The Manager's Guide to Enterprise Security Risk Management
eBook - ePub

The Manager's Guide to Enterprise Security Risk Management

Essentials of Risk-Based Security

  • 114 pages
  • English
  • ePUB (mobile friendly)
  • Available on iOS & Android

About this book

Is security management changing so fast that you can't keep up? Perhaps it seems like those traditional "best practices" in security no longer work? One answer might be that you need better best practices! In their new book, The Manager's Guide to Enterprise Security Risk Management: Essentials of Risk-Based Security, two experienced professionals introduce ESRM. Their practical, organization-wide, integrated approach redefines the securing of an organization's people and assets from being task-based to being risk-based.

In their careers, the authors, Brian Allen and Rachelle Loyear, have been instrumental in successfully reorganizing the way security is handled in major corporations. In this ground-breaking book, the authors begin by defining Enterprise Security Risk Management (ESRM):

"Enterprise security risk management is the application of fundamental risk principles to manage all security risks - whether information, cyber, physical security, asset management, or business continuity - in a comprehensive, holistic, all-encompassing approach."

In the face of a continually evolving and increasingly risky global security landscape, this book takes you through the steps of putting ESRM into practice enterprise-wide, and helps you to:

  • Differentiate between traditional, task-based management and strategic, risk-based management.
  • See how adopting ESRM can lead to a more successful security program overall and enhance your own career.
  • Prepare your security organization to adopt an ESRM methodology.
  • Analyze and communicate risks and their root causes to all appropriate parties.
  • Identify what elements are necessary for long-term success of your ESRM program.
  • Ensure the proper governance of the security function in your enterprise.
  • Explain the value of security and ESRM to executives using useful metrics and reports.

Throughout the book, the authors provide a wealth of real-world case studies from a wide range of businesses and industries to help you overcome any blocks to acceptance as you design and roll out a new ESRM-based security program for your own workplace.

Frequently asked questions

Yes, you can access The Manager's Guide to Enterprise Security Risk Management by Brian J. Allen, Rachelle Loyear, Kristen Noakes-Fry in PDF and/or ePUB format, as well as other popular books in Business & Insurance. We have over one million books available in our catalogue for you to explore.

Part 1

What Is Enterprise Security Risk Management (ESRM) and How Can It Help You?

This part will help you to:
  • Understand what is meant by Enterprise Security Risk Management.
  • Explain the difference between traditional, task-based management and strategic, risk-based management.
  • Understand and overcome some of the blocks to effective relationships with enterprise leaders.
  • See how adopting ESRM can lead to a more successful security program overall and enhance your own career.

1 What is Enterprise Security Risk Management (ESRM)?

As a security practitioner, you know the world is a risky place, and you know it’s becoming more risk-filled all the time. Hardly a day goes by without headlines about a workplace shooting, a data breach, a cyber-attack, or some other security failure that has exposed an enterprise and its assets - human, physical, and intangible - to some kind of serious risk. Whatever your security role, and no matter how far along you are in your security career, it’s your responsibility to protect your enterprise and its assets against these high-profile threats, and against many others that are only beginning to emerge and be recognized. These changes in the security risk environment, and the urgent changes they require in your work as a security practitioner, are the reason we wrote this book.
This book is about an approach to security that’s new and yet familiar, radical and yet practical: enterprise security risk management (ESRM).

1.1 ESRM Defined

We’ll be discussing the meaning and implications of ESRM in depth throughout this book, but let’s begin at the beginning, with a simple, straightforward definition of the term:
Enterprise security risk management is the application of fundamental risk principles to manage all security risks - whether information, cyber, physical security, asset management, or business continuity - in a comprehensive, holistic, all-encompassing approach.
To break that down further, we can look at the individual parts of the definition.

1.1.1 Enterprise

An enterprise is a business or company.
This can be a:
  • A public, state-run, or government-run organization.
  • A privately held, family company.
  • A not-for-profit organization providing goods, services, or other non-profit activities.
  • A stockholder-controlled corporation.
  • Any other organization that exists to fulfill a purpose defined by that organization.
When we reference business, organization, company, or any similar term in this book, we are referring to any or all of the above - an enterprise.

1.1.2 Security Risk

Security risk is anything that threatens harm to the enterprise: its mission, its employees, customers, or partners, its operations, or its reputation.
That can mean:
  • A troubled employee with a gun.
  • An approaching hurricane.
  • A computer hacker in another country.
  • A dissatisfied customer with a social media account and too much time on his or her hands.
  • And, of course, many more.
Security risks take many different forms, and new ones are being introduced all the time. Recognizing those risks, making them known to the enterprise, and helping your internal functional business partners mitigate them is central to the ESRM philosophy.

