Enterprise Security Risk Management: Concepts and Applications

By Brian J. Allen and Rachelle Loyear

Table of Contents:

Copyright

Dedication

Acknowledgments

Foreword

Part 1: Why Enterprise Security Risk Management (ESRM)?

1: What is Enterprise Security Risk Management?

1.1 ESRM Defined

1.1.1 Enterprise

1.1.2 Security Risk

1.1.3 Risk Principles

1.2 ESRM Overview

1.2.1 ESRM Mission and Goals

1.2.2 ESRM Life Cycle – A Quick Look

1.2.3 Your Role in ESRM

1.3 Why is ESRM Important?

1.3.1 Traditional Corporate Security Scenarios: Something is Missing

1.3.2 ESRM as a Driver for Consistency

1.4 What is ESRM Not?

1.4.1 How is ESRM Different from Enterprise Risk Management (ERM)?

Title page

Cover

Questions for Discussion

References

Learn More About It

2: How Can ESRM Help You?

2.1 Security Function Professionals

2.1.1 The Student

2.1.1.1 How Can ESRM Help You?

2.1.2 The New Security Practitioner

2.1.2.1 How Can ESRM Help You?

2.1.3 The Security Manager or Executive

2.1.3.1 How Can ESRM Help You?

2.1.4 The Transitioning Public Sector Professional

2.1.4.1 How Can ESRM Help You?

2.2 Business Functional Professionals

2.2.1 The Business Function Manager

2.2.1.1 How Can ESRM Help You?

2.2.2 The Senior Executive

2.2.2.1 How Can ESRM Help Your Organization?

2.2.3 The Company Board of Directors

2.2.3.1 How Can ESRM Help Your Organization?

Questions for Discussion

References

3: How Can ESRM Help Your Security Program?

