency is critical. 1010110100101110101010010100101 10101101001011101010100 1010110100101110101010010100101 10100101 1010110100101111010110100101110101010010100101 0101010010100101 00101 1010110100101110101010010100101security’s role101011 through 1010110100101110101010010100101 ESRM. At ASIS steps will1010110100101110101010010100101 be needed; it is essential that 1010110100101110101010010100101There are some core foundational 10101101001011101010100 1010110100101110101010010100101 10100101 1010110100101111010110100101110101010010100101 0101010010100101 01001011101010100 1010110100101110101010010100101 101001012017 in Dallas,1010110100101111010110100101110101010010100101 you will hear more volunteers, both0101010010100101 seasoned and 1010110100101110101010010100101new to the elements that need 10101101001011101010100101 to be in place for 1010110100101110101010010100101 1010110100101110101010010100101 1010110100101110101010010100101 10101101001011101010100 1010110100101110101010010100101 10100101 1010110100101111010110100101110101010010100101conversation 0101010010100101 around ESRM 00101 as 1010110100101110well as field, 1010110100101110101010010100101 embrace this shift towards 10101101001011101010100101profes- this ESRM transition 1010110100101110101010010100101 to be successful. 1010110100101110101010010100101 1010110100101110101010010100101 10101101001011101010100 1010110100101110101010010100101 10100101 10101101001 1010110100101110101010010100101 10101101001011101010100101 1010110100101110101010010100101more maturity and consistency 1010110100101110101010010100101 in that sionalization for it 1010110100101110101010010100101to gain traction. First, 10101101001011101010100 there needs to be a consistent 1010110100101110101010010100101 base 10100101 101011010010111101 0110100101110101010010100101 0101010010100101 00101 1010110100101110101010010100101 101011 1010110100101110101010010100101 1010110100101110101010010100101 1010110100101110101010010100101conversation. As the 10101101001011101010100 leading security 1010110100101110101010010100101This transition will not occur 10100101 with 1010110100101111010110100101110101010010100101of knowledge for our industry to work 0101010010100101 01001011101010100 management professional organiza- the flip of a switch. It will take dedica- from: a common lexicon and under- tion, ASIS is best positioned to guide tion to challenge our own notions of standing of security’s role that is under- us through the roadmap from a trade to how we perceive what we do, the lan- stood by practitioners and the business a profession. guage we use to communicate to our representatives we work with. The ASIS Board of Directors has made business partners, and our approach We also need both a top-down and ESRM an essential component of its core toward executing our functions. It will bottom-up approach. New security mission. It has started incorporating take time and comprehensive reflec- practitioners entering the industry from ESRM principles into its strategic road- tion, and the ability to recognize when business or academia, or transitioning map, which means that ASIS is starting to we don’t get it right. We may not be from law enforcement or the military, operationalize this philosophy—a critical totally wrong either, but thoroughness need a comprehensive understanding

1010110100101110101010010100101 10101101001011101010100101 1010110100101110101010010100101 1010110100101110101010010100101 1010110100101110101010010100101 10101101001011101010100 1010110100101110101010010100101 10100101 1010110100101111010110100101110101010010100101 0101010010100101 00101 1010110100101110 1010110100101110101010010100101 10101101001011101010100101 1010110100101110101010010100101 1010110100101110101010010100101 1010110100101110101010010100101 10101101001011101010100 1010110100101110101010010100101 10100101 10101101001 1010110100101110101010010100101 10101101001011101010100101 1010110100101110101010010100101 1010110100101110101010010100101 1010110100101110101010010100101 10101101001011101010100ESRM 1010110100101110101010010100101Covers All Security they are 10100101 not performed 1010110100101111010110100101110101010010100101 that allows your security 0101010010100101consistently, ESRM 00101 can 1010110100101110101010010100101 101011 1010110100101110101010010100101 1010110100101110101010010100101 1010110100101110101010010100101There is no