Task 1 -- Enterprise Security Risk Management (ESRM) Flashcards

1
Q

What is ESRM?

A

What is ESRM?
ESRM is a strategic approach to security management that ties an organization’s security practice to its overall strategy using globally accepted and established risk management principles.

ESRM is essentially a management process or system. ESRM is not a program or an element of an existing security program. In fact, ESRM replaces the security program methodology for managing security.

ESRM connects all key elements of security risk with the organization’s assets, informing decision making by asset owners. ESRM is scalable and dynamic, suitable for adoption by private or public sector organizations of any size or scope.

2
Q

How is ESRM Different?

A

ESRM differs from traditional program-based security management in several ways. ESRM is not built around a security program with numerous sub-programs. ESRM addresses all security risks to an organization’s assets, identifying and prioritizing them and developing specific mitigation steps. The objective is effective mitigation, not a program to address a specific threat or issue. ESRM does not attempt to assign a risk to a specific program. In ESRM, the security professional transitions from managing a security function (delegated role) to a trusted advisor and partner with asset owners. In this transition, the security professional leaves the role as a task manager executing specific steps for security services and becomes a strategic resource for the organization, adopting a more holistic view of risk.

In ESRM, asset owners own the decisions about the risks to the assets they manage. Those decisions are made with input and guidance from the security professional. As partners, they identify risks, prioritize those risks, and establish mitigation steps/methods. The asset owners are responsible for decisions regarding security risk just as they are responsible for, and direct actions on, other risks to their assets.

Through ESRM, security professionals support the organization’s mission and strategic plans using proactive management and communication of security risks to senior management and asset owners. This better enables senior management to account for risk in managing the organization’s priorities.

3
Q

How to Adopt ESRM

A

How to Adopt ESRM
ESRM has three primary components:
1. The context of ESRM, which includes organizational aspects that security professionals must understand to successfully adopt ESRM
2. The ESRM cycle, which is ESRM’s actual process of security risk management that emphasizes the importance of understanding assets
3. The foundation of ESRM, which includes organizational concepts that support the ESRM approach and maximize its impact

4
Q

The Context of ESRM

A

The Context of ESRM
For security professionals to effectively mitigate threats to their organizations, it is critical to not only understand the various threats that may impact the organization, but to also understand the organization itself.

The organization is the environment in which assets and risks live. The nature of risks and incidents can be significantly different from one organization to the next. For these reasons, understanding the organization is an initial step in ESRM and is at least as important as understanding the threats that the organization faces.

Before moving forward with transitioning to or fully implementing ESRM, it is essential for security professionals to understand the following aspects of the organization:

Mission and Vision
+ To identify risks that could undermine the organization’s strategy, security professionals must thoroughly understand it—especially its mission and vision. The more security professionals know about their organizations, the more effective they are at supporting their missions and visions.

Core Values
+ An organization’s core values frequently go beyond making a profit and increasing shareholder value. Core values may include things like environmental stewardship, the community, employee safety and security, product quality, brand and image protection, and new product development to name just a few. Core values often define the organization’s culture. Understanding value and culture is important because working in a corporate culture that does not support security will make it more difficult to introduce and implement ESRM.

Operating Environment
+ To assess risk and build relationships, security professionals need to understand the operating environment in which the organization functions. This environment includes physical, nonphysical, and logical environments. The physical environment includes much of what influences traditional security factors.

Stakeholders
+ Anyone who directly interfaces with the organization may be considered a potential stakeholder. Stakeholders may impact and/or be impacted by the organization, its assets, or its personnel. Security professionals should know stakeholders of the organization and understand what is important to those stakeholders. Knowing what is important to stakeholders enables the security professional to better advise and consult with stakeholders and assist them in formulating mitigation strategies for security and related risk.
Stakeholder support is critical to the successful adoption of ESRM. It is important to identify them, engage them, understand what is important to them, and align with their priorities. Once security professionals understand the priorities of the organization’s stakeholders, they can better support them in achieving their objectives. Creating supportive relationships is critical in an ESRM environment.
Note that understanding stakeholders does not necessarily mean harmonizing their interests—rather, it means understanding their needs and their risk insights to better facilitate the ESRM process.

5
Q

The ESRM Cycle

A

The ESRM Cycle
The ESRM Cycle is the part of the ESRM approach that describes how security risks are to be mitigated. This cycle is similar to other processes available in the security industry. The most defining characteristic is its emphasis on understanding organizational assets and involving asset owners in the risk management process.

The ESRM Cycle includes four processes:

Identify and Prioritize Assets
+ The first process in the ESRM Cycle is to identify and prioritize assets. Asset prioritization is based on each asset’s criticality to the organization’s mission and overall strategy. Asset prioritization is based in part on guidance from top management and input from asset owners and other stakeholders. The resulting prioritized list of assets is the basis for the remainder of the ESRM Cycle.