3.1 The Traditional View of Security and Why the Industry Must Change

3.1.1 The Traditional View of Security

3.1.1.1 What Does Security Do? – The Answer from the Security Practitioner

3.1.1.2 What Does Security Do? – The Answer from the Board of Directors and Senior Executives

3.1.2 Why the Security Industry Needs to Define “Security”

3.1.3 The ESRM View of Security – A Profession, not a Trade

3.1.3.1 Managing Security Risks

3.1.4 ESRM-Based Security – Moving from Task Management to Risk Management

3.1.4.1 Security Task Management

3.1.4.2 Security Risk Management

3.1.4.3 The ESRM Solution: A New Philosophy

3.1.5 Why Is the Traditional Approach to Security So Frustrating for So Many People?

3.1.5.1 The Missing Network Switch: A Story of Security Frustration

3.1.5.1.1 The Traditional Security Environment

3.1.5.1.2 The ESRM Security Environment

3.1.5.1.3 The ESRM Difference

3.2 The Evolving Global Risk Environment is Driving Industry to Risk Management Postures

3.2.1 Security and Risk Threats are Real

3.2.2 The Risk Conversation is Changing Rapidly

3.3 What Does “Security Success” Look Like?

3.3.1 Success is Not Just Measured by Numbers

3.3.2 In Security Success, Intangibles are Important

3.3.3 Your Answers Create Your Definition of “Success”

3.3.4 The Security Professional and the Business Leader: Using ESRM to Move Beyond Frustration to Success

3.3.5 The ESRM Philosophy of Security Success

3.3.5.1 Security Becomes Strategic

3.3.5.2 Security Becomes a Business Function

Questions for Discussion

References

Learn More About It

Part 2: The Fundamentals of ESRM

4: Preparing for an ESRM Program

4.1 Understand the Business and its Mission

4.1.1 Holistic Understanding of Risk

4.1.2 The Needs of Your Business

4.1.3 Sources of Information

4.1.3.1 Company Insiders

4.1.3.2 Company Published Communications

4.1.3.3 Outsiders and The Media

4.1.3.4 Observing Non-Verbal Communication – The Underlying Culture

4.2 Understand the Business Environment

4.2.1 Examining the Environment the Business Operates In

4.3 Understand Your Stakeholders

4.3.1 What is a Stakeholder?

4.3.1.1 Finding Your Stakeholders: A Closer Look

4.3.2 Why Stakeholders Matter

4.3.2.1 Risk Stakeholder Conflict

Questions for Discussion

References

Learn More About It

5: The ESRM Cycle – An Overview

5.1 What is ESRM? – A Closer Look

5.1.1 Similarities to Industry Life Cycles

5.1.2 Application of the ESRM Model

5.2 The ESRM Life Cycle Model in Action

5.2.1 A Task Management Approach

5.2.2 An ESRM Approach

5.3 ESRM is Cyclical, But Not Always Sequential

Questions for Discussion

References

6: The ESRM Cycle – Step 1: Identify and Prioritize Assets

6.1 Step 1 – Identify and Prioritize Assets

6.2 What is an Asset?

6.2.1 How Do You Identify Business Assets?

6.2.1.1 Finding Tangible Assets

6.2.1.2 Finding Intangible Assets

6.2.2 Who Really “Owns” an Asset?

6.2.2.1 A Building

6.2.2.2 A Server

6.2.2.3 The Web of Assets and Asset Owners/Stakeholders

6.3 How Do You Assign Value to Assets?

6.3.1 Simple Tangible Asset Valuation (Two Methods)

6.3.2 Complex Tangible Asset Valuation

6.3.3 Intangible Asset Valuation (Three Methods)

6.3.4 Business Impact Analysis (BIA)

6.4 How Do You Prioritize Assets for Protection?

6.5 How Do You Deal with Conflicts in Asset Valuation and Prioritization?

Questions for Discussion

References

Learn More About It

7: The ESRM Cycle – Step 2: Identify and Prioritize Security Risks

7.1 Identify and Prioritize Security Risks

7.2 What is Risk?

7.2.1 The Risk Triangle

7.3 The Risk Assessment Process

7.3.1 ISO Standard and Good Practices

7.3.1.1 The ESRM Difference

7.4 Risk Identification – Finding all the Risks

7.5 Prioritizing Risks for Mitigation

7.5.1 Presenting a Risk Matrix

7.5.1.1 Education vs. Fear

7.5.1.2 Building a Matrix

7.5.1.3 Building a Heat Map

7.5.1.4 Security Risk Decision-Making

7.5.2 Conflicts in Risk Prioritization

7.5.2.1 The Role of Security

7.5.2.2 The Role of the Asset Owner

Discussion Questions

References

Learn More About It

8: The ESRM Cycle – Step 3: Mitigate Prioritized Risks

8.1 Mitigate Prioritized Risks

8.2 Risk Management and Mitigation Responses in Existing Industry Standards

8.2.1 The ISO Risk Management Standard

8.2.2 The ESRM Difference

8.3 Risk Treatment Options

8.4 Risk Mitigation Decisions

8.4.1 Conflicts in Risk Mitigation Decisions

Questions for Discussion

Learn More About It

9: The ESRM Cycle – Step 4: Improve and Advance

9.1 Improve and Advance

9.2 Incident Response

9.3 ESRM Investigations and Root Cause Analysis

9.3.1 Performing a Root Cause Analysis

9.4 Ongoing Security Risk Assessment

9.4.1 Sources of Risk Awareness

9.4.2 Reporting and Employee Vigilance

Questions for Discussion

References

Learn More About It

Part 3: Designing a Program That Works for Your Enterprise

10: Designing an ESRM Program to Fit Your Enterprise

10.1 Design Thinking – A Conceptual Model for Your ESRM Program

10.2 The Phases of Design Thinking

10.2.1 Empathize Phase

10.2.2 Define Phase

10.2.3 Ideate Phase

10.2.4 Prototype Phase

10.2.5 Test Phase

10.3 ESRM Program Rollout in a Formal Design Thinking Model

10.3.1 Educate and Involve the Stakeholders (Empathy)

10.3.2 Iterate the Process (Your Definition and Prototypes)

10.3.3 Mature the Process (Testing and Feedback)

10.3.4 Expand the Process (Begin Again with a Larger Scope)

Questions for Discussion

References

Learn More About It

11: Rolling Out Your ESRM Program

11.1 Rolling out ESRM in the Real World – A Story

11.1.1 Step 1: Understanding the Current Environment and the Current Challenges (Empathy with Our Security Team)

11.1.1.1 A Deeper Dive (Even More Empathy)

11.1.2 Step 2: Communicating with the Business and Other Stakeholders (Empathy with Our Strategic Partners)

11.1.3 Step 3: Creating a Roadmap for the Program Rollout (Ideation and Brainstorming)

11.1.4 Step 4: Piloting the Program (Prototyping and Feedback)

11.1.5 Step 5: Implementation and Evolution Across the Enterprise

11.2 ESRM Program Rollout Checklist

Questions for Discussion

Learn More About It

Part 4: Making ESRM Work for Your Organization

12: ESRM Essentials for Success

12.1 Transparency

12.1.1 Risk Transparency

12.1.2 Process Transparency

12.2 Independence

12.3 Authority

12.4 Scope

12.5 Parallels with Other Risk-Based Functions

12.5.1 What Are Audit, Legal, and Compliance?

12.5.2 What do Legal, Audit and Compliance Functions Need for Success?

Questions for Discussion

References

Learn More About It

13: Security Governance

13.1 What is Corporate Governance?

13.1.1 Defining Corporate Governance

13.1.2 Why is Corporate Governance Important?

13.1.3 Common Themes in Corporate Governance

13.2 The Security Council: ESRM Governance

13.2.1 Who is the ESRM Security Council?

13.2.2 The Security Council’s Role in ESRM

13.2.3 Setting Up a Security Council

13.2.3.1 Step 1: Define the Council Structure that Will Best Serve Enterprise Needs

13.2.3.2 Step 2: Define the Security Council Stakeholders

13.2.3.3 Step 3: Define the Mission, Objectives, and Goals of the Security Council and Document Them in a Council Charter

