Enterprise Security Risk Management: Concepts and Applications
By Brian J. Allen and Rachelle Loyear
Table of Contents:
Copyright
Dedication
Acknowledgments
Foreword
Part 1: Why Enterprise Security Risk Management (ESRM)?
1: What is Enterprise Security Risk Management?
1.1 ESRM Defined
1.1.1 Enterprise
1.1.2 Security Risk
1.1.3 Risk Principles
1.2 ESRM Overview
1.2.1 ESRM Mission and Goals
1.2.2 ESRM Life Cycle – A Quick Look
1.2.3 Your Role in ESRM
1.3 Why is ESRM Important?
1.3.1 Traditional Corporate Security Scenarios: Something is Missing
1.3.2 ESRM as a Driver for Consistency
1.4 What is ESRM Not?
1.4.1 How is ESRM Different from Enterprise Risk Management (ERM)?
Questions for Discussion
References
Learn More About It
2: How Can ESRM Help You?
2.1 Security Function Professionals
2.1.1 The Student
2.1.1.1 How Can ESRM Help You?
2.1.2 The New Security Practitioner
2.1.2.1 How Can ESRM Help You?
2.1.3 The Security Manager or Executive
2.1.3.1 How Can ESRM Help You?
2.1.4 The Transitioning Public Sector Professional
2.1.4.1 How Can ESRM Help You?
2.2 Business Functional Professionals
2.2.1 The Business Function Manager
2.2.1.1 How Can ESRM Help You?
2.2.2 The Senior Executive
2.2.2.1 How Can ESRM Help Your Organization?
2.2.3 The Company Board of Directors
2.2.3.1 How Can ESRM Help Your Organization?
Questions for Discussion
References
3: How Can ESRM Help Your Security Program?
