Risk UK, June 2017
Enterprise Security Risk Management

safer enterprises, a more strategic approach towards risk and a far more cost-effective security function.”

Serving alongside Tyson on the Commission are Brian Allen CPP, Raymond O’Hara CPP (executive vice-president at AS Solutions), John Turey CPP (senior director at TE Connectivity), John Petruzzi Junior CPP (vice-president of integrated security solutions at G4S in North America) and Volker Wagner (senior vice-president for Deutsche Telekom).
The Commission quickly received substantial input and feedback and is already laying out its strategy. One of its first steps was to create a dedicated committee focused on research. This team has begun work on a maturity model which will help security professionals evaluate their programmes on the ESRM spectrum.

The maturity model adapts the Capability Maturity Model Integration (CMMI) process, identifying five levels of ESRM maturity within a given organisation. Security professionals will be able to ask a series of questions regarding ESRM principles and practices and then rate their responses. These ratings are key when it comes to documenting the present state of ESRM within an organisation, and offer insight into activities that security professionals can undertake in a bid to improve the state of ESRM.
The Research Committee is working to develop the first set of ESRM tools before ASIS International’s Annual Seminar and Exhibits, which takes place between 25-28 September in Dallas. The timeline is what might be termed ‘aggressive’, but the Commission believes developing this type of material for the annual seminar is vitally important for members.

The working team progressing this material includes Rachelle Loyear and Tim McCreight CPP (director of strategic alliances at Above Security – A Hitachi Group Company), who is a member of ASIS International’s Board of Directors. The small working team will be augmented by additional members as the workload increases with time.
Strategic mindset<br />
Future projects will focus on creating material that security professionals can use in their organisations to develop a more strategic mindset for identifying and assessing risks right across the enterprise. This material will link to the education and awareness activities already underway.

ASIS International has begun infusing ESRM into its programmes. Back in March, ASIS held ‘ASIS Europe 2017 – From Risk to Resilience’ in Milan. ‘Securing Today’s Connected Enterprise’ was the event’s theme and the two-day programme brought together CSOs, CISOs and their team members to assess and address complex cyber-physical risks. No fewer than 700 registrants from 48 countries made for an impressive crowd of both established and aspiring security leaders with many global enterprises represented.

“Working through the phases of an Enterprise Security Risk Management programme requires greater collaboration across an organisation. The process also relies on the security professional ‘learning their business’”
Axel Petri (senior vice-president of group security governance at Deutsche Telekom), who gave a detailed presentation at ASIS Europe 2017, noted: “With the boundaries between the physical and the virtual worlds now rapidly disappearing, how threats are labelled is no longer relevant (if it was relevant at all). You just need to know how to stop them.”
Discussions on cyber-physical risks drew attention to the need for ESRM’s holistic approach. As Eduard Emde CPP (who has been named conference chairman for ASIS Europe 2018, which runs in The Hague from 18-20 April) duly reflected in the closing session: “We find ourselves faced with questions of ownership, responsibility and liability. While much debate has centred on technology risk, we’ve also been reminded that we cannot forget much more familiar foes. We were reminded how much risk stems from the human factor, whether through ignorance or by malicious intent.”
Additional ESRM-related work by ASIS International includes offering nearly half a dozen ESRM sessions as part of the education line-up at the aforementioned ASIS International 63rd Annual Seminar and Exhibits. The first session, entitled ‘IT Security for Physical Security Professionals in Plain English’, will be delivered by members of the ESRM Commission as a pre-seminar session. It’s designed to enable non-IT security professionals to understand the challenges and language of IT security and then be able to go back to their organisations with the confidence needed to understand information security issues and threats and apply their learning.

There have also been multiple articles in the ASIS journal Security Management, including the December 2016 front cover story ‘Metrics and the Maturity Mindset’, in addition to several well-attended webinars to help explain the concepts and lay the foundations for the work to come. Aside from this, the White Paper ‘ESRM: An Holistic Approach to Security’ is the very heart of the Society’s ESRM initiative.
Godfried Hendriks BSc MBA CPP RSE: Global Management and Security Consultant and a Member of ASIS International’s Global Board of Directors
www.risk-uk.com