ESRM and the COVID-19 Pandemic
Fundamental to the practice of enterprise security risk management (ESRM) is identifying and prioritizing assets and identifying and prioritizing the risks that could affect those assets. The unprecedented scope of the COVID-19 pandemic’s societal disruption has applied massive pressure to organizations as they implement emergency plans geared toward protecting assets—including human assets—as much as possible by assessing and mitigating the incredible disruptions.
Some of the highly disruptive actions caused by the pandemic include the closing of facilities—possibly for months, new screening or workflow procedures for facilities that remain open, entire workforces suddenly teleworking for weeks or months, a near complete shutdown of business travel, furloughs and layoffs, massive worldwide economic distress, and this list could go on and on.
Some of the first impacts companies felt were stresses placed on the supply chain.
“It started early on for us with clients who rely significantly on their supply chain from China,” says John Torres, who leads the security and technology consulting practice for Guidepost Solutions. “So in January we were working with clients to adjust and pivot so they could reconstruct those supply chains to other places, either here in the United States or to Latin America or to Europe. And as we’ve seen the virus spread, the approach has to continue to adapt.”
On the flip side, Paul Mercer, managing director of HawkSight Security Risk Management, a security risk consultancy based in the United Kingdom, says there are a number of emerging threats that need to be monitored, including the potential that the global pandemic and subsequent economic distress could trigger widespread civil unrest and a marked increase in crime.
“We’re beginning to understand the clear health-related risks associated with this pandemic, but then there’s also the emerging threats that we should begin to start focusing on, for example: civil unrest,” Mercer says. “The experience of the Arab Spring, whilst an extreme example, demonstrated that a starting point of dissatisfaction can move to peaceful protest to violent protest and then a total breakdown of law and order, particularly in parts of the world lacking in healthcare, suffering existing conflict, and where leadership may not be trusted. This is a continuum that we’ve recently witnessed, and we need to be cognizant of the types of events that an unprecedented emergency situation such as this pandemic could potentially trigger.”
The Importance of a Holistic Approach to Security
The number, variability, and complexity of the risk factors organizations are dealing with as part of their pandemic response demonstrate why an ESRM approach is so important. David Feeney, CPP, manager of cyber risk for Deloitte, chaired the committee that wrote the ASIS ESRM Guideline, and he points to an example that has received a lot of attention to illustrate the holistic nature of security risk.
When workers stopped congregating in office buildings en masse and started working in home offices, cyber criminals smelled opportunity and went into overdrive. Cleverly designed phishing schemes and malware sought to prey on unfamiliar circumstances to penetrate networks or hold systems ransom.
“As security practitioners, we tend to silo security with qualifiers like physical security or cybersecurity. Threats don’t work that way,” says Feeney. “A threat is a threat, without consideration to categorizing itself. Consider the impact of the remote workforce. Do remote workers use company laptops or their own computers? How does this change the attack surface? Do new vulnerabilities exist? Are additional controls needed? All of these cybersecurity considerations result from a threat—the pandemic—that is traditionally viewed as physical.”
How does the discipline of ESRM and understanding security risk as a holistic, organizational approach rather than practicing security as a discrete, service-providing function for an organization actually help that organization in times of crisis? To help answer this question, a basic understanding of ESRM is needed. The following excerpt is from the ASIS ESRM Guideline:
Enterprise security risk management (ESRM) is a strategic approach to security management that ties an organization’s security practice to its overall strategy using globally established and accepted risk management principles. In ESRM, the security professionals and the asset owners share security responsibilities, but all final security decisions are the responsibility of the asset owner.
The ESRM approach addresses the full scope of security risk mitigation practices, including physical security, cybersecurity, information security, loss prevention, organizational resilience, brand protection, travel risk, supply chain security, business continuity, crisis management, threat management, fraud risk mitigation, and workplace violence prevention. ESRM connects all the key elements of the security effort with the organization’s assets that require protection.
…The objective of ESRM is to identify, evaluate, and mitigate the likelihood and/or impact of security risks to the organization with priority given to protective activities that help enable the organization to advance its overall mission. Security professionals utilize ESRM to further the organization’s mission through the proactive management and communication of security risks to top management and asset owners. ESRM puts security activities in context and helps top management set protection priorities and allocate resources. That engagement fosters a sense of ownership and establishes top management’s commitment to the program.