13.2.3.4 Step 4: Define Measurements/Project Key Performance Indicators (KPIs) for ESRM

13.2.3.5 Step 5: Develop a List of Potential Quick “Wins” for the ESRM Program

13.2.3.6 Step 6: Begin the Process of Meeting, Reviewing, and Directing the Program According to the Council Charter

13.2.4 Security’s Role on the Security Council: What It Is and What It Is Not

Questions for Discussion

References

Learn More About It

14: The Security Organization

14.1 Where Should Security Report in an Organization Structure?

14.1.1 Determining the Optimal Security Organization Reporting Lines

14.1.1.1 Question 1 – What Does Security Need to be Successful?

14.1.1.2 Question 2 – Which Lines of Reporting Carry Obvious Conflicts?

14.1.1.3 Question 3 – What Reporting Structures are Available in This Enterprise?

14.2 The Greatest Success Comes with the Greatest Independence

14.3 Security Organization Internal Structure

14.3.1 Defining Strategic Leadership Roles

14.3.1.1 Aligning Tactical Skillsets with Strategic Management

14.3.1.2 Transitioning Yourself from a Tactical Practitioner to a Strategic Leader

Questions for Discussion

Learn More About It

Part 5: An ESRM Approach to Tactical Security Disciplines

15: ESRM and Investigations

15.1 How does the Investigations Discipline Fit in the ESRM Life Cycle?

15.2 An Investigation is an Incident Response

15.3 An Investigation is the Source of Root Cause Analysis

15.3.1 Identifying Root Causes Through Security Investigations

15.3.1.1 Preparing for a Risk-Based Investigation

15.3.1.2 During an ESRM Investigation

15.3.2 Reporting Root Causes After a Security Investigation

15.4 Investigations Drive Ongoing Risk Assessment

15.4.1 Postmortem Reporting and Responsibilities

15.4.1.1 Security Role and Responsibilities

15.4.1.2 Strategic Partner Role and Responsibilities

15.5 A Deeper Look at the Role of Investigations in ESRM

15.5.1 Comparing Traditional and ESRM Investigations

15.5.1.1 One Successful Outcome

15.5.1.2 All Successful Outcomes May Not Look the Same

15.5.2 The ESRM Difference

15.5.2.1 A Difference in Focus: Fact-Finding Versus Risk Identification

15.5.2.2 A Difference in Goals – Accountability versus Risk Mitigation

Questions for Discussion

Learn More About It

16: ESRM and Physical Security

16.1 How does the Physical Security Discipline Fit in the ESRM Life Cycle?

16.2 Physical Security Activities Help Identify and Prioritize Assets

16.3 Physical Security Activities Help to Identify and Prioritize Risks

16.4 Physical Security Activities Serve to Mitigate Prioritized Risks

16.4.1 Turning a Task into a Security Risk Mitigation Activity

16.5 Physical Security Provides First Line Incident Response

16.6 Physical Security Provides Input to Ongoing Risk Assessment

16.7 A Deeper Look at the Role of Physical Security in ESRM

16.7.1 Comparing Traditional and ESRM Physical Security Methods

16.7.1.1 One Successful Outcome

16.7.1.2 All Successful Outcomes May Not Look the Same

16.7.2 The ESRM Difference

16.7.2.1 A Difference in Perception

16.7.2.2 A Difference in Approach: Risk Management as a Positive Practice

Questions for Discussion

Learn More About It

17: ESRM and Cybersecurity and Information Security

17.1 How does Cyber and Information Security Fit in the ESRM Life Cycle?

17.1.1 The ESRM Cycle and the NIST Cybersecurity Framework

17.1.1.1 Identify

17.1.1.2 Protect

17.1.1.3 Detect

17.1.1.4 Respond

17.1.1.5 Recover

17.2 Identifying and Prioritizing Assets in the Cyber Environment

17.3 Identifying and Prioritizing Risks in the Cyber Environment

17.3.1 Risk in Cyber and Information Security

17.4 Mitigate Prioritized Risks

17.4.1 Risk Mitigation Planning: The Cybersecurity Framework

17.4.1.1 Performing a Gap Analysis for Risk Mitigation Planning

17.5 Improve and Advance

17.5.1 Using the NIST Framework to Improve and Advance

17.6 A Deeper Look at the Role of Cyber and Information Security in ESRM

17.6.1 Operational Technology – More than Just Data

Questions for Discussion

References

Learn More About It

18: ESRM and Workplace Violence and Threat Management

18.1 How does Workplace Violence Prevention and Threat Management Fit in the ESRM Life Cycle?

18.2 Identifying and Prioritizing Assets in Workplace Violence Prevention and Threat Management Programs

18.2.1 Asset Owners and Stakeholders: Everyone Owns Workplace Violence Prevention, Not Just Security

18.3 Identifying and Prioritizing Risks in Workplace Violence Prevention and Threat Management Programs

18.4 Mitigate Prioritized Risks Through Workplace Violence Prevention and Threat Management Program Design

18.5 Incident Response in Workplace Violence Prevention and Threat Management Programs

18.6 Root Cause Analysis in Workplace Violence Prevention and Threat Management Programs

18.7 Ongoing Risk Assessment in Workplace Violence Prevention and Threat Management Programs

18.8 A Deeper Look at the Role of Workplace Violence Prevention and Threat Management in ESRM

18.8.1 A Difference in Focus: Holistic Workplace Violence Prevention and Threat Management Programs vs. Workplace Violence Response Training

18.8.2 A Difference in Culture – Workplace Violence Awareness

Questions for Discussion

References

19: ESRM and Business Continuity and Crisis Management

19.1 How does Business Continuity and Crisis Management Fit in the ESRM Life Cycle?

19.2 Identifying and Prioritizing Assets and Risks in a Business Continuity and Crisis Management Program

19.3 Mitigating Prioritized Risks in a Business Continuity and Crisis Management Program

19.4 Incident Response in a Business Continuity and Crisis Management Program

19.5 Root Cause Analysis in a Business Continuity and Crisis Management Program

19.6 Ongoing Risk Assessment in a Business Continuity and Crisis Management Program

19.7 A Deeper Look at the Role of Business Continuity and Crisis Management in ESRM

19.7.1 A Difference in Authority – Getting Traction

19.7.2 A Difference in Transparency – Driving Acceptance Through Simplification

19.7.3 A Difference in Independence – Ensuring Participation Through an Overarching Program

19.7.4 A Difference in Scope – Leveraging Resources for Success

Questions for Discussion

References

Learn More About It

Part 6: ESRM Program Performance and Evaluation

20: ESRM for Business Executives and Boards of Directors

20.1 What do the executives need to know about ESRM?

20.1.1 Point 1 for Executives – Understand What ESRM is and the Value of Implementing ESRM Within the Organization

20.1.2 Point 2 for Executives – Understand the Underlying Philosophy of ESRM and the Role of Security

20.1.3 Point 3 for Executives – Essential Requirements for Security Success

To communicate the basics of the ESRM philosophy, you will need to make sure your executives have a good understanding of the essential foundational elements of a successful ESRM program, which are:

