RiskUKJune2017

More documents

Recommendations

Info

‘Learning The Business’: ESRM for Practising Security Professionals Last November, ASIS International – the largest global organisation for security management professionals with 242 chapters and 35,000 members worldwide – pinpointed Enterprise Security Risk Management as a global strategic priority for the organisation. Godfried Hendriks examines the philosophy and the management system underpinning this train of thought 24 www.risk-uk.com ASIS International’s involvement in Enterprise Security Risk Management (ESRM) can be traced back to 2005 with the creation of the Alliance for Enterprise Security Risk Management (AESRM) in tandem with the Information Systems Audit and Control Association (ISACA) and the Information Systems Security Association (ISSA). The AESRM was specifically designed to bring both Board and executive level attention to critical security-related issues and the need for a comprehensive approach to protect the enterprise. Subsequently, the AESRM produced several White Papers and other helpful documents, while ASIS has since covered ESRM in scores of articles, seminar sessions, presentations and courses. That said, the topic was never treated as a strategic priority for the organisation until last November. Both a philosophy and a management system, ESRM uses globally established risk management principles to help security professionals manage the varied security risks facing their organisations. By making ESRM a strategic objective, ASIS International is looking to shift the profession from a siloed approach for security management towards a more collaborative process. David Davis CPP, the president of ASIS in 2016 and this year’s chairman of the Board, has stated: “Today’s threats are increasingly more sophisticated, targeting organisations in myriad ways. Also, the rapidly evolving business and compliance landscape requires a somewhat more holistic and strategic approach towards managing organisational risk. As the only global professional association representing the spectrum of security, ASIS International is uniquely positioned to lead this effort.” ESRM covers not only traditional security issues such as loss prevention and terrorism, but also a broad array of topics (among them brand protection, business continuity, corporate espionage, cyber security, information security, resilience and white collar crime). It requires practitioners to continuously assess the full scope of security risks posed to their organisation, as well as within the enterprise’s complete portfolio of assets. The end goal is to effectively and efficiently manage the protection of an organisation’s enterprise-wide assets, thereby enabling the business to advance its mission with strong purpose. Another principle of ESRM is the focus on the business, its goals and objectives and the relationships security professionals must establish to successfully integrate ESRM within their organisations. Working through the phases of an ESRM programme requires greater collaboration across an organisation. The process also relies on the security professional ‘learning their business’ and understanding the many different types of assets an organisation has within its span of control. By embracing an ESRM mindset, security and risk managers will become more effective professionals and, indeed, more valuable members of their host organisations. ESRM Commission To lead the initiative, the Board of Directors at ASIS International established a two-year ESRM Commission headed by Dave Tyson CPP, president of ASIS International in 2015 and founder of CISO Insights. Tyson has reiterated that, while ASIS has been involved in ESRM for several years, it has never committed to driving the approach in this manner or emphasising its vital importance to the work ASIS’ myriad members transact on a daily basis. Tyson explained: “The ESRM Commission will develop a framework to integrate ESRM into all ASIS education, White Papers, research and other professional offerings. We believe the end result will be a more empowered membership,
Enterprise Security Risk Management safer enterprises, a more strategic approach towards risk and a far more cost-effective security function.” Serving alongside Tyson on the Commission are Brian Allen CPP, Raymond O’Hara CPP (executive vice-president at AS Solutions), John Turey CPP (senior director at TE Connectivity), John Petruzzi Junior CPP (vicepresident of integrated security solutions at G4S in North America) and Volker Wagner (senior vice-president for Deutsche Telekom). The Commission quickly received substantial input and feedback and is already laying out its strategy. One of its first steps was to create a dedicated committee focused on research. This team has begun work on a maturity model which will help security professionals evaluate their programmes on the ESRM spectrum. The maturity model adapts the Capability Maturity Model Integration process, identifying five levels of ESRM maturity within a given organisation. Security professionals will be able to ask a series of questions regarding ESRM principles and practices and then rate their responses. These ratings are key when it comes to documenting the present state of ESRM within an organisation, and offer insight into activities that security professionals can observe in a bid to improve the state of ESRM. The Research Committee is working to develop the first set of ESRM tools before ASIS International’s Annual Seminar and Exhibits, which takes place between 25-28 September in Dallas. The timeline is what might be termed ‘aggressive’, but the Commission believes developing this type of material for the annual seminar is vitally important for members. The working team progressing this material includes Rachelle Loyear and Tim McCreight CPP (director of strategic alliances at Above Security – A Hitachi Group Company), who’s a member of ASIS International’s Board of Directors. The small working team will be augmented by additional members as the workload increases with time. Strategic mindset Future projects will focus on creating material that security professionals can use in their organisations to develop a more strategic mindset for identifying and assessing risks right across the enterprise. This material will link to the education and awareness activities already underway. ASIS International has begun infusing ESRM into its programmes. Back in March, ASIS held ‘ASIS Europe 2017 – From Risk to Resilience’ in Milan. ‘Securing Today’s Connected Enterprise’ was the event’s theme and the two-day “Working through the phases of an Enterprise Security Risk Management programme requires greater collaboration across an organisation. The process also relies on the security professional ‘learning their business’” programme brought together CSOs, CISOs and their team members to assess and address complex cyber-physical risks. No less than 700 registrants from 48 countries made for an impressive crowd of both established and aspiring security leaders with many global enterprises represented. Axel Petri (senior vice-president of group security governance at Deutsche Telekom), who gave a detailed presentation at ASIS Europe 2017, noted: “With the boundaries between the physical and the virtual worlds now rapidly disappearing, how threats are labelled is no longer relevant (if it was relevant at all). You just need to know how to stop them.” Discussions on cyber-physical risks drew attention to the need for ESRM’s holistic approach. As Eduard Emde CPP (who has been named conference chairman for ASIS Europe 2018, which runs in The Hague from 18-20 April) duly reflected in the closing session: “We find ourselves faced with questions of ownership, responsibility and liability. While much debate has centred on technology risk, we’ve also been reminded that we cannot forget much more familiar foes. We were reminded how much risk stems from the human factor, whether through ignorance or by malicious intent.” Additional ESRM-related work by ASIS International includes offering nearly half a dozen ESRM sessions as part of the education line-up at the aforementioned ASIS International 63rd Annual Seminar and Exhibits. The first session, entitled ‘IT Security for Physical Security Professionals in Plain English’, will be delivered by members of the ESRM Commission as a pre-seminar session. It’s designed to enable non-IT security professionals to understand the challenges and language of IT security and then be able to go back to their organisations with the confidence needed to understand information security issues and threats and apply their learning. There have also been multiple articles in the ASIS journal Security Management, including the December 2016 front cover story ‘Metrics and the Maturity Mindset’, in addition to several well-attended webinars to help explain the concepts and lay the foundations for the work to come. Aside from this, the White Paper ‘ESRM: An Holistic Approach to Security’ is the very heart of the Society’s ESRM initiative. Godfried Hendriks BSc MBA CPP RSE: Global Management and Security Consultant and a Member of ASIS International’s Global Board of Directors 25 www.risk-uk.com
Page 1 and 2: June 2017 www.risk-uk.com Security
Page 3 and 4: June 2017 Contents 48 Contractor Sc
Page 5 and 6: Texecom Connect App New smartphone
Page 7 and 8: News Update Organisations worldwide
Page 9 and 10: News Analysis: WannaCry Ransomware
Page 11 and 12: News Special: Cortech Open Innovati
Page 13 and 14: Opinion: Closing the UK’s Technol
Page 15 and 16: INSPIRATION THROUGH INVALUABLE DIGI
Page 17 and 18: Opinion: Security’s VERTEX Voice
Page 19 and 20: BSIA Briefing IFSEC International 2
Page 21 and 22: Specialist Security Products for Pr
Page 23: Security Design in the Built Enviro
Page 27 and 28: Security Regimes for Corporate Data
Page 29: “ MY PASSION IS MAKING SURE EVERY
Page 32 and 33: IFSEC and FIREX International 2017:
Page 42 and 43: Advertisement Feature Converged Sec
Page 44 and 45: Advertisement Feature Mitigating Th
Page 46 and 47: Despite the growing need for smarte
Page 48 and 49: Contractor Screening Procedures: Er
Page 50 and 51: 16 - 17 October Whittlebury Hall Ho
Page 52 and 53: The Changing Face of Security Servi
Page 54 and 55: The Changing Face of Security Servi
Page 56: The Changing Face of Security Servi
Page 59 and 60: Access Control: Electronic and Phys
Page 61 and 62: Evaluating Fire Safety Standards eq
Page 63 and 64: Building Regulations Approved Docum
Page 65 and 66: The Security Institute’s View pen
Page 67 and 68: In the Spotlight: ASIS Internationa
Page 69 and 70: FIA Technical Briefing: Formal Qual
Page 71 and 72: Security Services: Best Practice Ca
Page 73 and 74: Machine Learning: A New Layer of Cy
Page 75 and 76:
Training and Career Development unb
Page 77 and 78:
Risk in Action Evolution determines
Page 79 and 80:
Technology in Focus Axis Communicat
Page 81 and 82:
Appointments Bob Forsyth After 30 y
Page 83 and 84:
20 - 22 JUNE 2017 EXCEL LONDON, UK
Page 85 and 86:
CCTV CONTROL ROOM & MONITORING SERV
Page 87 and 88:
SECURITY ANTI-CLIMB SOLUTIONS & SEC
show all

RiskUKJune2017

Create successful ePaper yourself

Delete template?

Save as template?