enterprise-security-risk-management-concepts-applications-esrm-book-rothstein-publishing

Enterprise Security Risk Management: Concepts and Applications

Name: Enterprise Security Risk Management: Concepts and Applications
SKU: DR886
Availability: InStock

$69.99

As a security professional, have you found that you and others in your company do not always define “security” the same way? Perhaps security interests and business interests have become misaligned. Brian Allen and Rachelle Loyear offer a new approach: Enterprise Security Risk Management (ESRM). By viewing security through a risk management lens, ESRM can help make you and your security program successful.

SKU: DR886 Category: Books Tags: ASIS International, Brian Allen, CFE, converged security team, corporate governance, CPP, cybersecurity framework, enterprise risk management, Enterprise Security Risk Management, ESRM, ESRM and physical security, ESRM cycle, ESRM life cycle, ESRM lifecycle, global risk environment, Global Security Risk Management Alliance, GSRMA, incident response, NIST cybersecurity framework, physical security, Rachelle Loyear, return on security investment, risk awareness, risk identification, Risk Management, risk matrix, risk mitigation, risk principles, risk tolerance metrics, risk transparency, risk treatment, role of security, security budgeting, security convergence, security council, security investigation, security management, security practitioner, security professional, security team, security' Product ID: 16517

Description

Brian Allen and Rachelle Loyear cover Enterprise Security Risk Management (ESRM) concepts and step-by-step application in the real world. This book also uses fundamental risk principles to manage all security risks. Whether the risks are informational, cyber, physical security, asset management, or business continuity, all are included in the holistic, all-encompassing ESRM approach. Altogether, this book will help you move from task-based to risk-based security.

How is ESRM familiar?

As a security professional, you may already practice some of the components of ESRM. For example, risk identification, risk transfer and acceptance, crisis management, and incident response.

How is Security Risk Management for enterprises new?

While many of the principles are familiar, the authors have identified few organizations that set the example for ESRM. These organizations apply the concepts in a more comprehensive, holistic way, making it easier to communicate to key decision-makers. For this reason, this new way of security risk management helps enterprises be ready in the face of security risks.

How is risk and security management practical for enterprises?

ESRM offers you a straightforward, realistic, actionable approach to deal effectively with all the distinct types of security risks facing you as a security practitioner. Enterprise security risk management is performed in a life cycle of risk management. For example, it includes:

Asset assessment and prioritization.
Risk assessment and prioritization.
Risk treatment (mitigation).
Continuous improvement.

Throughout Enterprise Security Risk Management: Concepts and Applications, Brian Allen and Rachelle Loyear give you the tools and materials that will help you advance you in the security field, no matter if you are a student, a newcomer, or a seasoned professional. Included in this book are realistic case studies, questions to help you assess your own security program, thought-provoking discussion questions, useful figures and tables, and references for your further reading.

By redefining how everyone thinks about the role of security in the enterprise, your security organization can focus on working in partnership with business leaders and other key stakeholders to identify and mitigate security risks. As you begin to use ESRM, following the instructions in this book, you will experience greater personal and professional satisfaction as a security professional – and you’ll become a recognized and trusted partner in the business-critical effort of protecting your enterprise and all its assets.

Click HERE to buy the eBook from Google Books

January 2018, 422 pages

(PDF eBook) ISBN 9781944480431
ISBN 9781944480424 (EPUB)
ISBN 9781944480448 (Print)

About the Authors

Brian Allen has more than 20 years’ experience in virtually every aspect of the security field. He most recently held the position of Chief Security Officer (CSO) with Time Warner Cable (TWC), a leading multinational provider of telecommunications, information, and entertainment services headquartered in New York City. In this role, he was responsible for protecting TWC’s assets worldwide, coordinating the company’s crisis management and business continuity management (BCM) programs, managing TWC’s cybersecurity policy and leading its security risk management program. He managed the company’s security policy and relations with law enforcement and government authorities, as well as all customer security risk issues, oversaw internal and external investigations, and headed the company’s workplace violence program.

Before joining TWC in January 2002, he was Director of the Office of Cable Signal Theft at the National Cable and Telecommunications Association in Washington, D.C., and the owner of ACI Investigations, a multimillion-dollar provider of security guard, investigations, and consulting services.

Brian earned his Bachelor of Science degree in criminal justice from Long Island University and received his Juris Doctor degree from Touro Law Center in New York. He is a member of the New York State Bar Association, a Certified Protection Professional (CPP) with ASIS, a Certified Information Systems Security Professional (CISSP) with ISC2, a Certified Fraud Examiner (CFE) with the ACFE and a Certified Information Security Manager (CISM) withISACA. Brian is also a member of the International Security Management Association and the Association of Threat Assessment Professionals.

