ESRM: An Enduring Security Risk Model

As a member of the ASIS International Board of Directors, I have the opportunity to talk to many talented security professionals. Given the focus that ASIS is now placing on Enterprise Security Risk Management (ESRM), many of the conversations I'm having are centering on that topic. And as those discussions unfold, I'm hearing from people who are concerned that ESRM is just another buzzword or fad that will run its course and leave them in the same position they've always been in: misunderstood, frustrated, and often underfunded.

Because I have been working in the ESRM model for so long, I recognize that fear as understandable but unfounded. To demonstrate that, in this article, I'm going to walk you through the changes that the foundational ideas of ESRM can have on the profession, if we let it. 

But bringing that change isn't going to be easy. It means that we must first understand ESRM, embrace its risk management approach, and finally bring the rest of the profession along with us. And, as security professionals, we understand people resist change and often come up with some very convoluted ways of avoiding new things, or things they don't quite "get."

Just one example is an article I read in November where the writer described ESRM as just "more smoke and mirrors" within the security profession and went on to write that instead of focusing on ESRM, security practitioners should focus on understanding their organizations, aligning with the strategy, understanding the company's ERM program, and partnering with the business leaders to ensure the security program was meeting their needs.

And I agree—we DO need to do those things. But, perhaps that author might want to look a little more closely at what ESRM actually is, because he first said to not follow ESRM, then outlined many of the key points of an ESRM program as what to focus on "instead." For the security industry, attitudes like this will only hamper us in our quest to be more relevant to the business and tar us as being inflexible and out of touch. It's a mark of significant misunderstanding when an article attempting to discredit an important idea ends up endorsing the very same concept, just without its name.

ESRM: What Is It Really?

These kinds of misunderstanding can only be resolved with a concerted education effort, and that effort is the responsibility of those individuals who already practice ESRM—myself included.

So, let's start with this boiled down definition:

ESRM is a security program management approach that links security activities to an enterprise's mission and business goals through risk management methods. The security leader's role in ESRM is to manage risks of harm to enterprise assets in partnership with the business leaders whose assets are exposed to those risks. ESRM involves educating business leaders on the realistic impacts of identified risks, presenting potential strategies to mitigate those impacts, then enacting the option chosen by the business in line with accepted levels of business risk tolerance.

To bring this whole discussion into the appropriate context, I want to walk you through my journey in the security profession and share why I have been so focused on moving away from the old "break glass when needed" approach that so often characterizes our interactions with the non-security functions in our organizations, and towards the ESRM approach.

Operating Without a Strategy

Since beginning my corporate security career in the 1990's I've had the pleasure of working for many large, global, multi-vertical enterprises. Coming from a military background, I remember entering corporate security and thinking to myself"where are the "M" and "E" orders?"

For those of you not from the military, I'll explain. Most military units plan and operate by the simple approach of SMEAC:

• Situation
• Mission
• Execution
• Administration
• Command

What I struggled with in my new corporate world was that my security team really didn't know what the situation was (the company's strategic plan), and therefore we couldn't even begin to build out the department's mission and execution orders. Of course, we understood protection of personnel and assets. We also had assigned functions like physical security, investigations, and crisis management. But none were clearly defined and aligned to the situation, because we'd never had any discussions with the business leaders about what their vision of the situation was—their strategy for the business and what needed to be protected.  

Leveraging Relationships

In my career, I have been lucky enough to have my security organization typically report into a senior executive. I took advantage of this and built solid relationships with many C-level leaders in every organization I worked in. These relationships, in turn, allowed me to ask questions like:

• What do you think the security department should be focused on?   
• What keeps you up at night?    
• What are the things you think it's most important to protect?

Once I understood what my leaders wanted from security, I needed to make sure that they had confidence that I could deliver solutions to their needs. I always found that a great way to do this was a formal documentation process—starting with a clear security organization charter and flowing through operational standards, policies, and procedures. With our role clearly defined through documentation, the security department gained traction and credibility in every company where I carried this out.

Credibility, unfortunately, is not always a "magic bullet" for success. I continued to be frustrated by inconsistent decision making, risky business initiatives, and what I perceived to be an overall lack of knowledge and caring when it came to operational risk. Why was that? I realized over the course of time that business leaders need to understand more than just the role of security; they need to understand that they have a role in security as well - to be educated enough on the issues to make quality security decisions for the organization.

