
Illustration by iStock; Security Management

Using ESRM to Gain a Seat at the Table

Security is often seen as an operating activity instead of a strategic driver that helps advance the overall mission success of an organization, as highlighted in the recent ASIS International report, The Influence of Security Risk Management: Understanding Security’s Corporate Sphere of Risk Influence.

Through extensive literature reviews and work with 11 focus groups of business executives, the study’s authors found that security is considered a technical, specialized activity, and not considered a business enabler.

“This specialization means at a corporate level, security has a constrained degree of influence when compared to general managers who work across multiple business activity areas and demonstrate higher degrees of business influence,” according to the report’s executive summary.



Webinars

Sponsored

Security and Surveillance Solutions Like No Other

At GSX 2023, Hanwha Vision is showcasing an array of new products and solutions in Booth #3123 in Artificial Intelligence (AI) Hanwha stands at the forefront of AI innovation and will demonstrate new uses of AI in PTZ and Q series cameras, delivering precise detection, robust search capabilities, elevated data analysis, and enhanced image quality. Also on display will be FLEX AI technology machine learning which helps our cameras continually learn to recognize key objects for more efficient operation.

In simpler terms, Rachelle Loyear, vice president of integrated security solutions for Allied Universal, says security practitioners are often asking their peers an important question: “How do I get the C-suite to listen to me?”

Embracing enterprise security risk management (ESRM) might help. For more than half a decade, ESRM has been growing in popularity among security practitioners; however, figuring out how to introduce this methodology into an organization unfamiliar with it is not always an easy task.

In a one-day intensive course before GSX 2023 in Dallas began, attendees dove into the principles and methodology of ESRM to hopefully foster a new security culture at their companies—including one of greater security influence.

Along with Loyear, the pre-conference session “Successfully Implementing an ESRM Approach into Your Organization” included two other high-level speakers with experience in successfully implementing ESRM: David Feeney, CPP, PSP, advisory manager for Deloitte & Touche LLP, and Paul Mercer, managing director for HawkSight Security Risk Management Ltd. The afternoon portion featured guest speakers, including Bill Phillips and Jeffrey Slotnick, CPP, PSP.

The presenters explained how ESRM can help in achieving corporate influence by highlighting how security supports a company’s mission.

Feeney is quick to point out, however, that ESRM is not a methodology or complicated set of practices. It’s an approach—one that encourages security practitioners to focus on the intersection between security and organizational leadership and how that partnership influences the rest of a company.

For ESRM practitioners who want to have more corporate influence, the presenters asked attendees to consider how risk management can directly support the broader organization—framing how ESRM can support the entire entity.

Reframing a situation can help drive the message across departments. Simplifying risks and solutions can help stakeholders outside of security want to invest and buy into security solutions and processes.

“Making things simple is the best way to get us in the door,” Loyear says.

For example, Loyear recalls how in prior years a budget discussion would often focus on dollars—salaries, supplies, tools, and updates that either made it under the budget or didn’t. By approaching budget cut discussions from an ESRM mindset, she forces others to consider which risks the company could be more susceptible to.

The benefits of simplicity run the other way, too, especially when it comes to developing a greater understanding of the larger organization.

“You cannot protect what you don’t understand,” Loyear adds.

The workshop further emphasized the importance of this by dedicating its first exercise to breaking down the corporate jargon that can sometimes clutter a company’s mission and vision statements.

“We have to get under the skin of the business,” Mercer says, pointing to the need for security to identify the business assets that are critically linked to the fundamental goals—assets that will demand protection.


You cannot protect what you don’t understand.


Once the assets, their importance to the organization, and those responsible for them are defined, the focus then becomes identifying the source and severity of threats to these assets and their current risk levels.

Communicating and coordinating with other departments to identify what needs protection has the additional benefit that it gives security the opportunity to convey how and why it wants to offer protection.

Mercer pointed to his own experience in IT risk assessments. In previous years, there was a gap when it came to cybersecurity—operational security was unfamiliar with digital components while IT saw cybersecurity as an operational security issue.

But once the two parties conducted joint risk assessments, they were able to identify the risks and agree on them together, helping to “close the gap” on risks that lay between the departments and identifying solutions, Mercer says. Such joint efforts can also help ease traditional budget frustrations between departments.

Other ESRM Resources…

For those in Dallas interested in additional learning opportunities related to ESRM, consider attending these Tuesday GSX 2023 sessions (all times are local/CT):

Other ESRM resources available include:

Sara Mosqueda is associate editor of Security Management, which publishes the GSX Daily. Connect with her at [email protected] or on LinkedIn.