3.1 The Traditional View of Security and Why the Industry Must Change
3.1.1 The Traditional View of Security
3.1.1.1 What Does Security Do? – The Answer from the Security Practitioner
3.1.1.2 What Does Security Do? – The Answer from the Board of Directors and Senior Executives
3.1.2 Why the Security Industry Needs to Define “Security”
3.1.3 The ESRM View of Security – A Profession, not a Trade
3.1.3.1 Managing Security Risks
3.1.4 ESRM-Based Security – Moving from Task Management to Risk Management
3.1.4.1 Security Task Management
3.1.4.2 Security Risk Management
3.1.4.3 The ESRM Solution: A New Philosophy
3.1.5 Why Is the Traditional Approach to Security So Frustrating for So Many People?
3.1.5.1 The Missing Network Switch: A Story of Security Frustration
3.1.5.1.1 The Traditional Security Environment
3.1.5.1.2 The ESRM Security Environment
3.1.5.1.3 The ESRM Difference
3.2 The Evolving Global Risk Environment is Driving Industry to Risk Management Postures
3.2.1 Security and Risk Threats are Real
3.2.2 The Risk Conversation is Changing Rapidly
3.3 What Does “Security Success” Look Like?
3.3.1 Success is Not Just Measured by Numbers
3.3.2 In Security Success, Intangibles are Important
3.3.3 Your Answers Create Your Definition of “Success”
3.3.4 The Security Professional and the Business Leader: Using ESRM to Move Beyond Frustration to Success
3.3.5 The ESRM Philosophy of Security Success
3.3.5.1 Security Becomes Strategic
3.3.5.2 Security Becomes a Business Function
Questions for Discussion
References
Learn More About It
Part 2: The Fundamentals of ESRM
4: Preparing for an ESRM Program
4.1 Understand the Business and its Mission
4.1.1 Holistic Understanding of Risk
4.1.2 The Needs of Your Business
4.1.3 Sources of Information
4.1.3.1 Company Insiders
4.1.3.2 Company Published Communications
4.1.3.3 Outsiders and The Media
4.1.3.4 Observing Non-Verbal Communication – The Underlying Culture
4.2 Understand the Business Environment
4.2.1 Examining the Environment the Business Operates In
4.3 Understand Your Stakeholders
4.3.1 What is a Stakeholder?
4.3.1.1 Finding Your Stakeholders: A Closer Look
4.3.2 Why Stakeholders Matter
4.3.2.1 Risk Stakeholder Conflict
Questions for Discussion
References
Learn More About It
5: The ESRM Cycle – An Overview
5.1 What is ESRM? – A Closer Look
5.1.1 Similarities to Industry Life Cycles
5.1.2 Application of the ESRM Model
5.2 The ESRM Life Cycle Model in Action
5.2.1 A Task Management Approach
5.2.2 An ESRM Approach
5.3 ESRM is Cyclical, But Not Always Sequential
Questions for Discussion
References
6: The ESRM Cycle – Step 1: Identify and Prioritize Assets
6.1 Step 1 – Identify and Prioritize Assets
6.2 What is an Asset?
6.2.1 How Do You Identify Business Assets?
6.2.1.1 Finding Tangible Assets
6.2.1.2 Finding Intangible Assets
6.2.2 Who Really “Owns” an Asset?
6.2.2.1 A Building
6.2.2.2 A Server
6.2.2.3 The Web of Assets and Asset Owners/Stakeholders
6.3 How Do You Assign Value to Assets?
6.3.1 Simple Tangible Asset Valuation (Two Methods)
6.3.2 Complex Tangible Asset Valuation
6.3.3 Intangible Asset Valuation (Three Methods)
6.3.4 Business Impact Analysis (BIA)
6.4 How Do You Prioritize Assets for Protection?
6.5 How Do You Deal with Conflicts in Asset Valuation and Prioritization?
Questions for Discussion
References
Learn More About It
7: The ESRM Cycle – Step 2: Identify and Prioritize Security Risks
7.1 Identify and Prioritize Security Risks
7.2 What is Risk?
7.2.1 The Risk Triangle
7.3 The Risk Assessment Process
7.3.1 ISO Standard and Good Practices
7.3.1.1 The ESRM Difference
7.4 Risk Identification – Finding all the Risks
7.5 Prioritizing Risks for Mitigation
7.5.1 Presenting a Risk Matrix
7.5.1.1 Education vs. Fear
7.5.1.2 Building a Matrix
7.5.1.3 Building a Heat Map
7.5.1.4 Security Risk Decision-Making
7.5.2 Conflicts in Risk Prioritization
7.5.2.1 The Role of Security
7.5.2.2 The Role of the Asset Owner
Discussion Questions
References
Learn More About It
8: The ESRM Cycle – Step 3: Mitigate Prioritized Risks
8.1 Mitigate Prioritized Risks
8.2 Risk Management and Mitigation Responses in Existing Industry Standards
8.2.1 The ISO Risk Management Standard
8.2.2 The ESRM Difference
8.3 Risk Treatment Options
8.4 Risk Mitigation Decisions
8.4.1 Conflicts in Risk Mitigation Decisions
Questions for Discussion
Learn More About It
9: The ESRM Cycle – Step 4: Improve and Advance
9.1 Improve and Advance
9.2 Incident Response
9.3 ESRM Investigations and Root Cause Analysis
9.3.1 Performing a Root Cause Analysis
9.4 Ongoing Security Risk Assessment
9.4.1 Sources of Risk Awareness
9.4.2 Reporting and Employee Vigilance
Questions for Discussion
References
Learn More About It
Part 3: Designing a Program That Works for Your Enterprise
10: Designing an ESRM Program to Fit Your Enterprise
10.1 Design Thinking – A Conceptual Model for Your ESRM Program
10.2 The Phases of Design Thinking
10.2.1 Empathize Phase
10.2.2 Define Phase
10.2.3 Ideate Phase
10.2.4 Prototype Phase
10.2.5 Test Phase
10.3 ESRM Program Rollout in a Formal Design Thinking Model
10.3.1 Educate and Involve the Stakeholders (Empathy)
10.3.2 Iterate the Process (Your Definition and Prototypes)
10.3.3 Mature the Process (Testing and Feedback)
10.3.4 Expand the Process (Begin Again with a Larger Scope)
Questions for Discussion
References
Learn More About It
11: Rolling Out Your ESRM Program
11.1 Rolling out ESRM in the Real World – A Story
11.1.1 Step 1: Understanding the Current Environment and the Current Challenges (Empathy with Our Security Team)
11.1.1.1 A Deeper Dive (Even More Empathy)
11.1.2 Step 2: Communicating with the Business and Other Stakeholders (Empathy with Our Strategic Partners)
11.1.3 Step 3: Creating a Roadmap for the Program Rollout (Ideation and Brainstorming)
11.1.4 Step 4: Piloting the Program (Prototyping and Feedback)
11.1.5 Step 5: Implementation and Evolution Across the Enterprise
11.2 ESRM Program Rollout Checklist
Questions for Discussion
Learn More About It
Part 4: Making ESRM Work for Your Organization
12: ESRM Essentials for Success
12.1 Transparency
12.1.1 Risk Transparency
12.1.2 Process Transparency
12.2 Independence
12.3 Authority
12.4 Scope
12.5 Parallels with Other Risk-Based Functions
12.5.1 What Are Audit, Legal, and Compliance?
12.5.2 What do Legal, Audit and Compliance Functions Need for Success?
Questions for Discussion
References
Learn More About It
13: Security Governance
13.1 What is Corporate Governance?
13.1.1 Defining Corporate Governance
13.1.2 Why is Corporate Governance Important?
13.1.3 Common Themes in Corporate Governance
13.2 The Security Council: ESRM Governance
13.2.1 Who is the ESRM Security Council?
13.2.2 The Security Council’s Role in ESRM
13.2.3 Setting Up a Security Council
13.2.3.1 Step 1: Define the Council Structure that Will Best Serve Enterprise Needs
13.2.3.2 Step 2: Define the Security Council Stakeholders
13.2.3.3 Step 3: Define the Mission, Objectives, and Goals of the Security Council and Document Them in a Council Charter
