The Manager’s Guide to Enterprise Security Risk Management: Essentials of Risk-Based Security
About this ebook
Is security management changing so fast that you can’t keep up? Perhaps it seems like those traditional “best practices” in security no longer work? One answer might be that you need better best practices! In their new book, The Manager’s Guide to Enterprise Security Risk Management: Essentials of Risk-Based Security, two experienced professionals introduce ESRM. Their practical, organization-wide, integrated approach redefines the securing of an organization’s people and assets from being task-based to being risk-based.
In their careers, the authors, Brian Allen and Rachelle Loyear, have been instrumental in successfully reorganizing the way security is handled in major corporations. In this ground-breaking book, the authors begin by defining Enterprise Security Risk Management (ESRM):
“Enterprise security risk management is the application of fundamental risk principles to manage all security risks − whether information, cyber, physical security, asset management, or business continuity − in a comprehensive, holistic, all-encompassing approach.”
In the face of a continually evolving and increasingly risky global security landscape, this book takes you through the steps of putting ESRM into practice enterprise-wide, and helps you to:
- Differentiate between traditional, task-based management and strategic, risk-based management.
- See how adopting ESRM can lead to a more successful security program overall and enhance your own career.
- Prepare your security organization to adopt an ESRM methodology.
- Analyze and communicate risks and their root causes to all appropriate parties.
- Identify what elements are necessary for long-term success of your ESRM program.
- Ensure the proper governance of the security function in your enterprise.
- Explain the value of security and ESRM to executives using useful metrics and reports.
Throughout the book, the authors provide a wealth of real-world case studies from a wide range of businesses and industries to help you overcome any blocks to acceptance as you design and roll out a new ESRM-based security program for your own workplace.
Brian J. Allen, Esq., CISSP, CISM, CPP, CFE
Brian J. Allen has more than 20 years’ experience in virtually every aspect of the security field. He most recently held the position of Chief Security Officer (CSO) with Time Warner Cable (TWC), a leading multinational provider of telecommunications, information, and entertainment services headquartered in New York City. In this role, he was responsible for protecting TWC’s assets worldwide, coordinating the company’s crisis management and business continuity management (BCM) programs, managing TWC’s cybersecurity policy and leading its security risk management program. He managed the company’s security policy and relations with law enforcement and government authorities, as well as all customer security risk issues, oversaw internal and external investigations, and headed the company’s workplace violence program. Before joining TWC in January 2002, he was Director of the Office of Cable Signal Theft at the National Cable and Telecommunications Association in Washington, D.C., and the owner of ACI Investigations, a multimillion-dollar provider of security guard, investigations, and consulting services. Brian earned his Bachelor of Science degree in criminal justice from Long Island University and received his Juris Doctor degree from Touro Law Center in New York. He is a member of the New York State Bar Association, a Certified Protection Professional (CPP) with ASIS, a Certified Information Systems Security Professional (CISSP) with ISC2, a Certified Fraud Examiner (CFE) with the ACFE and a Certified Information Security Manager (CISM) with ISACA. Brian is also a member of the International Security Management Association and the Association of Threat Assessment Professionals. Brian is an Adjunct Professor at the University of Connecticut, School of Business MBA Program and is active in industry organizations. 
He served as a member of the Communications Infrastructure Reliability and Interoperability Council (CSRIC), an FCC appointed position, and co-chaired its working group on Cybersecurity Best Practices and the Cybersecurity Framework. He is also one of four elected communications company representatives to serve on the Executive Committee of the US Communications Sector Coordinating Council (CSCC). He works with the Cross Sector Cybersecurity Working Group, established by the U.S. Department of Homeland Security (DHS) under the Critical Infrastructure Partnership Advisory Council. Brian has served on the board of directors of ASIS International, and the board of trustees of ASIS International’s Foundation. He is currently a member of the Board of Directors of the Domestic Violence Crisis Center in Connecticut.
