He fit the description of most of the congregants — middle aged to senior, wearing a yarmulke, greeting other congregants in Hebrew. But something was off. He was dressed too casually for a Saturday morning service. He was moving briskly, though he was not late. And a backpack was slung across his shoulder. Typically, only children arrived with backpacks or bags.
Following the 2017 white supremacist rally in Charlottesville, Va., and the mass shooting at the Tree of Life Synagogue in Pittsburgh, this house of worship for Conservative Jews in the northeast United States, like many others, had doubled down on security while trying to maintain a welcoming atmosphere. Part of the new protocol involved having two congregants as greeters and two off-duty policemen as security officers. Knowing many of the members, the volunteer greeters would both welcome guests and spot anyone who wasn’t a regular congregant. They could convey any concerns to the officers.
Spotting an outlier is a challenge, however, because for many Bar and Bat Mitzvahs — Jewish ceremonies where a young man or woman symbolically reaches adulthood — the synagogue welcomes scores of far-flung family members and friends who are unfamiliar to the greeters.
The unidentified man whisked through the entryway and made his way to the back of the facility, where multiple ceremonies were occurring in different rooms, while the greeters were busy welcoming other guests. One greeter exchanged glances with an officer, then dashed back to find the man. When the greeter caught up with him, the man told her that he had expected her, and that he was disappointed in the security posture, commenting that he could have had a bomb and caused mayhem. He turned out to be an Israeli who had appointed himself as a personal penetration tester for the Jewish houses of worship in the region.
The incident prompted an internal security review and drives home the value of Enterprise Security Risk Management (ESRM). The ASIS International ESRM Guideline defines that concept as “a strategic approach to security management that ties an organization’s security practice to its overall strategy, using globally established and accepted risk management principles.”
Security programs tend to be hidebound to schedules — annual audits, monthly site reviews, and so on. But mature ESRM programs are more agile. The synagogue in the above example had been used to annual site surveys at best, but none had occurred during the most vulnerable times when the number of visitors could easily overwhelm security protocols. Now site surveys occur more frequently, at different times, and involve different stakeholders.
In fact, all organizations should let the level of risk, weighed against potential impact, dictate when and how often they assess risk. Critical risks should be assessed more often, and less acute or better-controlled risks less often. The most critical risks, which for the synagogue are terrorist attacks, active shooters, and child abductions, should be assigned to a specific individual and continually assessed. If something changes, security personnel want to know immediately, not in three months at the next assessment.
The findings resulting from the new approach to risk assessment have posed some tough issues for the temple. For example, the security committee has suggested measures that would allow staff to contact clergy in an emergency such as a fire or active assailant. The clergy member could then inform the congregation and provide instruction. But the rabbis are forbidden by Jewish law to use any kind of electronics from Friday night to Saturday night — the times when the facility is at its highest occupancy. The resolution remains up in the air, as the synagogue has severely restricted activities due to the Coronavirus pandemic and is addressing more immediate concerns.
Key to an ESRM approach is a focus on business value. Such an approach entails knowing the business inside out. For this house of worship in our example, that focus consists of offering education, community, and spiritual and religious sustenance and guidance. Based on the business’s mission and strategy, the security program must not only articulate a risk (what might happen), but it should also show the potential business impact.
A house of worship, with its spiritual orientation, might not seem like a good candidate for such an approach. In fact, though it’s tax-exempt, it is very much a business and benefits from a business approach. Most threats — a child abduction, vandalism, hate crime, theft, cyberattack — would have a direct economic impact or an indirect impact from reputational damage. Economic harm could come from loss of students and congregants, higher insurance premiums, and loss of donations, for example.
In fact, when the synagogue decided to switch its preschool to an all-virtual environment during the Coronavirus pandemic, it lost students, along with valuable revenue, to neighboring institutions. This served as a real-life example of the business impact of disruption, making it easier for the executive board and staff leadership to visualize risks that might have seemed purely theoretical.
Audit Your Best Controls, Not Your Worst
Though it may seem counterintuitive, all organizations should audit their well-controlled risks. Controls perceived as strong breed complacency, for the very reason that if they are in fact broken, nobody notices. That’s why these controls — which are in place because of the severity of the risk — should be audited often.
By contrast, if you have a control or countermeasure that has been identified as weak, you will be inclined to look at it. That’s a waste of time. You should have a plan to either address or accept that weakness. In a similar vein, security professionals are tempted to spend time on areas that generate many incidents. The better approach is to look closely at the ones that aren’t reporting any incidents.
Typologies such as “High, Medium, or Low Risk” or “Code Red, Yellow, or Green” are hard for executives to internalize. As a security leader, you should learn to speak about those risks in terms of monetary value. Present risks in the language of potential losses. Mature risk programs deemphasize qualitative assessments in favor of hard data based on key risk indicators.
If these risk indicators can be updated automatically (or at least regularly), security will more quickly learn when the risk exceeds an accepted tolerance level. For example, one key risk indicator for the synagogue is the level of anti-Semitic chatter online and on social media. At various times, an increased level of that activity has exceeded risk tolerance and caused the synagogue to shut down for several days.
Risk managers may believe that dispassionate analysis wins the day. It usually doesn’t. Instead of “what might happen,” describe situations that have gone awry and what happened. The detail matters.
Warning executives that the loss of a facility will sever the supply chain will get some attention, but talking through what would actually happen were the facility made inoperable (what choices would be made, who would be involved, etc.) is more powerful. More powerful still are actual examples, if not of your company, then from one similar to yours. In fact, the synagogue used the story of the self-appointed red-teamer described at the beginning of this story to drive home risk and secure additional attention and resources.