ESRM, then, is at its core a strategic approach to preparing organizations to protect their assets, and an organization’s assets include everything from tangible assets, such as people, facilities, and physical property, to more conceptual assets, such as supply chains and brand reputation.
“A holistic approach supports the old Swiss cheese model where when you stack enough layers together, the holes won’t line up and the risk won’t be able to get through,” says Mercer. “Adopting a more strategic approach to security management, as opposed to a siloed program-management type of approach, is much more cost effective and successful at mitigating possible threats. The ESRM guidelines clearly state that the opening gambit of this is to establish the context of what it is you’re trying to achieve both at the company level and in the operating environment in which the company finds itself. Right now, focus is clearly on the prevailing pandemic threat, but we must also focus on the emerging threat environment and how that might impact a particular enterprise both now and in the future.”
ESRM also gives the organization the confidence to take actions quickly and confidently during an incident. “You need to be able to set up an incident response at a moment’s notice, and the only way you’re going to be able to do that is to test it,” says Torres. “Without training or having practiced your response, you find yourself having to test and run through the problems as the crisis is happening, and that’s a tougher place to be. If you were going to test the idea of limiting visitor access to your building and it takes you a week to determine how that is going to impact the organization’s assets before putting a policy in place, that’s a week of potentially exposing your employees to the sickness.”
As Feeney puts it, “ESRM is an approach to managing security risk, which means it has its impact before an incident takes place.” Assets and risks are identified and prioritized by the asset owners with guidance from security professionals.
“Asset owners are the decision makers in this phase because they have the expertise when it comes to their assets,” he adds.
The security risk management decisions from all the organization’s asset owners are documented in a security plan that is managed and executed by the security manager. Before an incident surfaces organizational risks, the security manager works to understand how the risk management decisions from different asset owners interact with each other. The security manager analyzes the plan and leads any drills or other preparatory actions the organization should take.
“When comparing an organization utilizing ESRM to one that isn’t, both may actually end up taking the same steps to mitigate the risk of the pandemic—work from home, temporary closures, reduced hours, etc.,” says Feeney. “But the difference is in how they get there, and the result is that the two organizations may experience varying degrees of effectiveness from the same set of controls.”
In an organization using ESRM, asset owner acceptance is built into the process, making it a smoother, more successful incident response. “The asset owners understand the value of the controls and countermeasures and are more accepting of any inconveniences they might create,” says Feeney.
In an organization not practicing ESRM, security managers make the security decisions—or recommendations—on their own, and those affected by those decisions could actively oppose them, or the decisions may not be grounded in a solid understanding of the asset’s impact on the organization’s mission. That’s the exact type of discord and dissonance that ESRM seeks to avoid.
“Part of the whole continuity of operations is to ensure not only the health and safety of your employees, but also the health and safety of the company so it can continue to be viable,” says Torres. “Whenever you come out of this, months down the road, you don’t want to come out with all kinds of security violations, lawsuits, or in a compromised position. There’s a lot to consider holistically—it goes way beyond access control of visitors and physical security measures.”
ESRM and Managing an Incident
When an incident occurs, the dynamic shifts from asset owners being responsible for risks to security managers, who implement and manage security controls and countermeasures. An ESRM-developed security plan gives security managers the broader organizational context to act with the confidence and decisiveness a crisis demands.
“Execution of those plans from incident detection through recovery is the security professional’s golden hour,” says Feeney. “Security professionals are the decision makers in this phase—and in fact manage the entire response—because they have the expertise when it comes to security incident response.”
To do this effectively, the ESRM Guideline describes the context from which security managers must act. Their work with the organization’s asset owners and senior leadership must provide a demonstrable grasp of how the actions they take during an incident might impact the organization’s mission and vision, core values, operating environment, and stakeholders.
Mercer says the first thing needed in effective crisis management is a means to develop and communicate a common understanding of what is happening, a requirement, he says, that points to a technological solution.
“In the case of a pandemic, for example, there is a lot of data going around, most of it focused on the health concerns. What’s not happening is there isn’t an overlay of emerging security threat data,” Mercer says. He is a strong proponent of using geographic information systems (GIS) to present data visualizations that build a common understanding of the current situation based on credible data, rather than relying on people’s impressions or circumstantial analysis.