1.1.3 Risk Principles

The definition of ESRM states that risks are managed through fundamental risk principles. Here, we’ll reference an already existing body of knowledge on how to manage all types of risk, and apply it specifically to the security function. There are well-established, fundamental risk principles - principles that have been tested and found effective over many years, in many different enterprises, and in many different industries - that can be used to manage risks of all types.
The International Organization for Standardization, in standard ISO 31000:2009 - Risk management - Principles and guidelines, and the American National Standards Institute, in their standard document ANSI/ASIS/RIMS RA.1-2015 - Risk Assessment, both outline similar, highly effective standards for risk management. A few examples of key principles from the ISO standard 31000 (2009) are that risk management should:
  • Be part of the decision-making process.
  • Be transparent and inclusive.
  • Be dynamic, iterative, and responsive to change.
  • Be capable of continual improvement and enhancement.
Again, these are just a few snippets from the standard. The entire standard is voluminous and comprehensive, and we’ll describe more from this risk standard and others in the course of this book to give you a road map showing how to take these fundamental principles of risk management and apply them to the security risks you are responsible for managing.

1.2 How is ESRM Different from Traditional Security?

The description of ESRM above may sound somewhat like what you and your security organization are already doing - and the fact is, you probably are already doing some parts of it.
So let’s take a look at what makes ESRM such a radical departure from traditional, “conventional” security. To do that, we need a baseline understanding of what traditional security is - and what it is not.
These days, security practitioners are often too busy dealing with threats and vulnerabilities and other urgent operational problems to ask themselves basic questions about what they do and why they do it.
Questions like:
  • What is my role in the business environment, beyond the specific security tasks I’ve been assigned?
  • Why are the tasks I do every day necessary for the enterprise?
  • How is what I do perceived in the organization?
  • What is the mission my department is chartered to accomplish?
That’s a serious problem, because in security, as in every other business discipline, if you aren’t sure what you’re trying to accomplish - why you’re doing what you’re doing - you can’t be sure you’re doing it right. And, just as important, you can’t be sure that you’re being recognized by the management in your organization as doing it right.

1.2.1 Traditional Corporate Security Scenarios: Something is Missing

One thing we’ve learned in our years as security professionals is that there are a lot of different ways to “do security.” Some are good, some are bad, most are a bit of both - and all can teach us something about how to do things better. We’ve talked to a lot of security managers and practitioners in our time, at conferences, seminars, and other industry events, and we’ve learned about a lot of different approaches to security. Here are just a few things we’ve heard about:
  • Security programs that seem to work successfully in their business environments, even though they’re run largely on instinct or experience rather than as formalized processes that could be extended into new areas.
  • Security practitioners who feel like outsiders in the enterprise, because they’re only called in when they’re “needed” - when something’s gone wrong - not before.
  • Security managers who spend all their time performing tactical functions - responding to incidents, implementing password controls, installing and monitoring video or access systems - instead of developing strategies.
  • Security programs that fail because they don’t have the participation and support that they need from the rest of the enterprise.
  • Security managers who are “blindsided” by security problems they weren’t even aware existed - but are still expected to take the blame for.
There’s a lot wrong here, and we’ll be talking throughout this book about exactly what makes these things wrong and what you, as the security practitioner, can do about it. But for now, we’d like to talk about one key component that’s missing from all these scenarios: consistency. In ESRM terms, consistency has two fundamental meanings:
  1. Consistency in applying a security risk management philosophy to every part of the security function and to the thought processes applied to all security decision-making.
  2. Consistency in how security roles and responsibilities are communicated to, and understood by, the internal strategic partners who are so critical to the success of an ESRM program.
Bringing consistency to your security program is essential to ensuring that all your stakeholders across the enterprise understand exactly what to expect from you as a security professional and from your security program, recognize and appreciate security’s roles in the enterprise and its business value, and rely on you and your team to perform your roles as trusted business partners.
Consistency is driven by:
  • Following known, documented, well communicated, practices.
  • Remembering the proper steps of all security activities and processes.
  • Always understanding the true role of the security professional as manager of security risk.
  • Incorporating that understanding and philosophy into your everyday thought processes as the security manager.
Consistency in your security program offers many benefits, but none is more important than earning the trust of the business. When your strategic partners in the enterprise can see that you perform all your security work in a consistent manner and treat al...

Table of contents

  1. Cover
  2. Title page
  3. Copyright
  4. Part 1
  5. Chapter 1: What is Enterprise Security Risk Management (ESRM)?
  6. Chapter 2: Why Does the Security Industry Need ESRM?
  7. Part 2
  8. Chapter 3: Preparing to Implement an ESRM Program
  9. Chapter 4: Following the ESRM Life Cycle
  10. Chapter 5: Phased Rollout
  11. Part 3
  12. Chapter 6: Essentials for Success
  13. Chapter 7: ESRM Governance, Metrics, and Reporting
  14. Chapter 8: Where Should Security Report in an Organization Structure?
  15. Chapter 9: What Do Executives Need to Know About ESRM?
  16. Chapter 10: Reports and Metrics
  17. References
  18. Credits
  19. About the Authors
  20. More from Publisher