Welcome to Rothstein Publishing!

Enterprise Security Risk Management: Concepts and Applications


As a security professional, have you found that you and others in your company do not always define “security” the same way? Perhaps security interests and business interests have become misaligned. Brian Allen and Rachelle Loyear offer a new approach: Enterprise Security Risk Management (ESRM). By viewing security through a risk management lens, ESRM can help make you and your security program successful.


Brian Allen and Rachelle Loyear cover Enterprise Security Risk Management (ESRM) concepts and step-by-step application in the real world. This book also uses fundamental risk principles to manage all security risks. Whether the risks are informational, cyber, physical security, asset management, or business continuity, all are included in the holistic, all-encompassing ESRM approach. Altogether, this book will help you move from task-based to risk-based security.

How is ESRM familiar?

As a security professional, you may already practice some of the components of ESRM, such as risk identification, risk transfer and acceptance, crisis management, and incident response.

How is Security Risk Management for enterprises new?

While many of the principles are familiar, the authors have identified few organizations that set the example for ESRM. These organizations apply the concepts in a more comprehensive, holistic way, making it easier to communicate to key decision-makers. For this reason, this new way of security risk management helps enterprises be ready in the face of security risks.

How is risk and security management practical for enterprises?

ESRM offers you a straightforward, realistic, actionable approach to deal effectively with all the distinct types of security risks facing you as a security practitioner. Enterprise security risk management is performed as a risk management life cycle, which includes:

  • Asset assessment and prioritization.
  • Risk assessment and prioritization.
  • Risk treatment (mitigation).
  • Continuous improvement.

Throughout Enterprise Security Risk Management: Concepts and Applications, Brian Allen and Rachelle Loyear give you the tools and materials that will help you advance in the security field, no matter if you are a student, a newcomer, or a seasoned professional. Included in this book are realistic case studies, questions to help you assess your own security program, thought-provoking discussion questions, useful figures and tables, and references for your further reading.

By redefining how everyone thinks about the role of security in the enterprise, your security organization can focus on working in partnership with business leaders and other key stakeholders to identify and mitigate security risks. As you begin to use ESRM, following the instructions in this book, you will experience greater personal and professional satisfaction as a security professional – and you’ll become a recognized and trusted partner in the business-critical effort of protecting your enterprise and all its assets.



January 2018, 422 pages

ISBN 9781944480431 (PDF eBook)
ISBN 9781944480424 (EPUB)
ISBN 9781944480448 (Print)


About the Authors

Brian Allen has more than 20 years’ experience in virtually every aspect of the security field. He most recently held the position of Chief Security Officer (CSO) with Time Warner Cable (TWC), a leading multinational provider of telecommunications, information, and entertainment services headquartered in New York City. In this role, he was responsible for protecting TWC’s assets worldwide, coordinating the company’s crisis management and business continuity management (BCM) programs, managing TWC’s cybersecurity policy and leading its security risk management program. He managed the company’s security policy and relations with law enforcement and government authorities, as well as all customer security risk issues, oversaw internal and external investigations, and headed the company’s workplace violence program.

Before joining TWC in January 2002, he was Director of the Office of Cable Signal Theft at the National Cable and Telecommunications Association in Washington, D.C., and the owner of ACI Investigations, a multimillion-dollar provider of security guard, investigations, and consulting services.

Brian earned his Bachelor of Science degree in criminal justice from Long Island University and received his Juris Doctor degree from Touro Law Center in New York. He is a member of the New York State Bar Association, a Certified Protection Professional (CPP) with ASIS, a Certified Information Systems Security Professional (CISSP) with ISC2, a Certified Fraud Examiner (CFE) with the ACFE and a Certified Information Security Manager (CISM) with ISACA. Brian is also a member of the International Security Management Association and the Association of Threat Assessment Professionals.