Again leveraging my relationships with the C-suite I began to ask questions such as these: 

• Do you feel like you have a good picture of our company's security risks? 
• Are you confident that the organization's risk acceptance is happening at the appropriate levels?
• Do you understand how much security risk the company is willing to tolerate?

The answers to those questions shocked me. Because overwhelmingly they were "no." Clearly, if I wanted to truly be able to provide the right security for my organizations, I was going to have to find a way to close these gaps in understanding between security and the business.

The Path to "ESRM"

Much to my dismay I was unable to identify anything already existing that told me how to do that. Of course, there was plenty of information on how to "do" security. But very little was available when it came to how to align a security department, its role, functions, and activities to a greater risk management program that the business could accept and participate in. 

Through that search for best practices, though, I found many kindred spirits—all frustrated by the very same things I was seeing and feeling. This band of frustrated security professionals, made up of both young professionals and industry veterans, with expertise in law enforcement, military, corporate, and information security backgrounds, had one common goal: to move away from the reactive and enforcement-minded approach, and reduce the frustrations of inappropriate acceptance of business risk.

Over the years we came together and focused our efforts on identifying and documenting security program gaps across multiple organizations in diverse industry verticals. We validated our findings through external reviews. Working through ASIS, we pulled together funding for a strategic environmental scan of the current and predicted future security landscape. All these steps formed a core understanding of where we were as a profession, where we were going, and the need for change not only to address the current challenges but also the rapidly approaching future, one full of new technologies and much social and cultural disruption. The change we needed was to focus not on the "firefighting" tactics of day to day reactive security, but to manage our security posture through a more nimble and proactive model—managing and mitigating risks more holistically and in line with the business strategy and tolerance for risk to ensure that we weren't still planning for yesterday's battles tomorrow.

This is how ESRM started, and it's still growing and evolving.

The Maturation of a Profession

As ESRM supporters grew in number and moved further in their careers, implementing the ideas in our various organizations, the core idea of ESRM continued to grow and mature. Security practitioners started teaching ESRM educational sessions, as well as writing white papers, articles, and case studies. They spoke about the driving philosophy of ESRM, and most importantly, communicated the success stories of implementation and ongoing management withinFortune 500 companies—bringing more converts into the fold.

The collective "lessons learned" shared by ESRM adopters, in turn, drove many of us to realign and optimize our departments and individual functions to be more consultative and tightly tied to our respective business's strategy, providing more and more real-world success metrics for the ESRM approach.

This approach is detailed in the ESRM Life Cycle Model shown in Figure 1 and will be expanded on in 2018 and 2019 as part of ASIS International's commitment to infuse ESRM into all the Society's offerings. ​

Figure 1 - the ESRM Life Cycle

 

ESRM Becomes an ASIS Strategic Priority

In 2016, ASIS International President David C. Davis, CPP, announced in a board meeting that "we're going to bring the ESRM initiative home." He established an ESRM Commission with clear goals:

1)      Conduct a gap analysis on the security profession's understanding of ESRM and on ASIS's ESRM content, materials, and activities
2)      Create a baseline for a standard ESRM framework
3)      Establish a model that security professionals could use to gauge their security risk management maturity
4)      Provide ongoing communications and education to ASIS members and the overall industry on ESRM topics.

The commission teamed with volunteers and staff to deliver on those goals and in September of 2017 presented its findings to the ASIS Board and recommended a board driven initiative to embed ESRM as the foundation for all ASIS security management practice, education, and certifications.

In November, a project charter was approved by the ASIS International Board of Directors. The charter calls for four value streams:

1)      ESRM Standards and Guidelines
2)      Education / Certification / Research
3)      Marketing/Branding and Communications
4)      ESRM Support Tools

Each project stream will be carried out over 2018 and 2019, led by a board sponsor and an ESRM subject matter expert, teamed with volunteers from around the globe, and staff members from ASIS headquarters.

I am very excited to be a board sponsor of this long-awaited initiative. We, as members of ASIS, are on this journey together. This is not "smoke and mirrors" or a fad, or a buzzword. ASIS has undertaken this initiative to drive the maturity of our profession. The end goal is to provide additional support and value for ASIS members, to reduce your frustrations, to get you "a seat at the strategic table" and, most importantly, to arm you—the security professional—with the information and processes necessary to stay there.