aspect 10101101001011101010100 of in a vacuum 1010110100101110101010010100101 by security program 10100101 to evolve 1010110100101111010110100101110101010010100101 over completely change the 0101010010100101 01001011101010100 1010110100101110101010010100101 10100101 1010110100101111010110100101110101010010100101security 0101010010100101 that cannot be 01111010110100101110101010010100101 and for security, but in full 0101010010100101 time into a pure 00101 risk 1010110100101110101010010100101 view of the security 101011 func 1010110100101110101010010100101- 1010110100101110101010010100101 1010110100101110101010010100101 10101101001011101010100managed 1010110100101110101010010100101 in alignment partnership with the management10100101 1010110100101111010110100101110101010010100101 approach. tion in any organization. 0101010010100101 01001011101010100 1010110100101110101010010100101 10100101 1010110100101111010110100101110101010010100101with the 0101010010100101 ESRM philosophy. 101010010100101 business 101011 leaders For1010110100101110101010010100101 the security The old 1010110100101110101010010100101 view of security as 1010110100101110101010010100101 10101101001011101010100 1010110100101110101010010100101 10100101 1010110100101111010110100101110101010010100Many security profession- 101“the 0101010010100101 department of01001011101010100 no” will 1010110100101110101010010100101 10100101 1010110100101111010110100101110101010010100101 0101010010100101 1010110100101110101010010100101als already practice much 10101101001011101010100101shift when business leaders 1010110100101110101010010100101 1010110100101110101010010100101 1010110100101110101010010100101 10101101001011101010100of the ESRM philosophy 1010110100101110101010010100101understand that security is 10100101 101011010010111101011010010111010101 0010100101 0101010010100101 00101 1010110100101110101010010100101 101011 1010110100101110101010010100101without thinking of it that 1010110100101110101010010100101a partner in ensuring that 1010110100101110101010010100101 10101101001011101010100 1010110100101110101010010100101 10100101 1010110100101111010110100101110101010010100way. For example, perform- 101the 0101010010100101 assets and functions 01001011101010100 1010110100101110101010010100101 10100101 1010110100101111010110100101110101010010100101 0101010010100101 1010110100101110101010010100101ing a physical security risk 10101101001011101010100101of the enterprise most 1010110100101110101010010100101 1010110100101110101010010100101 1010110100101110101010010100101 10101101001011101010100 1010110100101110101010010100101 10100101 1010110100101111010110100101110101010010100101assessment 0101010010100101 on a facility 00101 1010110100101110critical to the 1010110100101110101010010100101 business are 10101101001011101010100101 1010110100101110101010010100101 1010110100101110101010010100101 1010110100101110101010010100101 10101101001011101010100 1010110100101110101010010100101 10100101 10101101001is equivalent to the ESRM 1010110100101110101010010100101protected in accordance 10101101001011101010100101 1010110100101110101010010100101 1010110100101110101010010100101 1010110100101110101010010100101 10101101001011101010100 1010110100101110101010010100101 10100101 1010110100101111010110100101110101steps of identifying and 010010100101with exactly 0101010010100101 how much risk 00101 1010110100101110101010010100101 101011 1010110100101110101010010100101 1010110100101110101010010100101 1010110100101110101010010100101 10101101001011101010100 1010110100101110101010010100101 10100101 1010110100101111010110100101110101010prioritizing assets and risk. 010100101the business 0101010010100101 is willing 01001011101010100to 1010110100101110101010010100101 10100101 1010110100101111010110100101110101010010100101 0101010010100101 01111010110100101110101010010100101 0101010010100101 00101 1010110100101110101010010100101 101011And setting up a crisis man- 1010110100101110101010010100101tolerate. 