13.2.3.4 Step 4: Define Measurements/Project Key Performance Indicators (KPIs) for ESRM
13.2.3.5 Step 5: Develop a List of Potential Quick “Wins” for the ESRM Program
13.2.3.6 Step 6: Begin the Process of Meeting, Reviewing, and Directing the Program According to the Council Charter
13.2.4 Security’s Role on the Security Council: What It Is and What It Is Not
Questions for Discussion
References
Learn More About It
14: The Security Organization
14.1 Where Should Security Report in an Organization Structure?
14.1.1 Determining the Optimal Security Organization Reporting Lines
14.1.1.1 Question 1 – What Does Security Need to be Successful?
14.1.1.2 Question 2 – Which Lines of Reporting Carry Obvious Conflicts?
14.1.1.3 Question 3 – What Reporting Structures are Available in This Enterprise?
14.2 The Greatest Success Comes with the Greatest Independence
14.3 Security Organization Internal Structure
14.3.1 Defining Strategic Leadership Roles
14.3.1.1 Aligning Tactical Skillsets with Strategic Management
14.3.1.2 Transitioning Yourself from a Tactical Practitioner to a Strategic Leader
Questions for Discussion
Learn More About It
Part 5: An ESRM Approach to Tactical Security Disciplines
15: ESRM and Investigations
15.1 How does the Investigations Discipline Fit in the ESRM Life Cycle?
15.2 An Investigation is an Incident Response
15.3 An Investigation is the Source of Root Cause Analysis
15.3.1 Identifying Root Causes Through Security Investigations
15.3.1.1 Preparing for a Risk-Based Investigation
15.3.1.2 During an ESRM Investigation
15.3.2 Reporting Root Causes After a Security Investigation
15.4 Investigations Drive Ongoing Risk Assessment
15.4.1 Postmortem Reporting and Responsibilities
15.4.1.1 Security Role and Responsibilities
15.4.1.2 Strategic Partner Role and Responsibilities
15.5 A Deeper Look at the Role of Investigations in ESRM
15.5.1 Comparing Traditional and ESRM Investigations
15.5.1.1 One Successful Outcome
15.5.1.2 All Successful Outcomes May Not Look the Same
15.5.2 The ESRM Difference
15.5.2.1 A Difference in Focus: Fact-Finding Versus Risk Identification
15.5.2.2 A Difference in Goals – Accountability versus Risk Mitigation
Questions for Discussion
Learn More About It
16: ESRM and Physical Security
16.1 How does the Physical Security Discipline Fit in the ESRM Life Cycle?
16.2 Physical Security Activities Help Identify and Prioritize Assets
16.3 Physical Security Activities Help to Identify and Prioritize Risks
16.4 Physical Security Activities Serve to Mitigate Prioritized Risks
16.4.1 Turning a Task into a Security Risk Mitigation Activity
16.5 Physical Security Provides First Line Incident Response
16.6 Physical Security Provides Input to Ongoing Risk Assessment
16.7 A Deeper Look at the Role of Physical Security in ESRM
16.7.1 Comparing Traditional and ESRM Physical Security Methods
16.7.1.1 One Successful Outcome
16.7.1.2 All Successful Outcomes May Not Look the Same
16.7.2 The ESRM Difference
16.7.2.1 A Difference in Perception
16.7.2.2 A Difference in Approach: Risk Management as a Positive Practice
Questions for Discussion
Learn More About It
17: ESRM and Cybersecurity and Information Security
17.1 How does Cyber and Information Security Fit in the ESRM Life Cycle?
17.1.1 The ESRM Cycle and the NIST Cybersecurity Framework
17.1.1.1 Identify
17.1.1.2 Protect
17.1.1.3 Detect
17.1.1.4 Respond
17.1.1.5 Recover
17.2 Identifying and Prioritizing Assets in the Cyber Environment
17.3 Identifying and Prioritizing Risks in the Cyber Environment
17.3.1 Risk in Cyber and Information Security
17.4 Mitigate Prioritized Risks
17.4.1 Risk Mitigation Planning: The Cybersecurity Framework
17.4.1.1 Performing a Gap Analysis for Risk Mitigation Planning
17.5 Improve and Advance
17.5.1 Using the NIST Framework to Improve and Advance
17.6 A Deeper Look at the Role of Cyber and Information Security in ESRM
17.6.1 Operational Technology – More than Just Data
Questions for Discussion
References
Learn More About It
18: ESRM and Workplace Violence and Threat Management
18.1 How does Workplace Violence Prevention and Threat Management Fit in the ESRM Life Cycle?
18.2 Identifying and Prioritizing Assets in Workplace Violence Prevention and Threat Management Programs
18.2.1 Asset Owners and Stakeholders: Everyone Owns Workplace Violence Prevention, Not Just Security
18.3 Identifying and Prioritizing Risks in Workplace Violence Prevention and Threat Management Programs
18.4 Mitigate Prioritized Risks Through Workplace Violence Prevention and Threat Management Program Design
18.5 Incident Response in Workplace Violence Prevention and Threat Management Programs
18.6 Root Cause Analysis in Workplace Violence Prevention and Threat Management Programs
18.7 Ongoing Risk Assessment in Workplace Violence Prevention and Threat Management Programs
18.8 A Deeper Look at the Role of Workplace Violence Prevention and Threat Management in ESRM
18.8.1 A Difference in Focus: Holistic Workplace Violence Prevention and Threat Management Programs vs. Workplace Violence Response Training
