
Putting your faith in Enterprise Security Risk Management (ESRM)

With enterprise security risk management, organizations should consider the risks versus potential impact to dictate when and how often they assess risk. What does that mean for your organization?

By Michael Gips, Will Anderson

Michael Gips, JD, CPP, CSyP, is Principal at Global Insights in Professional Security, which provides content development, strategic counsel, and business insights.


Will Anderson is the CEO of Resolver, whose cloud-based software delivers actionable insights and cost-control measures to risk, security, and resilience professionals.

May 12, 2021

He fit the description of most of the congregants — middle aged to senior, wearing a yarmulke, greeting other congregants in Hebrew. But something was off. He was dressed too casually for a Saturday morning service. He was moving briskly, though he was not late. And a backpack was slung across his shoulder. Typically, only children arrived with backpacks or bags.

Following the 2017 white supremacist rally in Charlottesville, Va., and the mass shooting at the Tree of Life Synagogue in Pittsburgh, this house of worship for Conservative Jews in the northeast United States, like many others, had doubled down on security while trying to maintain a welcoming atmosphere. Part of the new protocol involved having two congregants as greeters and two off-duty policemen as security officers. Knowing many of the members, the volunteer greeters would both welcome guests and spot anyone who wasn’t a regular congregant. They could convey any concerns to the officers.

Spotting an outlier is a challenge, however, because for many Bar and Bat Mitzvahs — Jewish ceremonies where a young man or woman symbolically reaches adulthood — the synagogue welcomes scores of far-flung family members and friends who are unfamiliar to the greeters.

The unidentified man whisked through the entryway and made his way to the back of the facility, where multiple ceremonies were occurring in different rooms, while the greeters were busy welcoming other guests. One greeter exchanged glances with an officer, then dashed back to find the man. When the greeter caught up with him, the man told her that he had expected her, and that he was disappointed in the security posture, commenting that he could have had a bomb and caused mayhem. He turned out to be an Israeli who had appointed himself as a personal penetration tester for the Jewish houses of worship in the region.

The incident prompted an internal security review and drives home the value of Enterprise Security Risk Management (ESRM). The ASIS International ESRM Guideline defines that concept as “a strategic approach to security management that ties an organization’s security practice to its overall strategy, using globally established and accepted risk management principles.”


Agile Assessments

Security programs tend to be hidebound to schedules — annual audits, monthly site reviews, and so on. But mature ESRM programs are more agile. The synagogue in the above example had been used to annual site surveys at best, but none had occurred during the most vulnerable times when the number of visitors could easily overwhelm security protocols. Now site surveys occur more frequently, at different times, and involve different stakeholders.

In fact, all organizations should consider the level of risk vis-à-vis potential impact to dictate when and how often they assess risk. Critical risks should be assessed more often, and less acute or better-controlled risks less often. The most critical risks, which for the synagogue are terrorist attacks, active shooters, and child abductions, should be assigned to a specific individual and continually assessed. If something changes, security personnel want to know immediately, not in three months at the next assessment.

The findings resulting from the new approach to risk assessment have posed some tough issues for the temple. For example, the security committee has suggested measures that would allow staff to contact clergy in an emergency such as a fire or active assailant. The clergy member could then inform the congregation and provide instruction. But the rabbis are forbidden by Jewish law to use any kind of electronics from Friday night to Saturday night — the times when the facility is at its highest occupancy. The resolution remains up in the air, as the synagogue has severely restricted activities due to the Coronavirus pandemic and is addressing more immediate concerns.

 

Business Value

Key to an ESRM approach is a focus on business value. Such an approach entails knowing the business inside out. For this house of worship in our example, that focus consists of offering education, community, and spiritual and religious sustenance and guidance. Based on the business’s mission and strategy, the security program must not only articulate a risk (what might happen), but it should also show the potential business impact.

A house of worship, with its spiritual orientation, might not seem like a good candidate for such an approach. In fact, though it’s tax-exempt, it is very much a business and benefits from a business approach. Most threats — a child abduction, vandalism, hate crime, theft, cyberattack — would have a direct, economic impact or indirect impact from reputational damage. Economic harm could come from loss of students and congregants, higher insurance premiums, and loss of donations, for example.

In fact, when the synagogue decided to switch its preschool to an all-virtual environment during the Coronavirus pandemic, it lost students, along with valuable revenue, to neighboring institutions. This served as a real-life example of the business impact of disruption, making it easier for the executive board and staff leadership to visualize risks that might have seemed purely theoretical.

 

Audit Your Best Controls, Not Your Worst

Though it may seem counterintuitive, all organizations should audit their well-controlled risks — controls perceived as strong breed complacence, for the very reason that if they are indeed broken, nobody notices. That’s why these controls — which are in place because of the severity of risk — should be audited often.

By contrast, if you have a control or countermeasure that has been identified as weak, you will be inclined to look at it. That’s a waste of time. You should have a plan to either address or accept that weakness. In a similar vein, security professionals are tempted to spend time on areas that generate many incidents. The better approach is to look closely at the ones that aren’t reporting any incidents.


Be Concrete

Typologies such as “High, Medium, or Low Risk” or “Code Red, Yellow, or Green” are hard for executives to internalize. As a security leader, you should learn to speak about those risks in terms of monetary value. Present risks in the language of potential losses. Mature risk programs deemphasize qualitative assessments in favor of hard data based on key risk indicators.

If these risk indicators can be updated automatically (or at least regularly), security will more quickly learn when the risk exceeds an accepted tolerance level. For example, one key risk indicator for the synagogue is the level of anti-Semitic chatter online and on social media. At various times, an increased level of that activity has exceeded risk tolerance and caused the synagogue to shut down for several days.

 

Use Stories

Risk managers may believe that dispassionate analysis wins the day. It usually doesn’t. Instead of “what might happen,” describe situations that have gone awry and what happened. The detail matters.

Warning executives that the loss of a facility will sever the supply chain will get some attention, but talking through what would actually happen were the facility made inoperable (what choices would be made, who would be involved, etc.) is more powerful. More powerful still are actual examples, if not of your company, then from one similar to yours. In fact, the synagogue used the story of the self-appointed red-teamer described at the beginning of this story to drive home risk and secure additional attention and resources.

Michael Gips is a Principal at Global Insights in Professional Security, LLC. He was previously an executive at ASIS International.
