Reboot Your Security Program with an Enterprise Security Risk Management (ESRM) Approach
Businesses across the globe face all kinds of risks on a daily basis, and these risks are constantly evolving. That’s why proactive security and business leaders are always seeking to improve the solutions and programs they have in place to mitigate those security risks.
Rethinking your security program using an Enterprise Security Risk Management model (ESRM) helps you build, customize and develop security programs that are ideally suited to your organization’s individual needs and environments, whether you are in critical energy infrastructure, a bank, a hospital, the retail space, a manufacturing environment or an office.
Before your business can determine what security solutions are right to protect your assets — be it the number of security officers posted at a site, the amount of cameras surrounding a perimeter, or the level of identity and visitor management required — you need to ask and answer some fundamental questions:
- What do I need to protect?
- What do I need to protect it from?
- How can I best, and most efficiently protect it?
These three questions are the essence of a risk-based approach to managing security in your organization. With this in mind, adopting a security risk management model allows you to follow a roadmap through the entire risk management process: identifying your critical assets, understanding the risks to those assets and determining how to best align mitigation solutions to protect those assets in line with your business’s tolerance for risk.
The first step to rebooting your security program using an ESRM approach involves sitting down with your business leaders (the “asset owners”) and identifying all of the critical assets they want to protect.
The partnership approach to identifying which assets are most critical for protection is the key to ensuring that you are making the best use of your organization’s security budget and that you are placing your resources where they can provide the most value to the business. Assets can be many things, including people, property, information and reputation.
“People” may include internal employees and other dedicated personnel, as well as customers, contractors or guests.
“Property” consists of both tangible and intangible items that can be assigned a value. Intangible assets include reputation and proprietary information.
“Information” includes databases, software code, critical company records, personnel knowledge and many other intangible items.
While considering assets that are important, don’t forget to explore external assets that are critical to the company to protect. Your organization may have a key goal of protecting the local community it operates in, or a need to protect a non-owned supplier or material source.
Once you have created your list of assets, assign a value to that resource based on how impactful the loss of the asset might be to completing the overall mission of the organization. It is important to partner with internal asset stakeholders to help you understand the true value of all assets to your business.
Now that you understand what you are trying to protect, the next step in the ESRM model is to look at the likelihood of those assets being harmed by particular security risks. A “risk” identifies the likelihood of a threat causing actual harm to a valued asset. When you are exploring potential risk, don’t forget to explore the following potential avenues of harm.
- Human Threats: These are intentional, often malicious, actions or attacks by human actors that could harm your valued assets, including activities such as theft, violence, vandalism or unethical actions.
- Accidents and Natural Hazards: These can be man-made or natural and are typically unintentional, and can be natural or accidental industrial disasters, safety issues or accidents such as vehicle or personal accidents.
- Social and Political Hazards: These are harder to mitigate, but don’t forget to include issues that are externally driven by systemic change. These could include changes in regulations, political climate or social climate that need to be considered by a holistic security risk management program.
To understand the actual risk of an asset being harmed by one of those threats, look at your history and records to see how frequently incidents like them have happened. Or look at records from industry-wide resources, such as public crime statistics or other security databases. This will help you establish a clear and well-informed picture.
Planning Solutions to Mitigate Risk
When rebooting your security program to take a risk based approach, one key piece of the change will be to ensure that there is no security activity that is happening in your program without a clear reason. In the ESRM model, that reason is to mitigate a risk to specific assets. In a risk-based approach to security, every security expense can be tied to the risk it is mitigating and the asset it is protecting. This shows the chain of value to the organization from cost to return on investment. Looking at your solutions in this way enables you to focus your company resources in the best way to manage and tackle risks and assets in the order of importance defined by the asset owners. Putting the right technological and human resources in the right place for the right reason results in a truly risk-based security program.
Depending on your organization’s desire and needed level of protection for each kind of asset, you can choose solutions to help prevent incidents as much as possible — to help contain and reduce impact if an incident does occur, to recover to a steady state after an incident impacts your asset or a combination of all three types of mitigation level.
Preventive solutions, such as carrying out background checks on all visitors to a site or having perimeter protection in place, aim to stop an incident from happening in the first place. Containment resolutions, such as having intrusion detection or fire safety systems installed, help reduce harm during an incident. Recovery solutions, such as investigations or security forensics, are designed to alleviate impact after an incident, ensuring that business operations recover quickly and that damage is as minimal as possible.
A Constantly Evolving Security Program
As a whole, approaching your security program with a, ESRM model allows you to work with your business leaders to monitor their assets, understand the risks they face, and, together, come up with the most appropriate, efficient and effective solutions. You can also make clear ties in the model to work out the total cost of ownership — based on asset exposure to certain risks — as well as the ROI of the various solutions that you put in place.
Once you have your program defined and in place, you can continue to monitor the progress of the security program, using incident tracking and data analytics to create reports to show the efficacy of the program. This way, you ensure the program is consistently working at its best and is in line with the business’ requirements, which can change over time. This is the heart of the risk management lifecycle.
Embracing an ESRM model can change the way your business thinks about security, for the better, with a view to the value security provides, not just the “overhead cost” of the program.