Last summer, the ASIS Board of Directors elevated Enterprise Security Risk Management (ESRM) to a major strategic initiative of the Society. The Board created a volunteer-led ESRM Commission to lead the effort. ESRM concepts are being integrated into the full range of ASIS products and services, including magazine articles, seminar and exhibits sessions, webinars, classroom programs, standards and guidelines, Foundation research, CSO Center surveys, and the Protection of Assets Manual.
An ESRM subcommittee on research has also begun work on a maturity model against which security leaders can evaluate their programs, and which offers guidance on the journey towards a more holistic view of risk management. Further updates on this work are expected as the year progresses.
Below is a snapshot of our progress so far:
ASIS delivered two well-attended webinars on ESRM in the last month. "It's Time to Disrupt the Old Security Model!", held on February 8, 2017, featured John Petruzzi, CPP, Rachelle Loyear, Raymond O'Hara, CPP, and John Turey, CPP, as presenters. "ESRM: Another Fad or an Enduring Trend?", delivered on February 22, 2017, featured Tim McCreight, CPP, Dennis Shepp, CPP, PCI, Brian McIlravey, CPP, and Brian Link as presenters. (The presenters' conclusion: enduring trend.)
Security Management magazine
Last December, Security Management's cover story, co-authored by Caterpillar CSO Tim Williams, CPP, and Ernst & Young Executive Director Tom Schultz, addressed developing a maturity model for an ESRM program. A forthcoming article in the April issue will cover ERM best practices issued by the U.S. government.
ASIS Annual Seminar and Exhibits
ESRM will be part of the programming at ASIS Europe 2017, to be held in Milan, Italy, on March 29-31. Volker Wagner, CPP, and Brian Allen, CPP, for example, will be presenting on the interface of physical and cyber security and how that fits into the ESRM framework.
Two ESRM sessions are already on the agenda for the seminar in September. The first, to be delivered by members of the ESRM Commission as a pre-seminar session, serves as a physical security practitioner's guide to IT security. It has been specifically designed to help non-IT security professionals understand the challenges and language of IT security, so that they can return to their organizations with the confidence to understand information security issues and threats and apply what they have learned. Attendees will be able to converse on basic IT security issues and apply the security concepts they already understand to the world of IT in order to better protect their organizations.
The other will be a hands-on exercise. In this classroom scenario, participants represent different risk-related corporate departments and must deal with a developing situation by working across the enterprise. Other ESRM sessions are likely to be offered at the seminar as well. As a reminder, the 2017 Seminar and Exhibits takes place September 25-28 in Dallas and will feature a footprint unlike any before—including more diverse and exciting educational formats.
ASIS headquarters has also recently taken stock of all the ESRM-related material that the Society has generated or sponsored in the last decade-plus. The bibliography comprises a seven-page list of reports, white papers, seminar sessions, book chapters, articles, and much more. Reach out to Michael Gips if you would like a copy.
The touchstone of our ESRM initiative going forward is the short white paper, "ESRM: A Holistic Approach to Security."
As ASIS reimagines and restructures many of its departments, including Learning, many more ESRM materials will be offered. But we need your leadership to help drive the understanding and adoption of ESRM. Please serve as an ambassador for ESRM—raise awareness, explain concepts, share materials, and emphasize its criticality.