Brian is an Adjunct Professor at the University of Connecticut, School of Business MBA Program and is active in industry organizations. He served as a member of the Communications Infrastructure Reliability and Interoperability Council (CSRIC), an FCC appointed position, and co-chaired its working group on Cybersecurity Best Practices and the Cybersecurity Framework. He is also one of four elected communications company representatives to serve on the Executive Committee of the US Communications Sector Coordinating Council (CSCC). He works with the Cross Sector Cybersecurity Working Group, established by the U.S. Department of Homeland Security (DHS) under the Critical Infrastructure Partnership Advisory Council.

Brian has served on the board of directors of ASIS International, and the board of trustees of ASIS International’s Foundation. He is currently a member of the Board of Directors of the Domestic Violence Crisis Center in Connecticut.

Rachelle Loyear has spent over a decade managing various projects and programs in corporate security organizations, focusing strongly on business continuity and organizational resilience. In her work life, she has directed teams responsible for ensuring resilience in the face of many different types of security risks, both physical and logical. Her responsibilities have included: Security/BCM program design and development; crisis management and emergency response planning; functional and location-based recovery and continuity planning; crisis management and continuity training and operational continuity exercises; and logistical programs, such as public/private partnership relationship management and crisis recovery resource programs.

She began her career in information technology (IT), working in programming and training design at an online training company, before moving into the telecommunications industry. She worked in various IT roles – including Web design, user experience, business analysis, and project management – before moving into the security/business continuity arena. This diverse background enables her to approach security, risk, business continuity, and disaster recovery with a broad methodology that melds many aspects into a cohesive whole.

Rachelle holds a bachelor’s degree in history from the University of North Carolina at Charlotte, and a master’s degree in business administration from the University of Phoenix. She is certified as a Master Business Continuity Professional (MBCP) through DRI International, as an Associate Fellow of Business Continuity International (AFBCI), as a Certified Information Security Manager (CISM) through ISACA, and as a Project Management Professional (PMP) through the Project Management Institute (PMI). She is active in multiple BCM industry groups, and is vice-chair of the Crisis Management and Business Continuity Council of ASIS International as well as serving on the IT Security Council.

Excerpt from the Foreword by Ray O'Hara, CPP

Enterprise security risk management (ESRM) has long been in the shadows of the security industry, often mentioned but never documented. With this book, Enterprise Security Risk Management: Concepts and Applications, security practitioners will be able to support the growing importance of an evolving global security program for all enterprises around the world. I admire the authors, Rachelle Loyear and Brian Allen, for the work they have put in this book. It’s funny how you choose your friends in life, and often they become life-long friends. In our case, we are close friends and business colleagues who all have a desire to share our knowledge with others and to lead our industry. Rachelle and Brian are two professionals with a relentless desire to help others be successful. If I had met them earlier in my career, my life would have been better for it.

Three things stand out for me as the core components of the book: enterprise, security risk, and risk principles. If nothing else, understanding these three concepts and being able to articulate what they mean in a business setting will advance your career and enhance your business acumen. If you are serious about your career and want to lead this industry, this book will help you to do that. We need leaders to take us to the next level – promoting ESRM in your organization and the business community will help to do that. From time to time, all of us have said, “If only I had known this years ago.” Through this book, this is your chance to know it now and become that change agent our industry needs!

I am honored to have been selected to write this foreword. Rachelle and Brian would probably say that I mentored them. That may be partially true, but we really mentored each other. Now we are on this journey mentoring others, which is proving to be extremely rewarding as we go along this path. We have formed an alliance called the Global Security Risk Management Alliance (www.gsrma.net). In GSRMA, our sole purpose is to educate others on the merits of ESRM. Some readers of this foreword may know me, while others might recognize my name, since I am very active in our industry internationally and am a former President of ASIS International. I speak frequently and I am a vocal advocate for ESRM in the security industry. I consider this book, the first of its kind in our industry, to be a critical component of our efforts as security professionals to protect our people and assets around the world.