20.1.3.1 Transparency

20.1.3.2 Independence

20.1.3.3 Authority

20.1.3.4 Scope

20.1.4 Point 4 for Executives – Understand ESRM Parallels with Other Risk-Based Functions

20.1.5 Tailoring the Conversation

20.2 What is the Role of Executives in an ESRM Program?

20.2.1 The Executive Role of Ensuring a Definition of Security Success

20.2.2 The Executive Role of Ensuring the Correct Security Skillsets

20.2.3 The Executive Role of Ensuring the Essentials for Success are in Place

20.2.4 The Executive Role of Ensuring the Correct Reporting Structure

20.2.5 The Executive Role of Ensuring that the Board or Enterprise Ownership is Aware of the Role of Security and of Security Risks as a Business-Critical Topic

20.3 What Should Executives and Boards of Directors Expect From ESRM?

20.3.1 Reporting and Metrics

20.3.2 Transparency of Risk

20.3.3 Communications, Notifications, and Awareness

Questions for Discussion

References

Learn More About It

21: Security Budgeting Process

21.1 How has Security Budgeting been Approached Before?

21.1.1 Fear, Uncertainty, Doubt – The FUD Factor

21.1.2 Making the Best of What You are Given, and the “Blame Game”

21.1.3 Return on Security Investment

21.1.3.1 Return on (Non-Security) Investment

21.1.3.2 Whose “Return” is It?

21.2 The ESRM Approach to Security Budgeting

21.2.1 Value Chain Theory

21.2.1.1 Increasing Value to your Primary Function Strategic Partners

21.2.1.2 Is Security a Support or Primary Activity?

21.3 Changing from a Traditional Security Budget to an ESRM Budget

21.3.1 Discover Existing Security Tasks and Activities

21.3.2 Personnel Discovery

21.3.3 Financial Discovery

21.3.4 Building the Unified Budget

21.4 Ongoing/Annual Budgeting

21.4.1 Budget Updates

21.4.2 Budget Decision Making and Risk Tolerance

21.5 Procurement Partnerships and the Role of Procurement in the Budget Process

Questions for Discussion

References

Learn More About It

22: Reporting and Metrics That Matter

22.1 Why are Security Metrics Important?

22.2 What is the Traditional View of Security Metrics Reporting?

22.3 What is the ESRM View of Security Metrics Reporting?

22.3.1 Metrics of Risk Tolerance

22.3.1.1 Metrics of Risk Tolerance for Security Disciplines

22.3.2 Metrics of Security Efficiency

22.3.3 Comparing ESRM and Traditional Security Reporting

22.4 Building Metrics Reports

22.4.1 Communicating to an Executive Audience

22.4.1.1 Planning a Security Report for Executives

22.4.1.2 Building a Security Report for Executives

22.4.2 Communicating to the Security Council Audience

22.4.2.1 Planning a Security Report for the Security Council

22.4.2.2 Building a Security Report for the Security Council

22.4.3 Communicating to a Strategic Partner Audience

22.4.3.1 Planning a Security Report for Strategic Partners

22.4.3.2 Building a Security Report for Strategic Partners

22.4.4 Communicating to Security Functional Leadership

22.4.4.1 Planning a Security Report for Security Management

22.4.4.2 Building a Security Report for Security Management

Questions for Discussion

Learn More About It

23: ESRM and the Path to Security Convergence

23.1 The Common View of Security Convergence

23.1.1 Technological Convergence

23.1.2 Organization Convergence

23.2 The ESRM View of Security Convergence

23.2.1 Convergence of Philosophy

23.3 Why ESRM Often Leads to Converged Organizations

23.3.1 Changed Understanding of Roles Leads to Changed Structures

23.3.2 Changed Understanding of Risks Leads to Changed Structures

23.3.3 Changed Understanding of Practices Leads to Changed Structures

23.3.4 The Convergence Decision

23.4 The Benefits of a Converged Organization in an ESRM Security Program

23.4.1 The Converged Security Team Aligns All Security with the Enterprise Business Mission

23.4.2 The Converged Security Team Helps Change the Perception of Security

23.4.3 A Converged Security Program Unifies Security Awareness Efforts

23.4.4 A Converged Security Program Reduces Employee Confusion

23.4.5 A Converged Security Program Promotes Efficiency of Security Operations

23.4.6 A Converged Security Program Optimizes the Risk Profile

23.5 The Challenges of Converging an Organization in an ESRM Security Program

23.5.1 The “Culture” Challenge

23.5.2 The “Control” Challenge

23.5.3 The “Different Tasks” Challenge

23.6 Executive Leadership of a Converged Organization in an ESRM Environment

23.6.1 CSO Requirements in a Converged ESRM Organization

23.7 If Your Enterprise Chooses to Converge

Questions for Discussion

References

Learn More About It

Credits

About the Authors

Enterprise Security Risk Management: Concepts and Applications

By Brian J. Allen and Rachelle Loyear

Table of Contents

Copyright

Dedication

Acknowledgments

Foreword

Part 1: Why Enterprise Security Risk Management (ESRM)?