“Security teams in an incident response may communicate in ways they are used to, that they may have used in the military or police or intelligence agencies,” he says. “This doesn’t resonate in many cases with business leaders because they don’t understand the language or the drivers. These data visualizations can present the data in a way that leaders will understand. For a security professional to be able to do this, they’ve got to really get into the skin of the organization and understand what it does, how it does it, why it’s doing it that way, what the culture is. ESRM effectively says you have to understand the whole enterprise the way the leaders do before you can start to protect it.”
In broader terms, Mercer describes three components of crisis management. Tactical response is the front line. In looking at some of the risk approaches described earlier, tactical response would be IT working to protect network security as the workforce shifts to working from home, or scheduling shifts to reduce the number of employees at the facility at one time. The second component is support to the tactical response; for example, HR may develop tips for working from home or ease certain personnel policies. And finally there is corporate response, which looks at the bigger picture of financial impact, effect on brand, and interactions with partners and other stakeholders. People doing the work in each of these response components assume these roles as part of incident management, and that’s where ESRM comes in.
“To most effectively train those teams, they need some kind of scenario-based training which brings us back to the risk analysis,” says Mercer. “These emergency response teams need to be trained on credible risks to the company and the prioritized assets. Without this risk-led approach, they are not training at all, or they are being trained in fictitious scenarios that have no relevance to the organization.”
Lessons from the Pandemic Experience
ESRM is a concept that has been around in some form for years—perhaps decades. Things like the ESRM Guideline, which was just published last year, provide a common structure and framework to use—as the name suggests—as a guide for organizations.
In reality, there is no demarcation line that clearly defines Company A as an ESRM company and Company B as not an ESRM company. Rather, it is a continuum: at one end are organizations that treat security as a discrete function prescribing policies and procedures based on security interests and protocols; at the other end is a security department that has integrated all aspects of security and acts as a partner to the rest of the organization, helping stakeholders make better decisions based on the safety and security of important assets.
All organizations fall somewhere on that continuum. The question is, with just about every organization on earth affected by the coronavirus pandemic, some of them pretty severely: Are there things security managers should be on the lookout for in order to move the organization toward the ESRM side of the continuum?
“In the case of the COVID-19 pandemic, and the associated risks that become apparent, it is essential that we collate lessons learned, discussing what controls were successful, what could be improved, and what did not work effectively and why,” says Mercer. “These lessons and future planning must be shared with relevant stakeholders and made ready for use for the next such event, or for further phases of this event.”
This process starts with taking a leading role in uncovering those lessons; Mercer notes that, as natural investigators, security managers are primed to fill this role. As the event is happening, security managers should note any communication lapses or times when decisions seem to be made as much from intuition as from data analysis—at what points would data have been beneficial in taking a better course of action or making a more timely decision? And as the organization emerges on the other side of the incident, security managers will fill this role by actively learning all the ways the incident impacted the business.
“You need to talk to all the different parts of the organization, and at various levels in those parts, from the front line to the supervisors to the upper management,” he says. “Analyzing how different departments experienced the incident, and how different levels of the company may have felt it differently, can bring a lot of value to the company and create context for how to better understand what and how risks might threaten assets in future incidents.”
While organizations are still in the middle of managing this emergency situation, it is important to see the bigger picture. And whether the organization emerges from the pandemic crisis in survival mode or in opportunistic mode, it is clear that much can be learned from the incident itself.
“This is an opportunity to learn countless lessons that we’ve never had an opportunity to learn in our lifetimes,” says Feeney. “Many of those lessons will follow one of two themes: that our understanding of assets was not as comprehensive as we thought, or that our understanding of risks was not as comprehensive as we thought. Either could occur if asset owners and stakeholders aren’t sufficiently engaged in the process or if final decisions are made by security based on their limited understanding of these assets. Or maybe risks were prioritized based on criteria other than their potential impact to the mission. Maybe risk wasn’t looked at holistically, or maybe there was not sufficient transparency or governance in the risk management process. All of these factors are directly addressed by the ESRM process and, as such, are valid reasons to adopt ESRM in an organization that has not yet done so.”
Please see the companion article, “Pandemic-Based Risk Mitigations,” which features security risk consultant Paul Mercer’s collection of risk mitigations gleaned from the COVID-19 pandemic that security managers can include in future planning.