Ray O’Hara, CPP

Executive Vice President at AS Solution

President and Co-founder, Global Security Risk Management Alliance

Past President, ASIS International

Las Vegas, Nevada, USA

September 2017

Excerpt from the Foreword by Jeff Spivey, CRISC, CPP, PSP

In their new book, Enterprise Security Risk Management: Concepts and Applications, Brian Allen and coauthor Rachelle Loyear – both seasoned security professionals – present the risk and security community with new opportunities based on an evolving security management framework. Forgetting the “old school” security formulas, the authors describe the global maturation of security risk management models for businesses.

Enterprise security risk management (ESRM) leaves behind the old and limited “guns, guards and gates” constructs of what security has been to explore what security can be as a part of the overall organizational risk management framework.

I urge that all senior management read and discuss Brian and Rachelle’s vision of what is possible from an organization supported by the right security risk management program positively impacting the achievement of business goals and therefore elevating shareholder value. Boards of directors, executive management, and business stakeholders will all benefit from exploring ESRM, as described in this book.

The authors describe in detail how ESRM can be applied in many areas of a company that relate to business risk, including business continuity, crisis management, cybercrime, workplace violence, cybersecurity and more. Insights will continue to be gained from the book as readers have new realizations that security risks throughout the organization have a significant positive and negative impact on the achievement of business goals.

Brian and Rachelle have presented a wealth of thought-provoking options for the reader, and I am confident that this book will add bottom line value to the companies which choose to understand and implement ESRM.

Jeff Spivey, CRISC, CPP, PSP

CEO and Founder,

Security Risk Management, Inc.

Board Director, ISACA International

Past President, ASIS International

Charlotte, North Carolina, USA

September 2017

Excerpt from the Foreword by Tim McCreight, MSc CISSP CPP CISA

Over the years, I have become a big fan of the writings and presentations of Brian Allen and Rachelle Loyear on enterprise security risk management (ESRM). They are outstanding professionals in their field, and the information they have shared is quickly becoming required reading, at least in the circle of security professionals I hang out with. As a board member of ASIS International, I have observed how the organization appears to be using Brian and Rachelle’s work to develop material for the global membership to relaunch and refocus their efforts toward ESRM.

Throughout my career, I’ve tried (sometimes not very successfully) to incorporate many of the principles and practices Rachelle and Brian discuss in this new book, Enterprise Security Risk Management: Concepts and Applications. When I met resistance within the organization, I realize now that I was not following the methodology that they describe and illustrate in the following pages. I wish I could have referred to this content about 15 years ago – I could have saved myself a lot of sleepless nights and pointless debates with folks not familiar with security or risk.

This book’s understanding of what a successful ESRM program looks like is compelling and represents something we as a profession must strive to achieve. In my opinion, we’re past the days when a security professional can develop a security program based on a silo approach to protecting assets. I agree that it’s time to replace the views we held in the past with the approach and vision described by Rachelle and Brian. We must change our approach to security and move in the direction of ESRM, or risk becoming insignificant to our organizations in the next 5 to 10 years.

That’s a strong warning, but Rachelle and Brian have realized the urgency of the situation, and you can see it in the way their explanation of ESRM unfolds. From exploratory discussions about ESRM and what it is (and isn’t) through to the ongoing maintenance and support of a successful ESRM deployment, the text really develops a methodical approach that any security professional can follow. There’s no hype or drama, and their examples bring practical advice we can all use in our journey to ESRM.

If you’re a security professional looking toward the future and wondering how we as a profession will succeed – read this book. If you’re looking for an opportunity to broaden your understanding of how ESRM truly supports the business – read this book. And if you’re looking to create your own path for future success – well, you know my thoughts.