1: What is Enterprise Security Risk Management?

1.1 ESRM Defined

1.1.1 Enterprise

1.1.2 Security Risk

1.1.3 Risk Principles

1.2 ESRM Overview

1.2.1 ESRM Mission and Goals

1.2.2 ESRM Life Cycle – A Quick Look

1.2.3 Your Role in ESRM

1.3 Why is ESRM Important?

1.3.1 Traditional Corporate Security Scenarios: Something is Missing

1.3.2 ESRM as a Driver for Consistency

1.4 What is ESRM Not?

1.4.1 How is ESRM Different from Enterprise Risk Management (ERM)?

Title page

Cover

Questions for Discussion

References

Learn More About It

2: How Can ESRM Help You?

2.1 Security Function Professionals

2.1.1 The Student

2.1.1.1 How Can ESRM Help You?

2.1.2 The New Security Practitioner

2.1.2.1 How Can ESRM Help You?

2.1.3 The Security Manager or Executive

2.1.3.1 How Can ESRM Help You?

2.1.4 The Transitioning Public Sector Professional

2.1.4.1 How Can ESRM Help You?

2.2 Business Functional Professionals

2.2.1 The Business Function Manager

2.2.1.1 How Can ESRM Help You?

2.2.2 The Senior Executive

2.2.2.1 How Can ESRM Help Your Organization?

2.2.3 The Company Board of Directors

2.2.3.1 How Can ESRM Help Your Organization?

Questions for Discussion

References

3: How Can ESRM Help Your Security Program?

