Enterprise Security Risk Management (ESRM) is a strategic approach to security management that ties an organization’s security practice to its overall strategy using globally established and accepted risk management principles. In ESRM, the security professionals and the asset owners share security responsibilities, but all final security decisions are the responsibility of the asset owner.
When creating reports for an executive-level audience, keep in mind that they have received many other metrics reports that same day, and they have only a few minutes to give to each of them. If you make it easy to read and understand and clearly tell your story using data points and brief summaries, they will be able to digest your information faster, retain more and maybe even begin to look forward to receiving your report on a regular basis.
What is a security professional to do when they are already operating a lean organization, protecting their company’s assets as best they can, and still being asked to perform better with fewer resources?
As security professionals, we inherently understand the concept of “risk.” We are surrounded by leaders and business partners who also understand these concepts — just with a different lens. To align the differences in our approach, we just need to adjust our understanding, gain a few more skills and approach our programs with a management mindset similar to the way business looks at risk.
We tend to believe that it is the business’s responsibility to understand the importance of security and, therefore, recognize the need to invest. But in the world of business, that’s simply not the case. Business leaders have operations to run and missions to fulfill, and as security leaders we need to understand that it’s up to us to bridge the gap between the security way of thinking and the business way of thinking.
This model allows the security leader and team to work with business leaders to monitor resources, understand security risks, and, together, deliver the most appropriate and effective solutions to mitigate those risks. Security leaders can also use the information gathered during the risk-based reboot to understand and communicate the total cost of ownership of the security program — based on the value of the business’s assets that are exposed to certain security risks — as well as the cost of the various resolutions that are put in place.
This month in Security magazine: meet the global security team at Boston Scientific, five female professionals with diverse backgrounds and skills who are creating a best-in-class enterprise security team while ensuring the safety and security of employees, customers and patients. Also this month, we highlight Kristin Lenardson and her successful career in protective services. Security experts discuss whistleblowing, the CCPA and more.