Hi folks, my name is Tim McCreight and I’m a new member of the Risk, Security & Privacy practice here at Online. I wanted to take this opportunity to introduce myself to a new audience and write about one of my favourite topics in the security industry – Risk!
I’ve been in the security industry for over 35 years now, and I continue to enjoy the experience! I’ve seen so many changes – from mainframe computing systems to iPhones, and everything in between. The pace of change has increased so dramatically that we’re sometimes numb to the technical advances – and the risks that come with these changes.
For me, that’s key – understanding the risks facing our three primary Assets: People, Property, and Information. Our goal as security professionals is to be a Trusted Advisor to our clients and help them understand the risks facing the company and the strategies we can help put into place to reduce these risks.
That’s the foundation of Enterprise Security Risk Management, or ESRM. The terminology is new, but the underpinning philosophy has been around for a long time. The approach starts and ends with business leaders and executives because they’re the folks who have accountability for creating the organization’s strategies for success, and who ultimately have to accept or reject risks that could impact those objectives.
Here’s a quick description of the process surrounding ESRM, at least from my perspective:
As a security professional building a security program, my first task is to really understand my business. I need to review our strategic objectives, understand who the key stakeholders are in my company, and speak to business leaders about their role in the company and what they need to be successful. When I know this information, I can move to the next step.
Now I get a chance to link the Assets I’m trying to protect to the goals and objectives of the company. I can start answering the question of “what my company needs to be successful” and identify the Assets that support this goal. I also have to identify who “owns” an Asset, and who is the custodian of that Asset.
The most interesting phase is next – assessing Risks to the Assets. This includes spending time conducting business and technical risk assessments, with the goal of trying to determine “the effect of uncertainty on objectives”. I’ve done this using workshop sessions, Excel spreadsheets, cocktail napkins, and many ‘what if’ discussions.
Now that I’ve lined up a number of Risks to our Assets, the next step is to spend time reviewing Mitigation Strategies. The time spent with the business owners and custodians in the first two steps is extremely beneficial to this process. I’ve found folks, even non-security ones, can be very creative when it comes to reducing Risks! The goal is to document these Strategies and to prepare to present them to the business leaders or executives.
There’s a reason why ESRM focuses on this part of the framework – it brings the work around full circle, and places the decision making in the most appropriate place – the executives of the organization, the same team that created the overall goals and objectives of the company.
Far too often in my career I’ve seen security professionals simply accept these risks on behalf of the organization. That’s not our role, and it never should be. Our role is to be a Trusted Advisor, to provide our expertise in identifying risks and developing mitigation strategies. We’re also the ones who will help implement these strategies once they’re approved, with help from different teams across the company. If you left the decision to accept risk with security professionals, we probably would still be on mainframe computers… at least, that would have been my vote!
I’m curious to hear your comments on this approach. If you’d like to chat more about this, let me know! I can be reached at: firstname.lastname@example.org. You can learn more about Online's Risk, Security and Privacy practice by visiting our website or reading our collection of blogs.
Thanks so much for your time!