3.1 The Traditional View of Security and Why the Industry Must Change

3.1.1 The Traditional View of Security

3.1.1.1 What Does Security Do? – The Answer from the Security Practitioner

3.1.1.2 What Does Security Do? – The Answer from the Board of Directors and Senior Executives

3.1.2 Why the Security Industry Needs to Define “Security”

3.1.3 The ESRM View of Security – A Profession, not a Trade

3.1.3.1. Managing Security Risks

3.1.4 ESRM-Based Security – Moving from Task Management to Risk Management

3.1.4.1 Security Task Management

3.1.4.2 Security Risk Management

3.1.4.3 The ESRM Solution: A New Philosophy

3.1.5 Why Is the Traditional Approach to Security So Frustrating for So Many People?

3.1.5.1 The Missing Network Switch: A Story of Security Frustration

3.1.5.1.1 The Traditional Security Environment

3.1.5.1.2 The ESRM Security Environment

3.1.5.1.3 The ESRM Difference

3.2 The Evolving Global Risk Environment is Driving Industry to Risk Management Postures

3.2.1 Security and Risk Threats are Real

3.2.2 The Risk Conversation is Changing Rapidly

3.3 What Does “Security Success” Look Like?

3.3.1 Success is Not Just Measured by Numbers

3.3.2 In Security Success, Intangibles are Important

3.3.3 Your Answers Create Your Definition of “Success”

3.3.4 The Security Professional and the Business Leader: Using ESRM to Move Beyond Frustration to Success

3.3.5 The ESRM Philosophy of Security Success

3.3.5.1 Security Becomes Strategic

3.3.5.2 Security Becomes a Business Function

Questions for Discussion

References

Learn More About It

Part 2: The Fundamentals of ESRM

4: Preparing for an ESRM Program

4.1 Understand the Business and its Mission

4.1.1 Holistic Understanding of Risk

4.1.2 The Needs of Your Business

4.1.3 Sources of Information

4.1.3.1 Company Insiders

4.1.3.2 Company Published Communications

4.1.3.3 Outsiders and The Media

4.1.3.4 Observing Non-Verbal Communication – The Underlying Culture

4.2 Understand the Business Environment

4.2.1 Examining the Environment the Business Operates In

4.3 Understand Your Stakeholders

4.3.1 What is a Stakeholder?

4.3.1.1 Finding Your Stakeholders: A Closer Look

4.3.2 Why Stakeholders Matter

4.3.2.1 Risk Stakeholder Conflict

Questions for Discussion

References

Learn More About It

5: The ESRM Cycle – An Overview

5.1 What is ESRM? – A Closer Look

5.1.1 Similarities to Industry Life Cycles

5.1.2 Application of the ESRM Model

5.2 The ESRM Life Cycle Model in Action

5.2.1 A Task Management Approach

5.2.2 An ESRM Approach

5.3 ESRM is Cyclical, But Not Always Sequential

Questions for Discussion

References

6: The ESRM Cycle – Step 1: Identify and Prioritize Assets

6.1 Step 1 – Identify and Prioritize Assets

6.2 What is an Asset?

6.2.1 How Do You Identify Business Assets?

6.2.1.1 Finding Tangible Assets

6.2.1.2 Finding Intangible Assets

6.2.2 Who Really “Owns” an Asset?

6.2.2.1 A Building

6.2.2.2 A Server

6.2.2.3 The Web of Assets and Asset Owners/Stakeholders

6.3 How Do You Assign Value to Assets?

6.3.1 Simple Tangible Asset Valuation (Two Methods)

6.3.2 Complex Tangible Asset Valuation

6.3.3 Intangible Asset Valuation (Three Methods)

6.3.4 Business Impact Analysis (BIA)

6.4 How Do You Prioritize Assets for Protection?

6.5 How Do You Deal with Conflicts in Asset Valuation and Prioritization?

Questions for Discussion

References

Learn More About It

7: The ESRM Cycle – Step 2: Identify and Prioritize Security Risks

7.1 Identify and Prioritize Security Risks

7.2 What is Risk?

7.2.1 The Risk Triangle

7.3 The Risk Assessment Process

7.3.1 ISO Standard and Good Practices

7.3.1.1 The ESRM Difference

7.4 Risk Identification – Finding all the Risks

7.5 Prioritizing Risks for Mitigation

7.5.1 Presenting a Risk Matrix

7.5.1.1 Education vs. Fear

7.5.1.2 Building a Matrix

7.5.1.3 Building a Heat Map

7.5.1.4 Security Risk Decision-Making

7.5.2 Conflicts in Risk Prioritization

7.5.2.1 The Role of Security

7.5.2.2 The Role of the Asset Owner

Discussion Questions

References

Learn More About It

8: The ESRM Cycle – Step 3: Mitigate Prioritized Risks

8.1 Mitigate Prioritized Risks

8.2 Risk Management and Mitigation Responses in Existing Industry Standards

8.2.1 The ISO Risk Management Standard

8.2.2 The ESRM Difference

8.3 Risk Treatment Options

8.4 Risk Mitigation Decisions

8.4.1 Conflicts in Risk Mitigation Decisions

Questions for Discussion

Learn More About It

9: The ESRM Cycle – Step 4: Improve and Advance

9.1 Improve and Advance

9.2 Incident Response

9.3 ESRM Investigations and Root Cause Analysis

9.3.1 Performing a Root Cause Analysis

9.4 Ongoing Security Risk Assessment

9.4.1 Sources of Risk Awareness

9.4.2 Reporting and Employee Vigilance

Questions for Discussion

References

Learn More About It

Part 3: Designing a Program That Works for Your Enterprise

10: Designing an ESRM Program to Fit Your Enterprise

10.1 Design Thinking – A Conceptual Model for Your ESRM Program

10.2 The Phases of Design Thinking

10.2.1 Empathize Phase

10.2.2 Define Phase

10.2.3 Ideate Phase

10.2.4 Prototype Phase

10.2.5 Test Phase

10.3 ESRM Program Rollout in a Formal Design Thinking Model

10.3.1 Educate and Involve the Stakeholders (Empathy)

10.3.2 Iterate the Process (Your Definition and Prototypes)

10.3.3 Mature the Process (Testing and Feedback)

10.3.4 Expand the Process (Begin Again with a Larger Scope)

Questions for Discussion

References

Learn More About It

11: Rolling Out Your ESRM Program

11.1 Rolling out ESRM in the Real World – A Story

11.1.1 Step 1: Understanding the Current Environment and the Current Challenges (Empathy with Our Security Team)

11.1.1.1 A Deeper Dive (Even More Empathy)

11.1.2 Step 2: Communicating with the Business and Other Stakeholders (Empathy with Our Strategic Partners)

11.1.3 Step 3: Creating a Roadmap for the Program Rollout (Ideation and Brainstorming)

11.1.4 Step 4: Piloting the Program (Prototyping and Feedback)

11.1.5 Step 5: Implementation and Evolution Across the Enterprise

11.2 ESRM Program Rollout Checklist

Questions for Discussion

Learn More About It

Part 4: Making ESRM Work for Your Organization

12: ESRM Essentials for Success

12.1 Transparency

12.1.1 Risk Transparency

12.1.2 Process Transparency

12.2 Independence

12.3 Authority

12.4 Scope

12.5 Parallels with Other Risk-Based Functions

12.5.1 What Are Audit, Legal, and Compliance?

12.5.2 What do Legal, Audit and Compliance Functions Need for Success?

Questions for Discussion

References

Learn More About It

13: Security Governance

13.1 What is Corporate Governance?

13.1.1 Defining Corporate Governance

13.1.2 Why is Corporate Governance Important?

13.1.3 Common Themes in Corporate Governance

13.2 The Security Council: ESRM Governance

13.2.1 Who is the ESRM Security Council?

13.2.2 The Security Council’s Role in ESRM

13.2.3 Setting Up a Security Council

13.2.3.1 Step 1: Define the Council Structure that Will Best Serve Enterprise Needs

13.2.3.2 Step 2: Define the Security Council Stakeholders

13.2.3.3 Step 3: Define the Mission, Objectives, and Goals of the Security Council and Document Them in a Council

Charter

13.2.3.4 Step 4: Define Measurements/Project Key Performance Indicators (KPIs) for ESRM

13.2.3.5 Step 5: Develop a List of Potential Quick “Wins” for the ESRM Program

13.2.3.6 Step 6: Begin the Process of Meeting, Reviewing, and Directing the Program According to the Council

Charter.

