Just a decade ago, as security professionals, we could talk reasonably about physical security and logical security requiring different approaches. Five years ago, we might have found ourselves having conversations about the blurring lines between the two types of security discipline, and could have easily pointed to aspects of both physical and logical security that crossed over each other.
Today? In organizations that have embraced even the least cutting-edge aspects of operational and information technological advances (consumer IoT, industrial IoT, cloud hosted services, etc.), we can no longer rationally discuss a strictly “physical” or “logical” approach to managing security risks to the enterprise.
Quite simply, in a world where:
- Every camera and door lock in a facility has an individual IP address
- All security investigations must happen in the real and virtual worlds at the same time
- Even the most visibly “physical” of protective measures – security officers – are networked via trackers and devices to provide instant information and communication
… there are few, if any, areas left that do not require attention to a holistic and comprehensive view of all security disciplines at once.
What does this mean for the personnel and management teams that are tasked with providing security in this borderless environment? How do we, as practitioners who may have long histories in a single discipline, protect the organization in a security environment where the risks and mitigation tactics have converged, regardless of whether our organizational structures have evolved to match them?
The answer: Enterprise Security Risk Management (ESRM).
ESRM is a risk management model that allows all functional areas tasked with mitigating security risk to operate under a converged philosophy and approach to more efficiently and effectively mitigate security risk across the enterprise, regardless of the physical or logical nature of the asset, or the vector of the potential threat.
Recognizing the Role
ESRM allows security personnel to work together to effectively protect the enterprise from a broad spectrum of security risks by first recognizing that it is the role of the security organization, at root, to manage security risk in conjunction with the business, and to protect assets from harm in line with business tolerance.
The tasks we perform to mitigate risks might be different, but the process of identifying the assets to be protected, recognizing and prioritizing the risks to those assets, and then mitigating those risks to within acceptable levels of business tolerance, is the same. Take a look at the table below, excerpted from the forthcoming book, Enterprise Security Risk Management: Concepts and Applications (Allen & Loyear, 2017). It shows a quick side-by-side of the kinds of tasks that security groups do, and how they are essentially mitigation responses to the same security risks.
The overarching risks cannot be effectively mitigated by only a single tactical function. Working together, under a common risk management framework, all security personnel can more effectively protect the enterprise environment against security risk.
The Benefits of ESRM and Cross-Functional Risk Management Collaboration
Managing all security risks in partnership and under a common ESRM approach can bring the enterprise significant gains in efficiency and effectiveness, even with multiple groups participating in the security partnership. A few to note include:
- Unified security awareness messaging
  - A partnership approach under an ESRM philosophy allows for the creation of a single, unified security message that includes all facets of security awareness.
- Single security point-of-contact
  - When all security teams operate under the risk-management approach with the same defined processes, any security incident can be reported to a single point in the company and escalated and directed as needed to the appropriate response team.
- Operational efficiency
  - Employees with different skill sets can more easily collaborate on incident response processes.
  - Information sharing enables cross-department cooperation during security investigations that require both physical and logical forensics.
  - Streamlined processes save hours and money, allowing diverse security risks to be managed by a single process.
  - Consolidated metrics reporting to business management saves time and effort.
- Optimized risk profile
  - All security risks are identified and managed in an overarching program, making the risk identification and mitigation process more robust and decreasing the potential of overlooked risk.
How Do We Get There?
So, how do we get to the point of converging under a common philosophy, regardless of reporting lines and department structures?
All leaders in the organization with any security responsibilities can align with a risk-management approach by asking themselves:
- Does my team have clear risk management goals aligned with business risk tolerance?
- Does my team work with other department stakeholders in the risk decision-making process?
- Do the members of my team work together with other security teams in situations that cross boundaries of scope?
- Am I communicating to all areas of the business that my role, and the role of all other security teams, is to manage security risks holistically?
When all the security functions in the enterprise choose to embrace a risk management – ESRM – approach, the outcome is that:
- All security teams follow a formal and consistent process for security risk decision-making.
- All security teams follow the same incident response approach, including postmortem investigations and root cause analysis to continually improve the security risk situation of the enterprise.
- All security teams work in partnership with one another, ensuring open communications and collaboration across department lines.
- All security teams have the transparency, independence, authority and scope needed to do their work in the right way.
- All security risks, no matter which team mitigates the risks, are considered part of the holistic security risk management program.
- All security teams, no matter who they report to, understand that security risk management is everyone’s role.
Rachelle Loyear, CISM, MBCP, AFBCI, PMP, Partner, Security Risk Governance Group
[ISACA Now Blog]