18.8.2 A Difference in Culture – Workplace Violence Awareness
Questions for Discussion
References
19: ESRM and Business Continuity and Crisis Management
19.1 How does Business Continuity and Crisis Management Fit in the ESRM Life Cycle?
19.2 Identifying and Prioritizing Assets and Risks in a Business Continuity and Crisis Management Program
19.3 Mitigating Prioritized Risks in a Business Continuity and Crisis Management Program
19.4 Incident Response in a Business Continuity and Crisis Management Program
19.5 Root Cause Analysis in a Business Continuity and Crisis Management Program
19.6 Ongoing Risk Assessment in a Business Continuity and Crisis Management Program
19.7 A Deeper Look at the Role of Business Continuity and Crisis Management in ESRM
19.7.1 A Difference in Authority – Getting Traction
19.7.2 A Difference in Transparency – Driving Acceptance Through Simplification
19.7.3 A Difference in Independence – Ensuring Participation Through an Overarching Program
19.7.4 A Difference in Scope – Leveraging Resources for Success
Questions for Discussion
References
Learn More About It
Part 6: ESRM Program Performance and Evaluation
20: ESRM for Business Executives and Boards of Directors
20.1 What do the executives need to know about ESRM?
20.1.1 Point 1 for Executives – Understand What ESRM is and the Value of Implementing ESRM Within the Organization
20.1.2 Point 2 for Executives – Understand the Underlying Philosophy of ESRM and the Role of Security
20.1.3 Point 3 for Executives – Essential Requirements for Security Success
To communicate the basics of the ESRM philosophy, you will need to make sure your executives have a good understanding of the essential foundational elements of a successful ESRM program, which are:
20.1.3.1 Transparency
20.1.3.2 Independence
20.1.3.3 Authority
20.1.3.4 Scope
20.1.4 Point 4 for Executives – Understand ESRM Parallels with Other Risk-Based Functions
20.1.5 Tailoring the Conversation
20.2 What is the Role of Executives in an ESRM Program?
20.2.1 The Executive Role of Ensuring a Definition of Security Success
20.2.2 The Executive Role of Ensuring the Correct Security Skillsets
20.2.3 The Executive Role of Ensuring the Essentials for Success are in Place
20.2.4 The Executive Role of Ensuring the Correct Reporting Structure
20.2.5 The Executive Role of Ensuring that the Board or Enterprise Ownership is Aware of the Role of Security and of Security Risks as a Business-Critical Topic
20.3 What Should Executives and Boards of Directors Expect From ESRM?
20.3.1 Reporting and Metrics
20.3.2 Transparency of Risk
20.3.3 Communications, Notifications, and Awareness
Questions for Discussion
References
Learn More About It
21: Security Budgeting Process
21.1 How has Security Budgeting been Approached Before?
21.1.1 Fear, Uncertainty, Doubt – The FUD Factor
21.1.2 Making the Best of What You are Given, and the “Blame Game”
21.1.3 Return on Security Investment
21.1.3.1 Return on (Non-Security) Investment
21.1.3.2 Whose “Return” is It?
21.2 The ESRM Approach to Security Budgeting
21.2.1 Value Chain Theory
21.2.1.1 Increasing Value to your Primary Function Strategic Partners
21.2.1.2 Is Security a Support or Primary Activity?
21.3 Changing from a Traditional Security Budget to an ESRM Budget
21.3.1 Discover Existing Security Tasks and Activities
21.3.2 Personnel Discovery
21.3.3 Financial Discovery
21.3.4 Building the Unified Budget
21.4 Ongoing/Annual Budgeting
21.4.1 Budget Updates
21.4.2 Budget Decision Making and Risk Tolerance
21.5 Procurement Partnerships and the Role of Procurement in the Budget Process
Questions for Discussion
References
Learn More About It
22: Reporting and Metrics That Matter
22.1 Why are Security Metrics Important?
22.2 What is the Traditional View of Security Metrics Reporting?
22.3 What is the ESRM View of Security Metrics Reporting?
22.3.1 Metrics of Risk Tolerance
22.3.1.1 Metrics of Risk Tolerance for Security Disciplines
22.3.2 Metrics of Security Efficiency
22.3.3 Comparing ESRM and Traditional Security Reporting
22.4 Building Metrics Reports
22.4.1 Communicating to an Executive Audience
22.4.1.1 Planning a Security Report for Executives
22.4.1.2 Building a Security Report for Executives
22.4.2 Communicating to the Security Council Audience
22.4.2.1 Planning a Security Report for the Security Council
22.4.2.2 Building a Security Report for the Security Council
22.4.3 Communicating to a Strategic Partner Audience
22.4.3.1 Planning a Security Report for Strategic Partners
22.4.3.2 Building a Security Report for Strategic Partners
22.4.4 Communicating to Security Functional Leadership
22.4.4.1 Planning a Security Report for Security Management
22.4.4.2 Building a Security Report for Security Management
Questions for Discussion
Learn More About It
23: ESRM and the Path to Security Convergence
23.1 The Common View of Security Convergence
23.1.1 Technological Convergence
23.1.2 Organization Convergence
23.2 The ESRM View of Security Convergence
23.2.1 Convergence of Philosophy
23.3 Why ESRM Often Leads to Converged Organizations
23.3.1 Changed Understanding of Roles Leads to Changed Structures
23.3.2 Changed Understanding of Risks Leads to Changed Structures
23.3.3 Changed Understanding of Practices Leads to Changed Structures
23.3.4 The Convergence Decision
23.4 The Benefits of a Converged Organization in an ESRM Security Program
23.4.1 The Converged Security Team Aligns All Security with the Enterprise Business Mission
23.4.2 The Converged Security Team Helps Change the Perception of Security
23.4.3 A Converged Security Program Unifies Security Awareness Efforts
23.4.4 A Converged Security Program Reduces Employee Confusion
23.4.5 A Converged Security Program Promotes Efficiency of Security Operations
23.4.6 A Converged Security Program Optimizes the Risk Profile
23.5 The Challenges of Converging an Organization in an ESRM Security Program
23.5.1 The “Culture” Challenge
23.5.2 The “Control” Challenge
23.5.3 The “Different Tasks” Challenge
23.6 Executive Leadership of a Converged Organization in an ESRM Environment
23.6.1 CSO Requirements in a Converged ESRM Organization
23.7 If Your Enterprise Chooses to Converge
Questions for Discussion
References
Learn More About It
Credits
About the Authors
Enterprise Security Risk Management: Concepts and Applications
By Brian J. Allen and Rachelle Loyear
Table of Contents
Copyright
Dedication
Acknowledgments
Foreword
Part 1: Why Enterprise Security Risk Management (ESRM)?