1010110100101110101010010100101 agement plan can be con- sidered an aspect of ESRM I RACHELLE LOYEAR IS risk mitigation, as well as ESRM PROGRAM MANAGER incident response. FOR G4S AND CHAIR The critical difference OF THE ASIS CRISIS between programs MANAGEMENT AND that do these activities BUSINESS CONTINUITY as part of a traditional COUNCIL. BRIAN J. security program versus ALLEN, ESQ., CPP, IS A an ESRM program is the MEMBER OF THE ASIS ESRM consistency of approach COMMISSION. ALLEN AND in ESRM. In ESRM, these driving the deci- manager, the first LOYEAR ARE COAUTHORS activities are not per- sion making process for all step to fully understanding OF THE MANAGER’S GUIDE formed on an ad hoc basis risk mitigation. the ESRM philosophy is TO ENTERPRISE SECURITY but consistently across all to communicate it to the RISK MANAGEMENT AND areas of security risk. They ESRM Is Possible executives and business THE FORTHCOMING BOOK are not applied to one area Implementing ESRM leaders in the enterprise. ENTERPRISE SECURITY RISK of the organization and cannot be done overnight. When implemented MANAGEMENT: CONCEPTS not to another. And, vitally, It’s an iterative process thoughtfully and practiced AND APPLICATIONS. 1010110100101110101010010100101 10101101001011101010100101 1010110100101110101010010100101 1010110100101110101010010100101 1010110100101110101010010100101 10101101001011101010100 1010110100101110101010010100101 10100101 1010110100101111010110100101110101010010100101 0101010010100101 00101 1010110100101110 1010110100101110101010010100101 44 10101101001011101010100101 1010110100101110101010010100101 1010110100101110101010010100101 1010110100101110101010010100101 10101101001011101010100 1010110100101110101010010100101 10100101 10101101001 1010110100101110101010010100101 10101101001011101010100101 1010110100101110101010010100101 1010110100101110101010010100101COVER STORY | BY1010110100101110101010010100101 BRIAN J. ALLEN, CPP 10101101001011101010100 1010110100101110101010010100101 10100101 1010110100101111010110100101110101010010100101 0101010010100101 00101 1010110100101110101010010100101 101011 1010110100101110101010010100101 1010110100101110101010010100101 1010110100101110101010010100101 10101101001011101010100 1010110100101110101010010100101 10100101 1010110100101111010110100101110101010010100101 0101010010100101 01001011101010100 1010110100101110101010010100101 10100101 1010110100101111010110100101110101010010100101 0101010010100101 01111010110100101110101010010100101 0101010010100101 00101 1010110100101110101010010100101 101011 1010110100101110101010010100101 1010110100101110101010010100101 1010110100101110101010010100101 10101101001011101010100 1010110100101110101010010100101 10100101 1010110100101111010110100101110101010010100101 0101010010100101 01001011101010100 1010110100101110101010010100101 10100101 1010110100101111010110100101110101010010100101 0101010010100101 101010010100101 101011 1010110100101110101010010100101 1010110100101110101010010100101 1010110100101110101010010100101 10101101001011101010100 1010110100101110101010010100101 10100101 101011010010111101011010010111010101 0010100101 0101010010100101of risk management 01001011101010100 principles and 1010110100101110101010010100101 through publications coordinated 10100101 1010110100101111010110100101110101010010100101 with time when you’ve been frustrated in 0101010010100101 1010110100101110101010010100101 10101101001011101010100101 1010110100101110101010010100101 1010110100101110101010010100101 1010110100101110101010010100101 10101101001011101010100how a risk 1010110100101110101010010100101 paradigm drives the security 10100101organizations 1010110100101111010110100101110101010010100101 that reach the C-suite, such this industry.” 0101010010100101 00101 1010110100101110101010010100101 101011 1010110100101110101010010100101 1010110100101110101010010100101 1010110100101110101010010100101 10101101001011101010100 1010110100101110101010010100101management thought 10100101 process. 1010110100101111010110100101110101010010100101 There as the Conference Board of the National 0101010010100101 Every 01001011101010100 answer comes down 1010110100101110101010010100101 to one of 10100101 1010110100101111010110100101110101010010100101 0101010010100101 1010110100101110101010010100101 10101101001011101010100101 1010110100101110101010010100101 1010110100101110101010010100101should be an expectation 1010110100101110101010010100101 that these Association 10101101001011101010100 of Corporate Directors. 