The Manager’s Guide to Enterprise Security Risk Management - Brian J. Allen, Esq., CISSP, CISM, CPP, CFE
Part 1
What Is Enterprise Security Risk Management (ESRM) and How Can It Help You?
This part will help you to:
Understand what is meant by Enterprise Security Risk Management.
Explain the difference between traditional, task-based management and strategic, risk-based management.
Understand and overcome some of the blocks to effective relationships with enterprise leaders.
See how adopting ESRM can lead to a more successful security program overall and enhance your own career.
1 What is Enterprise Security Risk Management (ESRM)?
As a security practitioner, you know the world is a risky place, and you know it’s becoming more risk-filled all the time. Hardly a day goes by without headlines about a workplace shooting, a data breach, a cyber-attack, or some other security failure that has exposed an enterprise and its assets - human, physical, and intangible - to some kind of serious risk. Whatever your security role, and no matter how far along you are in your security career, it’s your responsibility to protect your enterprise, and its assets, against these high-profile threats, and many others that are only beginning to emerge and be recognized. These changes in the security risk environment, and the urgent changes they require in your work as a security practitioner, are the reason we wrote this book.
This book is about an approach to security that’s new and yet familiar, radical and yet practical: enterprise security risk management (ESRM).
1.1 ESRM Defined
We’ll be discussing the meaning and implications of ESRM in depth throughout this book, but let’s begin at the beginning, with a simple, straightforward definition of the term:
Enterprise security risk management is the application of fundamental risk principles to manage all security risks - whether information, cyber, physical security, asset management, or business continuity - in a comprehensive, holistic, all-encompassing approach.
To break that down further, we can look at the individual parts of the definition.
1.1.1 Enterprise
An enterprise is a business or company.
This can be:
A public, state, or government-run organization.
A privately held, family company.
A not-for-profit organization providing goods, services, or other non-profit activities.
A stockholder-controlled corporation.
Any other organization that exists to fulfill a purpose defined by that organization.
When we reference business, organization, company, or any similar term in this book, we are referring to any or all of the above - an enterprise.
1.1.2 Security Risk
Security risk is anything that threatens harm to the enterprise: its mission, its employees, customers, or partners, its operations, or its reputation.
That can mean:
A troubled employee with a gun.
An approaching hurricane.
A computer hacker in another country.
A dissatisfied customer with a social media account and too much time on his or her hands.
And, of course, many more.
Security risks take many different forms, and new ones are being introduced all the time. Recognizing those risks, making them known to the enterprise, and helping your internal functional business partners mitigate them is central to the ESRM philosophy.
1.1.3 Risk Principles
The definition of ESRM states that risks are managed through fundamental risk principles. Here, we’ll reference an already existing body of knowledge on how to manage all types of risk, and apply it specifically to the security function. There are well-established, fundamental risk principles - principles that have been tested and found effective over many years, in many different enterprises, and in many different industries - that can be used to manage risks of all types.
The International Organization for Standardization, in standard ISO 31000:2009 - Risk management - Principles and guidelines, and the American National Standards Institute, in their standard document ANSI/ASIS/RIMS RA.1-2015 - Risk Assessment, both outline similar, highly effective, standards for risk management. A few examples of key principles from the ISO standard 31000 (2009) are that risk management should:
Be part of the decision-making process.
Be transparent and inclusive.
Be dynamic, iterative, and responsive to change.
Be capable of continual improvement and enhancement.
Again, these are just a few snippets from the standard. The entire standard is voluminous and comprehensive and we’ll describe more from this risk standard and others in the course of this book to give you a road map showing how to use these fundamental principles of risk management and apply them to the security risks you are responsible for managing.
1.2 How is ESRM Different from Traditional Security?
The description of ESRM above may sound somewhat like what you and your security organization are already doing - and the fact is, you probably are already doing some parts of it.
So let’s take a look at what makes ESRM such a radical departure from traditional, conventional security. To do that, we need a baseline understanding of what traditional security is - and what it is not.