1: What is Enterprise Security Risk Management?
1.1 ESRM Defined
1.1.1 Enterprise
1.1.2 Security Risk
1.1.3 Risk Principles
1.2 ESRM Overview
1.2.1 ESRM Mission and Goals
1.2.2 ESRM Life Cycle – A Quick Look
1.2.3 Your Role in ESRM
1.3 Why is ESRM Important?
1.3.1 Traditional Corporate Security Scenarios: Something is Missing
1.3.2 ESRM as a Driver for Consistency
1.4 What is ESRM Not?
1.4.1 How is ESRM Different from Enterprise Risk Management (ERM)?
Title page
Cover
Questions for Discussion
References
Learn More About It
2: How Can ESRM Help You?
2.1 Security Function Professionals
2.1.1 The Student
2.1.1.1 How Can ESRM Help You?
2.1.2 The New Security Practitioner
2.1.2.1 How Can ESRM Help You?
2.1.3 The Security Manager or Executive
2.1.3.1 How Can ESRM Help You?
2.1.4 The Transitioning Public Sector Professional
2.1.4.1 How Can ESRM Help You?
2.2 Business Functional Professionals
2.2.1 The Business Function Manager
2.2.1.1 How Can ESRM Help You?
2.2.2 The Senior Executive
2.2.2.1 How Can ESRM Help Your Organization?
2.2.3 The Company Board of Directors
2.2.3.1 How Can ESRM Help Your Organization?
Questions for Discussion
References
3: How Can ESRM Help Your Security Program?