Tim McCreight, MSc CISSP CPP CISA
Director, Strategic Alliances

Hitachi Systems Security

Member, ASIS International Board of Directors

Calgary, Alberta, Canada

September 2017



Table of Contents

Dedication
Acknowledgments
Foreword
Foreword
Foreword

Part 1: Why Enterprise Security Risk Management (ESRM)?
  1: What is Enterprise Security Risk Management?
    1.1 ESRM Defined
      1.1.1 Enterprise
      1.1.2 Security Risk
      1.1.3 Risk Principles
    1.2 ESRM Overview
      1.2.1 ESRM Mission and Goals
      1.2.2 ESRM Life Cycle – A Quick Look
      1.2.3 Your Role in ESRM
    1.3 Why is ESRM Important?
      1.3.1 Traditional Corporate Security Scenarios: Something is Missing
      1.3.2 ESRM as a Driver for Consistency
    1.4 What is ESRM Not?
      1.4.1 How is ESRM Different from Enterprise Risk Management (ERM)?
    Questions for Discussion
    References
    Learn More About It
  2: How Can ESRM Help You?
    2.1 Security Function Professionals
      2.1.1 The Student
        How Can ESRM Help You?
      2.1.2 The New Security Practitioner
        How Can ESRM Help You?
      2.1.3 The Security Manager or Executive
        How Can ESRM Help You?
      2.1.4 The Transitioning Public Sector Professional
        How Can ESRM Help You?
    2.2 Business Functional Professionals
      2.2.1 The Business Function Manager
        How Can ESRM Help You?
      2.2.2 The Senior Executive
        How Can ESRM Help Your Organization?
      2.2.3 The Company Board of Directors
        How Can ESRM Help Your Organization?
    Questions for Discussion
    References
  3: How Can ESRM Help Your Security Program?
    3.1 The Traditional View of Security and Why the Industry Must Change
      3.1.1 The Traditional View of Security
        What Does Security Do? – The Answer from the Security Practitioner
        What Does Security Do? – The Answer from the Board of Directors and Senior Executives
      3.1.2 Why the Security Industry Needs to Define “Security”
      3.1.3 The ESRM View of Security – A Profession, not a Trade
        Managing Security Risks
      3.1.4 ESRM-Based Security – Moving from Task Management to Risk Management
        Security Task Management
        Security Risk Management
        The ESRM Solution: A New Philosophy
      3.1.5 Why Is the Traditional Approach to Security So Frustrating for So Many People?
        The Missing Network Switch: A Story of Security Frustration
        The Traditional Security Environment
        The ESRM Security Environment
        The ESRM Difference
    3.2 The Evolving Global Risk Environment is Driving Industry to Risk Management Postures
      3.2.1 Security and Risk Threats are Real
      3.2.2 The Risk Conversation is Changing Rapidly
    3.3 What Does “Security Success” Look Like?
      3.3.1 Success is Not Just Measured by Numbers
      3.3.2 In Security Success, Intangibles are Important
      3.3.3 Your Answers Create Your Definition of “Success”
      3.3.4 The Security Professional and the Business Leader: Using ESRM to Move Beyond Frustration to Success
      3.3.5 The ESRM Philosophy of Security Success
        Security Becomes Strategic
        Security Becomes a Business Function
    Questions for Discussion
    References
    Learn More About It