Brian is an Adjunct Professor at the University of Connecticut, School of Business MBA Program and is active in industry organizations. He served as a member of the Communications Infrastructure Reliability and Interoperability Council (CSRIC), an FCC appointed position, and co-chaired its working group on Cybersecurity Best Practices and the Cybersecurity Framework. He is also one of four elected communications company representatives to serve on the Executive Committee of the US Communications Sector Coordinating Council (CSCC). He works with the Cross Sector Cybersecurity Working Group, established by the U.S. Department of Homeland Security (DHS) under the Critical Infrastructure Partnership Advisory Council.

Brian has served on the board of directors of ASIS International, and the board of trustees of ASIS International’s Foundation. He is currently a member of the Board of Directors of the Domestic Violence Crisis Center in Connecticut.

Rachelle Loyear has spent over a decade managing various projects and programs in corporate security organizations, focusing strongly on business continuity and organizational resilience. In her work life, she has directed teams responsible for ensuring resilience in the face of many different types of security risks, both physical and logical. Her responsibilities have included: Security/BCM program design and development; crisis management and emergency response planning; functional and location-based recovery and continuity planning; crisis management and continuity training and operational continuity
exercises; and logistical programs, such as public/private partnership relationship management and crisis recovery resource programs.

She began her career in information technology (IT), working in programming and training design at an online training company, prior before moving into the telecommunications industry. She has worked in various IT roles – including Web design, user experience, business analysis, and project management – before moving into the security/business continuity arena. This diverse background enables her to approach security, risk, business continuity, and disaster recovery with a broad methodology that melds many aspects into a cohesive whole.

Rachelle holds a bachelor’s degree in history from the University of North Carolina at Charlotte, and a master’s degree in business administration from the University of Phoenix. She is certified as a Master Business Continuity Professional (MBCP) through DRI International, as an Associate Fellow of Business Continuity International (AFBCI), as a Certified Information Security Manager (CISM) through ISACA, and as a Project Management Professional (PMP) through the Project Management Institute (PMI). She is active in multiple BCM industry groups, and is vice-chair of the Crisis Management and Business Continuity Council of ASIS International as well as serving on the IT Security Council.

Excerpt from the Foreword by Ray O'Hara, CPP

Enterprise security risk management (ESRM) has long been in the shadows of the security industry, often mentioned but never documented. With this book, Enterprise Security Risk Management: Concepts and Applications, security practitioners will be able to support the growing importance of an evolving global security program for all enterprises around the world. I admire the authors, Rachelle Loyear and Brian Allen, for the work they have put in this book. It’s funny how you choose your friends in life, and often they become life-long friends. In our case, we are close friends and business colleagues who all have a desire to share our knowledge with others and to lead our industry. Rachelle and Brian are two professionals with a relentless desire to help others be successful. If I had met them earlier in my career, my life would have been better for it.

Three things stand out for me as the core components of the book: enterprise, security risk, and risk principles. If nothing else, understanding these three concepts and being able to articulate what they mean in a business setting will advance your career and enhance your business acumen. If you are serious about your career and want to lead this industry, this book will help you to do that. We need leaders to take us to the next level – promoting ESRM in your organization and the business community will help to do that. From time to time, all of us have said, “If only I had known this years ago.” Through this book, this is your chance to know it now and become that change agent our industry needs!

I am honored to have been selected to write this foreword. Rachelle and Brian would probably say that I mentored them. That may be partially true, but we really mentored each other. Now we are on this journey mentoring others, which is proving to be extremely rewarding as we go along this path. We have formed an alliance called the Global Security Risk Management Alliance (www.gsrma.net). In GSRMA, our sole purpose is to educate others on the merits of ESRM. Some readers of this foreword may know me, while others might recognize my name, since I am very active in our industry internationally and am a former President of ASIS International. I speak frequently and I am vocal advocate for ESRM in the security industry. I consider this book, the first of its kind in our industry, to be a critical component of our efforts as security professionals to protect our people and assets around the world.

Ray O’Hara, CPP

Executive Vice President at AS Solution

President and Co-founder, Global Security Risk Management Alliance

Past President, ASIS International

Las Vegas, Nevada, USA

September 2017

Excerpt from the Foreword by Tim McCreight, MSc CISSP CPP CISA

Over the years, I have become a big fan of the writings and presentations of Brian Allen and Rachelle Loyear on enterprise security risk management (ESRM). They are outstanding professionals in their field, and the information they have shared is quickly becoming required reading, at least in the circle of security professionals I hang out with. As a board member of ASIS International, I have observed how the organization appears to be using Brian and Rachelle’s work to develop material for the global membership to relaunch and refocus their efforts toward ESRM.