3.1 The Traditional View of Security and Why the Industry Must Change
3.1.1 The Traditional View of Security
3.1.1.1 What Does Security Do? – The Answer from the Security Practitioner
3.1.1.2 What Does Security Do? – The Answer from the Board of Directors and Senior Executives
3.1.2 Why the Security Industry Needs to Define “Security”
3.1.3 The ESRM View of Security – A Profession, not a Trade
3.1.3.1. Managing Security Risks
3.1.4 ESRM-Based Security – Moving from Task Management to Risk Management
3.1.4.1 Security Task Management
3.1.4.2 Security Risk Management
3.1.4.3 The ESRM Solution: A New Philosophy
3.1.5 Why Is the Traditional Approach to Security So Frustrating for So Many People?
3.1.5.1 The Missing Network Switch: A Story of Security Frustration
3.1.5.1.1 The Traditional Security Environment
3.1.5.1.2 The ESRM Security Environment
3.1.5.1.3 The ESRM Difference
3.2 The Evolving Global Risk Environment is Driving Industry to Risk Management Postures
3.2.1 Security and Risk Threats are Real
3.2.2 The Risk Conversation is Changing Rapidly
3.3 What Does “Security Success” Look Like?
3.3.1 Success is Not Just Measured by Numbers
3.3.2 In Security Success, Intangibles are Important
3.3.3 Your Answers Create Your Definition of “Success”
3.3.4 The Security Professional and the Business Leader: Using ESRM to Move Beyond Frustration to Success
3.3.5 The ESRM Philosophy of Security Success
3.3.5.1 Security Becomes Strategic
3.3.5.2 Security Becomes a Business Function
Questions for Discussion
References
Learn More About It
Part 2: The Fundamentals of ESRM
4: Preparing for an ESRM Program
4.1 Understand the Business and its Mission
4.1.1 Holistic Understanding of Risk
4.1.2 The Needs of Your Business
4.1.3 Sources of Information
4.1.3.1 Company Insiders
4.1.3.2 Company Published Communications
4.1.3.3 Outsiders and The Media
4.1.3.4 Observing Non-Verbal Communication – The Underlying Culture
4.2 Understand the Business Environment
4.2.1 Examining the Environment the Business Operates In
4.3 Understand Your Stakeholders
4.3.1 What is a Stakeholder?
4.3.1.1 Finding Your Stakeholders: A Closer Look
4.3.2 Why Stakeholders Matter
4.3.2.1 Risk Stakeholder Conflict
Questions for Discussion
References
Learn More About It
5: The ESRM Cycle – An Overview
5.1 What is ESRM? – A Closer Look
5.1.1 Similarities to Industry Life Cycles
5.1.2 Application of the ESRM Model
5.2 The ESRM Life Cycle Model in Action
5.2.1 A Task Management Approach
5.2.2 An ESRM Approach
5.3 ESRM is Cyclical, But Not Always Sequential
Questions for Discussion
References
6: The ESRM Cycle – Step 1: Identify and Prioritize Assets
6.1 Step 1 – Identify and Prioritize Assets
6.2 What is an Asset?
6.2.1 How Do You Identify Business Assets?
6.2.1.1 Finding Tangible Assets
6.2.1.2 Finding Intangible Assets
6.2.2 Who Really “Owns” an Asset?
6.2.2.1 A Building
6.2.2.2 A Server
6.2.2.3 The Web of Assets and Asset Owners/Stakeholders
6.3 How Do You Assign Value to Assets?
6.3.1 Simple Tangible Asset Valuation (Two Methods)
6.3.2 Complex Tangible Asset Valuation
6.3.3 Intangible Asset Valuation (Three Methods)
6.3.4 Business Impact Analysis (BIA)
6.4 How Do You Prioritize Assets for Protection?
6.5 How Do You Deal with Conflicts in Asset Valuation and Prioritization?
Questions for Discussion
References
Learn More About It
7: The ESRM Cycle – Step 2: Identify and Prioritize Security Risks
7.1 Identify and Prioritize Security Risks
7.2 What is Risk?
7.2.1 The Risk Triangle
7.3 The Risk Assessment Process
7.3.1 ISO Standard and Good Practices
7.3.1.1 The ESRM Difference
7.4 Risk Identification – Finding all the Risks
7.5 Prioritizing Risks for Mitigation
7.5.1 Presenting a Risk Matrix
7.5.1.1 Education vs. Fear
7.5.1.2 Building a Matrix
7.5.1.3 Building a Heat Map
7.5.1.4 Security Risk Decision-Making
7.5.2 Conflicts in Risk Prioritization
7.5.2.1 The Role of Security
7.5.2.2 The Role of the Asset Owner
Discussion Questions
References
Learn More About It
8: The ESRM Cycle – Step 3: Mitigate Prioritized Risks
8.1 Mitigate Prioritized Risks
8.2 Risk Management and Mitigation Responses in Existing Industry Standards
8.2.1 The ISO Risk Management Standard
8.2.2 The ESRM Difference
8.3 Risk Treatment Options
8.4 Risk Mitigation Decisions
8.4.1 Conflicts in Risk Mitigation Decisions
Questions for Discussion
Learn More About It
9: The ESRM Cycle – Step 4: Improve and Advance
9.1 Improve and Advance
9.2 Incident Response
9.3 ESRM Investigations and Root Cause Analysis
9.3.1 Performing a Root Cause Analysis
9.4 Ongoing Security Risk Assessment
9.4.1 Sources of Risk Awareness
9.4.2 Reporting and Employee Vigilance
Questions for Discussion
References
Learn More About It
Part 3: Designing a Program That Works for Your Enterprise
10: Designing an ESRM Program to Fit Your Enterprise
10.1 Design Thinking – A Conceptual Model for Your ESRM Program
10.2 The Phases of Design Thinking
10.2.1 Empathize Phase
10.2.2 Define Phase
10.2.3 Ideate Phase
10.2.4 Prototype Phase
10.2.5 Test Phase
10.3 ESRM Program Rollout in a Formal Design Thinking Model
10.3.1 Educate and Involve the Stakeholders (Empathy)
10.3.2 Iterate the Process (Your Definition and Prototypes)
10.3.3 Mature the Process (Testing and Feedback)
10.3.4 Expand the Process (Begin Again with a Larger Scope)
Questions for Discussion
References
Learn More About It
11: Rolling Out Your ESRM Program
11.1 Rolling out ESRM in the Real World – A Story
11.1.1 Step 1: Understanding the Current Environment and the Current Challenges (Empathy with Our Security Team)
11.1.1.1 A Deeper Dive (Even More Empathy)
11.1.2 Step 2: Communicating with the Business and Other Stakeholders (Empathy with Our Strategic Partners)
11.1.3 Step 3: Creating a Roadmap for the Program Rollout (Ideation and Brainstorming)
11.1.4 Step 4: Piloting the Program (Prototyping and Feedback)
11.1.5 Step 5: Implementation and Evolution Across the Enterprise
11.2 ESRM Program Rollout Checklist
Questions for Discussion
Learn More About It
Part 4: Making ESRM Work for Your Organization
12: ESRM Essentials for Success
12.1 Transparency
12.1.1 Risk Transparency
12.1.2 Process Transparency
12.2 Independence
12.3 Authority
12.4 Scope
12.5 Parallels with Other Risk-Based Functions
12.5.1 What Are Audit, Legal, and Compliance?
12.5.2 What do Legal, Audit and Compliance Functions Need for Success?
Questions for Discussion
References
Learn More About It
13: Security Governance
13.1 What is Corporate Governance?
13.1.1 Defining Corporate Governance
13.1.2 Why is Corporate Governance Important?
13.1.3 Common Themes in Corporate Governance
13.2 The Security Council: ESRM Governance
13.2.1 Who is the ESRM Security Council?
13.2.2 The Security Council’s Role in ESRM
13.2.3 Setting Up a Security Council
13.2.3.1 Step 1: Define the Council Structure that Will Best Serve Enterprise Needs
13.2.3.2 Step 2: Define the Security Council Stakeholders
13.2.3.3 Step 3: Define the Mission, Objectives, and Goals of the Security Council and Document Them in a Council
Charter
13.2.3.4 Step 4: Define Measurements/Project Key Performance Indicators (KPIs) for ESRM
13.2.3.5 Step 5: Develop a List of Potential Quick “Wins” for the ESRM Program
13.2.3.6 Step 6: Begin the Process of Meeting, Reviewing, and Directing the Program According to the Council
Charter.