These days, security practitioners are often too busy dealing with threats and vulnerabilities and other urgent operational problems to ask themselves basic questions about what they do and why they do it.
Questions like:
What is my role in the business environment, beyond the specific security tasks I’ve been assigned?
Why are the tasks I do every day necessary for the enterprise?
How is what I do perceived in the organization?
What is the mission my department is chartered to accomplish?
That’s a serious problem, because in security, as in every other business discipline, if you aren’t sure what you’re trying to accomplish - why you’re doing what you’re doing - you can’t be sure you’re doing it right. And, just as important, you can’t be sure that you’re being recognized by the management in your organization as doing it right.
1.2.1 Traditional Corporate Security Scenarios: Something is Missing
One thing we’ve learned in our years as security professionals is that there are a lot of different ways to do security.
Some are good, some are bad, most are a bit of both - and all can teach us something about how to do things better. We’ve talked to a lot of security managers and practitioners in our time, at conferences, seminars, and other industry events, and we’ve learned about a lot of different approaches to security. Here are just a few things we’ve heard about:
Security programs that seem to work successfully in their business environments, even though they’re run largely on instinct or experience rather than as formalized processes that could be extended into new areas.
Security practitioners who feel like outsiders in the enterprise, because they’re only called in when they’re needed - when something’s gone wrong - not before.
Security managers who spend all their time performing tactical functions - responding to incidents, implementing password controls, installing and monitoring video or access systems - instead of developing strategies.
Security programs that fail because they don’t have the participation and support that they need from the rest of the enterprise.
Security managers who are blindsided by security problems they weren’t even aware existed - but are still expected to take the blame for.
There’s a lot wrong here, and we’ll be talking throughout this book about exactly what makes these things wrong and what you, as the security practitioner, can do about it. But for now, we’d like to talk about one key component that’s missing from all these scenarios: consistency. In ESRM terms, consistency has two fundamental meanings:
Consistency in applying a security risk management philosophy to every part of the security function and to the thought processes applied to all security decision-making.
Consistency in how security roles and responsibilities are communicated to, and understood by, the internal strategic partners who are so critical to the success of an ESRM program.
Bringing consistency to your security program is essential to ensuring that all your stakeholders across the enterprise understand exactly what to expect from you as a security professional and from your security program, recognize and appreciate security’s roles in the enterprise and its business value, and rely on you and your team to perform your roles as trusted business partners.
Consistency is driven by:
Following known, documented, well-communicated practices.
Remembering the proper steps of all security activities and processes.
Always understanding the true role of the security professional as manager of security risk.
Incorporating that understanding and philosophy into your everyday thought processes as the security manager.
Consistency in your security program offers many benefits, but none is more important than earning the trust of the business. When your strategic partners in the enterprise can see that you perform all your security work in a consistent manner and treat all aspects of security risk with a consistent approach, they’ll understand that they can rely on you to practice your security discipline in a balanced way with their best interests in mind. This is a key advantage that practicing security in the ESRM model will bring.
1.3 What is ESRM? - A Closer Look
Let’s take a closer look at exactly what ESRM is, and what it means for you as a security practitioner, and for everyone else impacted by this world of new and rapidly changing risks we all live in. And let’s begin by building on the basic definition of ESRM that we’ve already offered:
Enterprise security risk management is the application of fundamental risk principles to manage all security risks - whether information, cyber, physical security, asset management, investigations, or business continuity - in a comprehensive, holistic, all-encompassing approach.
What does this mean in practice? It means that ESRM represents a fundamental change in the way enterprises - and organizations and individuals within those enterprises - conduct some of their most business-critical operations. That takes time, commitment, and above all a process: an ongoing life cycle.
The ESRM life cycle is similar to other risk management cycles that you may already be familiar with such as the following:
The International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) risk management cycle, for example, calls for risks to be identified, analyzed, treated, and monitored (2009).
The US Department of Commerce’s National Institute of Standards and Technology (NIST) outlines a risk cycle - specific to cybersecurity and information security - in its Guide for Conducting Risk Assessments (2012) that calls for assessing risk, responding to it, and monitoring the results.