13.2.4 Security’s Role on the Security Council: What It Is and What It Is Not

Questions for Discussion

References

Learn More About It

14: The Security Organization

14.1 Where Should Security Report in an Organization Structure?

14.1.1 Determining the Optimal Security Organization Reporting Lines

14.1.1.1 Question 1 – What Does Security Need to be Successful?

14.1.1.2 Question 2 – Which Lines of Reporting Carry Obvious Conflicts?

14.1.1.3 Question 3 – What Reporting Structures are Available in This Enterprise?

14.2 The Greatest Success Comes with the Greatest Independence

14.3 Security Organization Internal Structure

14.3.1 Defining Strategic Leadership Roles

14.3.1.1 Aligning Tactical Skillsets with Strategic Management

14.3.1.2 Transitioning Yourself from a Tactical Practitioner to a Strategic Leader

Questions for Discussion

Learn More About It

Part 5: An ESRM Approach to Tactical Security Disciplines

15: ESRM and Investigations

15.1 How does the Investigations Discipline Fit in the ESRM Life Cycle?

15.2 An Investigation is an Incident Response

15.3 An Investigation is the Source of Root Cause Analysis

15.3.1 Identifying Root Causes Through Security Investigations

15.3.1.1 Preparing for a Risk-Based Investigation

15.3.1.2 During an ESRM Investigation

15.3.2 Reporting Root Causes After a Security Investigation

15.4 Investigations Drive Ongoing Risk Assessment

15.4.1 Postmortem Reporting and Responsibilities

15.4.1.1 Security Role and Responsibilities

15.4.1.2 Strategic Partner Role and Responsibilities

15.5 A Deeper Look at the Role of Investigations in ESRM

15.5.1 Comparing Traditional and ESRM Investigations

15.5.1.1 One Successful Outcome

15.5.1.2 All Successful Outcomes May Not Look the Same

15.5.2 The ESRM Difference

15.5.2.1 A Difference in Focus: Fact-Finding Versus Risk Identification

15.5.2.2 A Difference in Goals – Accountability versus Risk Mitigation

Questions for Discussion

Learn More About It

16: ESRM and Physical Security

16.1 How does the Physical Security Discipline Fit in the ESRM Life Cycle?

16.2 Physical Security Activities Help Identify and Prioritize Assets

16.3 Physical Security Activities Help to Identify and Prioritize Risks

16.4 Physical Security Activities Serve to Mitigate Prioritized Risks

16.4.1 Turning a Task into a Security Risk Mitigation Activity

16.5 Physical Security Provides First Line Incident Response

16.6 Physical Security Provides Input to Ongoing Risk Assessment

16.7 A Deeper Look at the Role of Physical Security in ESRM

16.7.1 Comparing Traditional and ESRM Physical Security Methods

16.7.1.1 One Successful Outcome

16.7.1.2 All Successful Outcomes May Not Look the Same

16.7.2 The ESRM Difference

16.7.2.1 A Difference in Perception

16.7.2.2 A Difference in Approach: Risk Management as a Positive Practice

Questions for Discussion

Learn More About It

17: ESRM and Cybersecurity and Information Security

17.1 How does Cyber and Information Security Fit in the ESRM Life Cycle?

17.1.1 The ESRM Cycle and the NIST Cybersecurity Framework

17.1.1.1 Identify

17.1.1.2 Protect

17.1.1.3 Detect

17.1.1.4 Respond

17.1.1.5 Recover

17.2 Identifying and Prioritizing Assets in the Cyber Environment

17.3 Identifying and Prioritizing Risks in the Cyber Environment

17.3.1 Risk in Cyber and Information Security

17.4 Mitigate Prioritized Risks

17.4.1 Risk Mitigation Planning: The Cybersecurity Framework

17.4.1.1 Performing a Gap Analysis for Risk Mitigation Planning

17.5 Improve and Advance

17.5.1 Using the NIST Framework to Improve and Advance

17.6 A Deeper Look at the Role of Cyber and Information Security in ESRM

17.6.1 Operational Technology – More than Just Data

Questions for Discussion

References

Learn More About It

18: ESRM and Workplace Violence and Threat Management

18.1 How does Workplace Violence Prevention and Threat Management Fit in the ESRM Life Cycle?

18.2 Identifying and Prioritizing Assets in Workplace Violence Prevention and Threat Management Programs

18.2.1 Asset Owners and Stakeholders: Everyone Owns Workplace Violence Prevention, Not Just Security

18.3 Identifying and Prioritizing Risks in Workplace Violence Prevention and Threat Management Programs

18.4 Mitigate Prioritized Risks Through Workplace Violence Prevention and Threat Management Program Design

18.5 Incident Response in Workplace Violence Prevention and Threat Management Programs

18.6 Root Cause Analysis in Workplace Violence Prevention and Threat Management Programs

18.7 Ongoing Risk Assessment in Workplace Violence Prevention and Threat Management Programs

18.8 A Deeper Look at the Role of Workplace Violence Prevention and Threat Management in ESRM

18.8.1 A Difference in Focus: Holistic Workplace Violence Prevention and Threat Management Programs vs. Workplace Violence Response Training

18.8.2 A Difference in Culture – Workplace Violence Awareness

Questions for Discussion

References

19: ESRM and Business Continuity and Crisis Management

19.1 How does Business Continuity and Crisis Management Fit in the ESRM Life Cycle?

19.2 Identifying and Prioritizing Assets and Risks in a Business Continuity and Crisis Management Program

19.3 Mitigating Prioritized Risks in a Business Continuity and Crisis Management Program

19.4 Incident Response in a Business Continuity and Crisis Management Program

19.5 Root Cause Analysis in a Business Continuity and Crisis Management Program

19.6 Ongoing Risk Assessment in a Business Continuity and Crisis Management Program

19.7 A Deeper Look at the Role of Business Continuity and Crisis Management in ESRM

19.7.1 A Difference in Authority – Getting Traction

19.7.2 A Difference in Transparency – Driving Acceptance Through Simplification

19.7.3 A Difference in Independence – Ensuring Participation Through an Overarching Program

19.7.4 A Difference in Scope – Leveraging Resources for Success

Questions for Discussion

References

Learn More About It

Part 6: ESRM Program Performance and Evaluation

20: ESRM for Business Executives and Boards of Directors

20.1 What do the executives need to know about ESRM?

20.1.1 Point 1 for Executives – Understand What ESRM is and the Value of Implementing ESRM Within the Organization

20.1.2 Point 2 for Executives – Understand the Underlying Philosophy of ESRM and the Role of Security

20.1.3 Point 3 for Executives – Essential Requirements for Security Success

To communicate the basics of the ESRM philosophy, you will need to make sure your executives have a good understanding of the essential foundational elements of a successful ESRM program, which are:

20.1.3.1 Transparency

20.1.3.2 Independence

20.1.3.3 Authority

20.1.3.4 Scope

20.1.4 Point 4 for Executives – Understand ESRM Parallels with Other Risk-Based Functions

20.1.5 Tailoring the Conversation

20.2 What is the Role of Executives in an ESRM Program?

20.2.1 The Executive Role of Ensuring a Definition of Security Success

20.2.2 The Executive Role of Ensuring the Correct Security Skillsets

20.2.3 The Executive Role of Ensuring the Essentials for Success are in Place

20.2.4 The Executive Role of Ensuring the Correct Reporting Structure

20.2.5 The Executive Role of Ensuring that the Board or Enterprise Ownership is Aware of the Role of Security and of Security Risks as a Business-Critical Topic

20.3 What Should Executives and Boards of Directors Expect From ESRM?

20.3.1 Reporting and Metrics

20.3.2 Transparency of Risk

20.3.3 Communications, Notifications, and Awareness

Questions for Discussion

References

Learn More About It

21: Security Budgeting Process

21.1 How has Security Budgeting been Approached Before?

21.1.1 Fear, Uncertainty, Doubt – The FUD Factor

21.1.2 Making the Best of What You are Given, and the “Blame Game”

21.1.3 Return on Security Investment

21.1.3.1 Return on (Non-Security) Investment

21.1.3.2 Whose “Return” is It?

21.2 The ESRM Approach to Security Budgeting

21.2.1 Value Chain Theory

21.2.1.1 Increasing Value to your Primary Function Strategic Partners

21.2.1.2 Is Security a Support or Primary Activity?

21.3 Changing from a Traditional Security Budget to an ESRM Budget

21.3.1 Discover Existing Security Tasks and Activities

21.3.2 Personnel Discovery

21.3.3 Financial Discovery

21.3.4 Building the Unified Budget

21.4 Ongoing/Annual Budgeting

21.4.1 Budget Updates

21.4.2 Budget Decision Making and Risk Tolerance

21.5 Procurement Partnerships and the Role of Procurement in the Budget Process

Questions for Discussion

References

Learn More About It

22: Reporting and Metrics That Matter

22.1 Why are Security Metrics Important?

22.2 What is the Traditional View of Security Metrics Reporting?

22.3 What is the ESRM View of Security Metrics Reporting?

22.3.1 Metrics of Risk Tolerance

22.3.1.1 Metrics of Risk Tolerance for Security Disciplines

22.3.2 Metrics of Security Efficiency

22.3.3 Comparing ESRM and Traditional Security Reporting

22.4 Building Metrics Reports

22.4.1 Communicating to an Executive Audience

22.4.1.1 Planning a Security Report for Executives

22.4.1.2 Building a Security Report for Executives

22.4.2 Communicating to the Security Council Audience

22.4.2.1 Planning a Security Report for the Security Council

22.4.2.2 Building a Security Report for the Security Council

22.4.3 Communicating to a Strategic Partner Audience

22.4.3.1 Planning a Security Report for Strategic Partners

22.4.3.2 Building a Security Report for Strategic Partners

22.4.4 Communicating to Security Functional Leadership

22.4.4.1 Planning a Security Report for Security Management

22.4.4.2 Building a Security Report for Security Management

Questions for Discussion

Learn More About It

23: ESRM and the Path to Security Convergence

23.1 The Common View of Security Convergence

23.1.1 Technological Convergence

23.1.2 Organization Convergence

23.2 The ESRM View of Security Convergence

23.2.1 Convergence of Philosophy

23.3 Why ESRM Often Leads to Converged Organizations

23.3.1 Changed Understanding of Roles Leads to Changed Structures

23.3.2 Changed Understanding of Risks Leads to Changed Structures

23.3.3 Changed Understanding of Practices Leads to Changed Structures

23.3.4 The Convergence Decision

23.4 The Benefits of a Converged Organization in an ESRM Security Program

23.4.1 The Converged Security Team Aligns All Security with the Enterprise Business Mission

23.4.2 The Converged Security Team Helps Change the Perception of Security

23.4.3 A Converged Security Program Unifies Security Awareness Efforts

23.4.4 A Converged Security Program Reduces Employee Confusion

23.4.5 A Converged Security Program Promotes Efficiency of Security Operations

23.4.6 A Converged Security Program Optimizes the Risk Profile

23.5 The Challenges of Converging an Organization in an ESRM Security Program

23.5.1 The “Culture” Challenge

23.5.2 The “Control” Challenge

23.5.3 The “Different Tasks” Challenge

23.6 Executive Leadership of a Converged Organization in an ESRM Environment

23.6.1 CSO Requirements in a Converged ESRM Organization

23.7 If Your Enterprise Chooses to Converge

Questions for Discussion

References

Learn More About It

Credits

About the Authors