13.2.4 Security’s Role on the Security Council: What It Is and What It Is Not
Questions for Discussion
References
Learn More About It
14: The Security Organization
14.1 Where Should Security Report in an Organization Structure?
14.1.1 Determining the Optimal Security Organization Reporting Lines
14.1.1.1 Question 1 – What Does Security Need to be Successful?
14.1.1.2 Question 2 – Which Lines of Reporting Carry Obvious Conflicts?
14.1.1.3 Question 3 – What Reporting Structures are Available in This Enterprise?
14.2 The Greatest Success Comes with the Greatest Independence
14.3 Security Organization Internal Structure
14.3.1 Defining Strategic Leadership Roles
14.3.1.1 Aligning Tactical Skillsets with Strategic Management
14.3.1.2 Transitioning Yourself from a Tactical Practitioner to a Strategic Leader
Questions for Discussion
Learn More About It
Part 5: An ESRM Approach to Tactical Security Disciplines
15: ESRM and Investigations
15.1 How does the Investigations Discipline Fit in the ESRM Life Cycle?
15.2 An Investigation is an Incident Response
15.3 An Investigation is the Source of Root Cause Analysis
15.3.1 Identifying Root Causes Through Security Investigations
15.3.1.1 Preparing for a Risk-Based Investigation
15.3.1.2 During an ESRM Investigation
15.3.2 Reporting Root Causes After a Security Investigation
15.4 Investigations Drive Ongoing Risk Assessment
15.4.1 Postmortem Reporting and Responsibilities
15.4.1.1 Security Role and Responsibilities
15.4.1.2 Strategic Partner Role and Responsibilities
15.5 A Deeper Look at the Role of Investigations in ESRM
15.5.1 Comparing Traditional and ESRM Investigations
15.5.1.1 One Successful Outcome
15.5.1.2 All Successful Outcomes May Not Look the Same
15.5.2 The ESRM Difference
15.5.2.1 A Difference in Focus: Fact-Finding Versus Risk Identification
15.5.2.2 A Difference in Goals – Accountability versus Risk Mitigation
Questions for Discussion
Learn More About It
16: ESRM and Physical Security
16.1 How does the Physical Security Discipline Fit in the ESRM Life Cycle?
16.2 Physical Security Activities Help Identify and Prioritize Assets
16.3 Physical Security Activities Help to Identify and Prioritize Risks
16.4 Physical Security Activities Serve to Mitigate Prioritized Risks
16.4.1 Turning a Task into a Security Risk Mitigation Activity
16.5 Physical Security Provides First Line Incident Response
16.6 Physical Security Provides Input to Ongoing Risk Assessment
16.7 A Deeper Look at the Role of Physical Security in ESRM
16.7.1 Comparing Traditional and ESRM Physical Security Methods
16.7.1.1 One Successful Outcome
16.7.1.2 All Successful Outcomes May Not Look the Same
16.7.2 The ESRM Difference
16.7.2.1 A Difference in Perception
16.7.2.2 A Difference in Approach: Risk Management as a Positive Practice
Questions for Discussion
Learn More About It
17: ESRM and Cybersecurity and Information Security
17.1 How does Cyber and Information Security Fit in the ESRM Life Cycle?
17.1.1 The ESRM Cycle and the NIST Cybersecurity Framework
17.1.1.1 Identify
17.1.1.2 Protect
17.1.1.3 Detect
17.1.1.4 Respond
17.1.1.5 Recover
17.2 Identifying and Prioritizing Assets in the Cyber Environment
17.3 Identifying and Prioritizing Risks in the Cyber Environment.
17.3.1 Risk in Cyber and Information Security
17.4 Mitigate Prioritized Risks
17.4.1. Risk Mitigation Planning: The Cybersecurity Framework
17.4.1.1. Performing a Gap Analysis for Risk Mitigation Planning
17.5 Improve and Advance
17.5.1 Using the NIST Framework to Improve and Advance
17.6 A Deeper Look at the Role of Cyber and Information Security in ESRM
17.6.1 Operational Technology – More than Just Data
Questions for Discussion
References
Learn More About It
18: ESRM and Workplace Violence and Threat Management
18.1 How Does Workplace Violence Prevention and Threat Management Fit in the ESRM Life Cycle?
18.2 Identifying and Prioritizing Assets in Workplace Violence Prevention and Threat Management Programs
18.2.1 Asset Owners and Stakeholders: Everyone Owns Workplace Violence Prevention, Not Just Security
18.3 Identifying and Prioritizing Risks in Workplace Violence Prevention and Threat Management Programs
18.4 Mitigate Prioritized Risks Through Workplace Violence Prevention and Threat Management Program Design
18.5 Incident Response in Workplace Violence Prevention and Threat Management Programs
18.6 Root Cause Analysis in Workplace Violence Prevention and Threat Management Programs
18.7 Ongoing Risk Assessment in Workplace Violence Prevention and Threat Management Programs
18.8 A Deeper Look at the Role of Workplace Violence Prevention and Threat Management in ESRM
18.8.1 A Difference in Focus: Holistic Workplace Violence Prevention and Threat Management Programs vs. Workplace Violence Response Training