The COBIT 5 model from the international professional association ISACA has a very similar implementation life cycle that includes recognizing needs (risks, in other words), defining desired state (planning mitigations) and monitoring outcomes (ongoing risk assessment).
As we’ve already explained, most of the basic, underlying concepts of ESRM are not new, and these other models have distinct similarities to ESRM. But the ESRM model has differences - differences that are critically important to security practitioners and to how they can run their security programs more effectively.
1.3.1 The Phases of the ESRM Life Cycle
In section 4 of this book, we’ll do a deep exploration of all of the phases of the ESRM life cycle, but let’s take a quick look at the model in Figure 1-1 to give you an idea of what we mean.
Identify and prioritize assets: Identifying, understanding, and prioritizing the assets of an organization that need protection.
Identify and prioritize risks: Identifying, understanding, and prioritizing the security threats the enterprise and its assets face - both existing and emerging - and, critically, the impacts and exposures associated with those threats.
Mitigate prioritized risks: Taking the necessary, appropriate, and realistic steps to protect against the most serious security threats and risks.
Improve and advance: Conducting incident response and review - learning from both successes and failures - and applying the lessons learned to advance the program.
This is a life cycle, but not necessarily a linear one. All of these functions are critical to protecting the enterprise - and all of them must be conducted simultaneously and on an ongoing basis. (That’s why they’re shown as a circle in our diagram.) Even more important, the ESRM life cycle requires ongoing commitment, not only from the security practitioner and the security organization, but also from stakeholders throughout the enterprise. It’s only with that commitment, and thorough, consistent application across the enterprise, that ESRM can deliver on its true promise to protect the business and its assets.
1.3.2 Managing Risk in a Life Cycle
Part of applying the ESRM model - and one of the ways it differs from other models - is that the cycle requires you, as a security practitioner, to manage security risks both proactively and reactively. ASIS International’s CSO Roundtable group (2015) published some of the earliest papers on the topic of ESRM, stressing this same idea that ESRM is:
Proactive - continuously assess the full scope of security-related risks to protected assets.
Reactive - respond to security incidents, mitigate the impact, and then assess residual risk to minimize exposure to recurrence, while learning how a risk may have changed and could affect the risk assessment progress and thinking all over again.
ESRM is a simple yet powerful management practice that enables the security professional to engage with the business, partner with the business, and guide the business through a comprehensive security risk management and security risk decision-making process. This enables the security professional and the strategic partner in the organization to work together to develop security strategy and accept risks that are acceptable to the business.
It’s almost impossible to overstate the importance of that last phrase: acceptable to the business. Security and risk decisions must always be fully aligned with the needs and the objectives of the business, so that the business - not the security organization - can make sound, informed security risk decisions. Security practitioners don’t always fully recognize that businesses need to take risks to be successful. ESRM principles can help the business take advantage of these risks, and can actually add real value to the business by doing so.
1.4 What ESRM Is - and What It Is Not
To truly succeed, every business function needs to fully understand why it exists and what it needs to do for the business it operates in, and security is no exception. (Make no mistake, security is a business function too, and your success depends on your recognizing that fact.) The ESRM philosophy provides a simple, effective way to frame the mission and goals of the security organization - for ourselves as security practitioners, for the people in our security organizations working to achieve those goals, and for business leaders. Let’s begin by defining them for our own purposes.
1.4.1 ESRM Mission and Goals
As we mentioned before, the CSO Roundtable published an early description of ESRM in 2015. In it, they offered a simple, actionable definition of these concepts:
The mission of ESRM is to identify, evaluate, and mitigate the impact of security risks to the business, with prioritized protective activities that enable the business to advance its overall mission.
The goals of ESRM are to engage with the business to establish organizational policies, standards, and procedures to identify and manage security risks to the enterprise.
There’s nothing terribly difficult for the security practitioner to understand about any of this. Essentially,