Note that ESRM considers all types of assets—physical, information, cyber, personnel, etc.—without segmenting security disciplines or operating within silos. Whatever is in scope for the security professional is also in scope for ESRM.

Identify and Prioritize Risks
+ The next process in the ESRM Cycle is to identify and prioritize risks. Risk prioritization is based on each risk’s potential to undermine the organization’s ability to execute its mission and overall strategy. Like asset prioritization, risk prioritization is based in part on guidance from top management and input from other stakeholders. The resulting prioritized list of risks, along with the prioritized list of assets, forms a set of strategic priorities that cascade throughout the entire ESRM Cycle and help guide asset owner decisions.

Mitigate Prioritized Risks
+ The next process in the ESRM Cycle is to mitigate the prioritized risks. Risks are mitigated in order of priority, using security controls recommended by the security professional and approved by the asset owner. Asset owners make the decisions with guidance from the security professional. The security professional then documents the prioritized assets and risks and the asset owners’ decisions about them, perhaps in a security risk management plan. That plan is executed by the security professional.

Continuous Improvement
+ The final process of the ESRM Cycle is continuous improvement, which spans the entire ESRM Cycle. Continuous improvement of the security program occurs because of ESRM outcomes such as improved communication, greater visibility into security risks, and effective risk prioritization and mitigation.

Various security functions naturally contribute to the continuous improvement of security through mechanisms such as lessons learned and feedback loops. Security functions that commonly contribute to security program improvement include incident response, investigations and analysis, and information sharing.

6
Q

The Foundation of ESRM

A

The Foundation of ESRM
Security professionals with a thorough understanding of the organizations they are protecting are well-positioned to successfully adopt and implement ESRM within their organizations. To ensure sustained longevity and success, there are four other critical concepts that comprise the Foundation of ESRM:

Holistic Risk Management
+ The term “holistic” refers to an inclusive, all-encompassing, or complete approach. The concept of holistic risk management has two relevant meanings from the perspective of ESRM.
ESRM advocates that all stakeholders participate in the risk management process. All stakeholders have a role, a vested interest, and a benefit from the organization’s effective management of security risk. This is especially true for asset owners and top management—these two sets of stakeholders are encouraged to be particularly active participants in an ESRM environment.
ESRM considers and accounts for all types of security risk without qualifiers or silos such as physical, cyber, information, or personnel security risk. Whatever is in the scope of responsibility for a security function is in scope for ESRM. That could be one, some, or all of these disciplines depending on the organization. Regardless of the scope of the security function, the more ESRM touches, the more it can positively impact.

Partner with Stakeholders
+ ESRM encourages security professionals to identify, engage, and align with stakeholders in the security program and the organization. Security professionals in an ESRM environment should provide guidance instead of instruction. They should support decisions about assets instead of making decisions themselves. They should base their discussions on measured risk rather than fear, uncertainty, or doubt.

Transparency
+ The term transparency refers to a clear, open, and honest approach. Increased transparency typically improves corporate culture and personnel morale, helping stakeholders feel like partners in the given process. Because partnership and stakeholder relationships are such critical components of ESRM, transparency will help ensure that these relationships and the ESRM strategy itself are successful.
Two types of transparency are particularly relevant from the perspective of ESRM.
Risk transparency. Security professionals should represent risks based on their understanding and expertise in a clear, open, and honest way. Risks should be represented exactly as they are, not exaggerated nor minimized. To ensure this, security professionals are encouraged to use objective statements, quantitative analysis, and quantifiable metrics as much as possible. This supports the role of the asset owner as the risk owner and enables informed, accurate decision making on the part of asset owners.
Process transparency. Security professionals should ensure that asset owners and stakeholders understand the organization’s security risk management process and each step of that process as security professionals guide them through it. In most organizations, there is no value in keeping this process confidential. In fact, sharing openly about the value of the process and each step as it is performed typically increases engagement and buy-in among stakeholders. Security professionals tend to relieve a defensive, cautious, or anxious posture among stakeholders by being transparent about what they are doing and why.

Governance
+ Governance refers to the rules and processes by which a function or organization is governed. Governance helps to effectively manage expectations and improves clarity and consistency. Governance also ensures that efforts across the organization ultimately satisfy the needs of the organization.
Two types of governance are particularly relevant from the perspective of ESRM.
Organizational governance. This is the system by which an organization is directed and controlled. Organizational governance typically addresses the role of top executives and the board of directors, the need for audit and oversight, the rights and responsibilities of stakeholders, and procedures for decision making. It is important for security professionals to understand how organizational governance is established and maintained, in part because ESRM governance should align with it.
ESRM governance. This is the process of setting enterprise security risk policy and direction, allocating resources, and ensuring compliance. ESRM governance is a subset of corporate governance and is modeled after organizational governance. ESRM governance is carried out by the organization’s security governance body (e.g., committee, council, or other governance group). ESRM governance body members should mostly be security risk stakeholders, not security professionals.