Throughout my career, I’ve tried (sometimes not very successfully) to incorporate many of the principles and practices Rachelle and Brian discuss in this new book, Enterprise Security Risk Management: Concepts and Applications. When I met resistance within the organization, I realize now that I was not following the methodology that they describe and illustrate in the following pages. I wish I could have referred to this content about 15 years ago – I could have saved myself a lot of sleepless nights and pointless debates with folks not familiar with security or risk.

This book’s understanding of what a successful ESRM program looks like is compelling and represents something we as a profession must strive to achieve. In my opinion, we’re past the days when a security professional can develop a security program based on a silo approach to protecting assets. I agree that it’s time to replace the views we held in the past with the approach and vision described by Rachelle and Brian. We must change our approach to security and move in the direction of ESRM, or risk becoming insignificant to our organizations in the next 5 to 10 years.

That’s a strong warning, but Rachelle and Brian have realized the urgency of the situation, and you can see it in the way their explanation of ESRM unfolds. From exploratory discussions about ESRM and what it is (and isn’t) through to the ongoing maintenance and support of a successful ESRM deployment, the text really develops a methodical approach that any security professional can follow. There’s no hype or drama, and their examples bring practical advice we can all use in our journey to ESRM.

If you’re a security professional looking toward the future and wondering how we as a profession will succeed – read this book. If you’re looking for an opportunity to broaden your understanding of how ESRM truly supports the business – read this book. And if you’re looking to create your own path for future success – well, you know my thoughts.

Tim McCreight, MSc CISSP CPP CISA

Director, Strategic Alliances

Hitachi Systems Security

Member, ASIS International Board of Directors

Calgary, Alberta Canada

September 2017

Excerpt from Chapter 22: Reporting and Metrics That Matter

Just as it is crucial for you to gain executive and strategic partner support for implementing your enterprise security risk management (ESRM) program, you also need to engage them through regular communications, metrics, and reports on program progress. In this chapter, you will see how reporting metrics in an ESRM implemented program is different from how metrics traditionally are looked at in many security programs. Then you will dig into some specifics of how to present risk-based data and information to your direct management, strategic partners, and executives to allow them to monitor and measure the success of the ESRM program.

This chapter will help you to:

Understand the different reports and metrics to use to communicate with different audiences.
Build effective metrics and reports for measuring your ESRM program.
Tailor your message so that it neither over-communicates nor under-communicates to your intended audience.
Build strategic reports that your partners and leaders can use to understand their risk condition.

22.1 Why are Security Metrics Important?

Security metrics are important because a risk-based security program is centered on the need for business leaders to set risk tolerance, making risk decisions to ensure that the business is operating within that tolerance. Thus, a key piece of your ongoing ESRM program is to continually communicate the status of all enterprise security risk as it relates to the set tolerance. Besides that, in almost every business organization, the bedrock upon which most strategic and tactical decisions are made is made up of the daily, weekly, monthly, quarterly, and annual reports that go from the lowest levels of the organization up to the highest. Your message needs to be clearly and appropriately crafted to show your audiences exactly what they need to know about the status of security risk as it pertains to them and the decisions they need to make.

Of course, not all your audiences need the same information. Some of the people you need to communicate to are making more tactical choices and will need more task-oriented details. These audiences might include:

The functional leaders to whom security reports, who control the budget, payroll, and expenses for the security group.
Asset owners, who provide direct financial support for some of the risk mitigation activities that the security team carries out.
Security department personnel, who need to understand what others in the security department are doing.
Procurement teams, who work on hardware, software, and personnel contracts for the security team.

Those groups need a different level of data and information than audiences who operate with a more strategic outlook for the enterprise:

The board of directors or other leadership/owner group, tasked with ensuring oversight of all enterprise risk.
Company senior executives, who need to understand the overall security risk picture.
The security council, who will want to understand how the program is managing various security risks, and how the risk tolerances are being maintained.
Your functional area strategic partners in the enterprise, who will need to know the status of the security risks impacting their area.

Questions for the Security Practitioner

“What security metrics and reports do I currently build? Do I think that the audience reading them can use any of it to make business decisions?”
“What are the security aspects that I would like to make my stakeholders aware of? Am I conveying what I want them to know in my reports?

Regardless of the audience, in an ESRM environment, you will report on risks or groups of risks that are:

Associated with an asset or departmental group of assets.
Tied to the risk interests, concerns, and the appropriateness of the risk owner or stakeholder.
Applied to a business-defined risk tolerance.

Such reporting will drive the metrics that you deliver in a contextual way, focused on audience needs…

Enterprise Security Risk Management: Concepts and Applications