1010110100101110101010010100101two issues. One, 10100101 we do 1010110100101111010110100101110101010010100101 not know and 0101010010100101 00101 1010110100101110 1010110100101110101010010100101 10101101001011101010100101 1010110100101110101010010100101 1010110100101110101010010100101 1010110100101110101010010100101foundational skill 10101101001011101010100 sets are in place 1010110100101110101010010100101Clearly academia needs 10100101to play a 10101101001 cannot 1010110100101110101010010100101 clearly define our role. Two,10101101001011101010100101 our 1010110100101110101010010100101 1010110100101110101010010100101 1010110100101110101010010100101 10101101001011101010100 1010110100101110101010010100101 10100101 101011010010111101 0110100101110101010010100101when someone 0101010010100101 enters the security 00101 1010110100101110101010010100101role as well. College students 101011 1010110100101110101010010100101inter- business partners 1010110100101110101010010100101 cannot clearly define 1010110100101110101010010100101 10101101001011101010100 1010110100101110101010010100101 10100101 1010110100101111010110100101110101010010100101 0101010010100101 01001011101010100 field. Working from a common base ested in entering this dynamic industry our role. Both of these frustrations are of knowledge, these ESRM concepts will come in more prepared to assist manageable, and both are our fault as should be incorporated into the security security leaders and businesses with a an industry for not establishing clarity. management curriculum, consistently solid knowledge base of security risk This leads to strained relationships established in every security certifica- management fundamentals. And once with our business partners in how we tion, and inherent in job descriptions a rigorous ESRM body of knowledge is are perceived and how likely our expert and hiring expectations at every level. established, ASIS has the clout, exper- guidance is to be accepted. We also need to build expectations tise, and standing to provide a certifica- Having a clearly defined security role regarding what security’s role is, and tion for academic institutions that meet through ESRM helps build a founda- how it goes beyond its assigned tasks, concepts in their curriculum, which tion for a more satisfying career in the from the top-down—among executives, would will provide for a more consistent security industry. It would provide boards, hiring managers, and business understanding of security’s role. us with proper standing in our enter- partners. A clear and common under- ASIS has established ESRM as a prises, and better positioning for us to standing of security’s role will make it global strategic priority and has formed have a seat at the table for the right rea- easier to define success and the skill an ESRM Commission to drive and sons, ones that executives understand sets that are needed to be successful. implement this strategy. One of the and can support. Organizations like ASIS will assist in commission’s first steps is developing For the practitioner, a consistent secu- providing the wherewithal to support a toolkit comprising a primer and a rity program through ESRM provides these leaders. maturity model. a framework to bring together security If we truly are security risk manag- mitigation tasks under one proper ers, then there must be an expectation umbrella: physical, investigations, of foundational and comprehensive cyber, information, business continuity, risk skill sets when hiring decisions Benefits brand protection, and more. are made. There could be educational to ASIS Members The human resources industry opportunities through ASIS, through There is a question I ask of every can­ has professionalized over the last global partnerships with universities, and didate I interview: “Tell me about a decade or so. We see this through their standing within business, their seat at the table, and their upgrades in title and pay. Now, with the rise in threats and potential business disrupters, our industry has an opportunity. Business leaders and boards are looking for answers. We have the necessary skill sets and a dedicated and supportive professional association in ASIS to take the lead. We are at a crossroads. It is time to choose the path of self-determination, take control of this conversation, and make the transition from trade Provide tools and Increase the Enhance the processes for effectiveness and professionalism to profession. implementation productivity of the industry of security practices BRIAN J. ALLEN, ESQ., CPP, IS THE and solutions FORMER CHIEF SECURITY OFFICER FOR TIME WARNER CABLE, A FORMER MEMBER OF THE ASIS BOARD OF DIRECTORS, AND A CURRENT MEMBER OF THE ASIS ESRM COMMISSION.