18.8.2 A Difference in Culture – Workplace Violence Awareness
Questions for Discussion
References
19: ESRM and Business Continuity and Crisis Management
19.1 How Does Business Continuity and Crisis Management Fit in the ESRM Life Cycle?
19.2 Identifying and Prioritizing Assets and Risks in a Business Continuity and Crisis Management Program
19.3 Mitigating Prioritized Risks in a Business Continuity and Crisis Management Program
19.4 Incident Response in a Business Continuity and Crisis Management Program
19.5 Root Cause Analysis in a Business Continuity and Crisis Management Program
19.6 Ongoing Risk Assessment in a Business Continuity and Crisis Management Program
19.7 A Deeper Look at the Role of Business Continuity and Crisis Management in ESRM
19.7.1 A Difference in Authority – Getting Traction
19.7.2 A Difference in Transparency – Driving Acceptance Through Simplification
19.7.3 A Difference in Independence – Ensuring Participation Through an Overarching Program
19.7.4 A Difference in Scope – Leveraging Resources for Success
Questions for Discussion
References
Learn More About It
Part 6: ESRM Program Performance and Evaluation
20: ESRM for Business Executives and Boards of Directors
20.1 What Do the Executives Need to Know About ESRM?
20.1.1 Point 1 for Executives – Understand What ESRM is and the Value of Implementing ESRM Within the Organization
20.1.2 Point 2 for Executives – Understand the Underlying Philosophy of ESRM and the Role of Security
20.1.3 Point 3 for Executives – Essential Requirements for Security Success
To communicate the basics of the ESRM philosophy, you will need to make sure your executives have a good understanding of the essential foundational elements of a successful ESRM program, which are:
20.1.3.1 Transparency
20.1.3.2 Independence
20.1.3.3 Authority
20.1.3.4 Scope
20.1.4 Point 4 for Executives – Understand ESRM Parallels with Other Risk-Based Functions
20.1.5 Tailoring the Conversation
20.2 What is the Role of Executives in an ESRM Program?
20.2.1 The Executive Role of Ensuring a Definition of Security Success
20.2.2 The Executive Role of Ensuring the Correct Security Skillsets
20.2.3 The Executive Role of Ensuring the Essentials for Success are in Place
20.2.4 The Executive Role of Ensuring the Correct Reporting Structure
20.2.5 The Executive Role of Ensuring that the Board or Enterprise Ownership is Aware of the Role of Security and of Security Risks as a Business-Critical Topic
20.3 What Should Executives and Boards of Directors Expect From ESRM?
20.3.1 Reporting and Metrics
20.3.2 Transparency of Risk
20.3.3 Communications, Notifications, and Awareness
Questions for Discussion
References
Learn More About It
21: Security Budgeting Process
21.1 How has Security Budgeting been Approached Before?
21.1.1 Fear, Uncertainty, Doubt – The FUD Factor
21.1.2 Making the Best of What You are Given, and the “Blame Game”
21.1.3 Return on Security Investment
21.1.3.1 Return on (Non-Security) Investment
21.1.3.2 Whose “Return” is It?
21.2 The ESRM Approach to Security Budgeting
21.2.1 Value Chain Theory
21.2.1.1 Increasing Value to your Primary Function Strategic Partners
21.2.1.2 Is Security a Support or Primary Activity?
21.3 Changing from a Traditional Security Budget to an ESRM Budget
21.3.1 Discover Existing Security Tasks and Activities
21.3.2 Personnel Discovery
21.3.3 Financial Discovery
21.3.4 Building the Unified Budget
21.4 Ongoing/Annual Budgeting
21.4.1 Budget Updates
21.4.2 Budget Decision Making and Risk Tolerance
21.5 Procurement Partnerships and the Role of Procurement in the Budget Process
Questions for Discussion
References
Learn More About It
22: Reporting and Metrics That Matter
22.1 Why are Security Metrics Important?
22.2 What is the Traditional View of Security Metrics Reporting?
22.3 What is the ESRM View of Security Metrics Reporting?
22.3.1 Metrics of Risk Tolerance
22.3.1.1 Metrics of Risk Tolerance for Security Disciplines
22.3.2 Metrics of Security Efficiency
22.3.3 Comparing ESRM and Traditional Security Reporting
22.4 Building Metrics Reports
22.4.1 Communicating to an Executive Audience
22.4.1.1 Planning a Security Report for Executives
22.4.1.2 Building a Security Report for Executives
22.4.2 Communicating to the Security Council Audience
22.4.2.1 Planning a Security Report for the Security Council
22.4.2.2 Building a Security Report for the Security Council
22.4.3 Communicating to a Strategic Partner Audience
22.4.3.1 Planning a Security Report for Strategic Partners
22.4.3.2 Building a Security Report for Strategic Partners
22.4.4 Communicating to Security Functional Leadership
22.4.4.1 Planning a Security Report for Security Management
22.4.4.2 Building a Security Report for Security Management
Questions for Discussion
Learn More About It
23: ESRM and the Path to Security Convergence
23.1 The Common View of Security Convergence
23.1.1 Technological Convergence
23.1.2 Organization Convergence
23.2 The ESRM View of Security Convergence
23.2.1 Convergence of Philosophy
23.3 Why ESRM Often Leads to Converged Organizations
23.3.1 Changed Understanding of Roles Leads to Changed Structures
23.3.2 Changed Understanding of Risks Leads to Changed Structures
23.3.3 Changed Understanding of Practices Leads to Changed Structures
23.3.4 The Convergence Decision
23.4 The Benefits of a Converged Organization in an ESRM Security Program
23.4.1 The Converged Security Team Aligns All Security with the Enterprise Business Mission
23.4.2 The Converged Security Team Helps Change the Perception of Security
23.4.3 A Converged Security Program Unifies Security Awareness Efforts
23.4.4 A Converged Security Program Reduces Employee Confusion
23.4.5 A Converged Security Program Promotes Efficiency of Security Operations
23.4.6 A Converged Security Program Optimizes the Risk Profile
23.5 The Challenges of Converging an Organization in an ESRM Security Program
23.5.1 The “Culture” Challenge
23.5.2 The “Control” Challenge
23.5.3 The “Different Tasks” Challenge
23.6 Executive Leadership of a Converged Organization in an ESRM Environment
23.6.1 CSO Requirements in a Converged ESRM Organization
23.7 If Your Enterprise Chooses to Converge
Questions for Discussion
References
Learn More About It
Credits
About the Authors