Part 2: The Fundamentals of ESRM
  4: Preparing for an ESRM Program
    4.1 Understand the Business and its Mission
      4.1.1 Holistic Understanding of Risk
      4.1.2 The Needs of Your Business
      4.1.3 Sources of Information
        Company Insiders
        Company Published Communications
        Outsiders and The Media
        Observing Non-Verbal Communication – The Underlying Culture
    4.2 Understand the Business Environment
      4.2.1 Examining the Environment the Business Operates In
    4.3 Understand Your Stakeholders
      4.3.1 What is a Stakeholder?
        Finding Your Stakeholders: A Closer Look
      4.3.2 Why Stakeholders Matter
        Risk Stakeholder Conflict
    Questions for Discussion
    References
    Learn More About It
  5: The ESRM Cycle – An Overview
    5.1 What is ESRM? – A Closer Look
      5.1.1 Similarities to Industry Life Cycles
      5.1.2 Application of the ESRM Model
    5.2 The ESRM Life Cycle Model in Action
      5.2.1 A Task Management Approach
      5.2.2 An ESRM Approach
    5.3 ESRM is Cyclical, But Not Always Sequential
    Questions for Discussion
    References
  6: The ESRM Cycle – Step 1: Identify and Prioritize Assets
    6.1 Step 1 – Identify and Prioritize Assets
    6.2 What is an Asset?
      6.2.1 How Do You Identify Business Assets?
        Finding Tangible Assets
        Finding Intangible Assets
      6.2.2 Who Really “Owns” an Asset?
        A Building
        A Server
        The Web of Assets and Asset Owners/Stakeholders
    6.3 How Do You Assign Value to Assets?
      6.3.1 Simple Tangible Asset Valuation (Two Methods)
      6.3.2 Complex Tangible Asset Valuation
      6.3.3 Intangible Asset Valuation (Three Methods)
      6.3.4 Business Impact Analysis (BIA)
    6.4 How Do You Prioritize Assets for Protection?
    6.5 How Do You Deal with Conflicts in Asset Valuation and Prioritization?
    Questions for Discussion
    References
    Learn More About It
  7: The ESRM Cycle – Step 2: Identify and Prioritize Security Risks
    7.1 Identify and Prioritize Security Risks
    7.2 What is Risk?
      7.2.1 The Risk Triangle
    7.3 The Risk Assessment Process
      7.3.1 ISO Standard and Good Practices
        The ESRM Difference
    7.4 Risk Identification – Finding all the Risks
    7.5 Prioritizing Risks for Mitigation
      7.5.1 Presenting a Risk Matrix
        Education vs. Fear
        Building a Matrix
        Building a Heat Map
        Security Risk Decision-Making
      7.5.2 Conflicts in Risk Prioritization
        The Role of Security
        The Role of the Asset Owner
    Questions for Discussion
    References
    Learn More About It
  8: The ESRM Cycle – Step 3: Mitigate Prioritized Risks
    8.1 Mitigate Prioritized Risks
    8.2 Risk Management and Mitigation Responses in Existing Industry Standards
      8.2.1 The ISO Risk Management Standard
      8.2.2 The ESRM Difference
    8.3 Risk Treatment Options
    8.4 Risk Mitigation Decisions
      8.4.1 Conflicts in Risk Mitigation Decisions
    Questions for Discussion
    Learn More About It
  9: The ESRM Cycle – Step 4: Improve and Advance
    9.1 Improve and Advance
    9.2 Incident Response
    9.3 ESRM Investigations and Root Cause Analysis
      9.3.1 Performing a Root Cause Analysis
    9.4 Ongoing Security Risk Assessment
      9.4.1 Sources of Risk Awareness
      9.4.2 Reporting and Employee Vigilance
    Questions for Discussion
    References
    Learn More About It

Part 3: Designing a Program That Works for Your Enterprise
  10: Designing an ESRM Program to Fit Your Enterprise
    10.1 Design Thinking – A Conceptual Model for Your ESRM Program
    10.2 The Phases of Design Thinking
      10.2.1 Empathize Phase
      10.2.2 Define Phase
      10.2.3 Ideate Phase
      10.2.4 Prototype Phase
      10.2.5 Test Phase
    10.3 ESRM Program Rollout in a Formal Design Thinking Model
      10.3.1 Educate and Involve the Stakeholders (Empathy)
      10.3.2 Iterate the Process (Your Definition and Prototypes)
      10.3.3 Mature the Process (Testing and Feedback)
      10.3.4 Expand the Process (Begin Again with a Larger Scope)
    Questions for Discussion
    References
    Learn More About It
  11: Rolling Out Your ESRM Program
    11.1 Rolling out ESRM in the Real World – A Story
      11.1.1 Step 1: Understanding the Current Environment and the Current Challenges (Empathy with Our Security Team)
        A Deeper Dive (Even More Empathy)
      11.1.2 Step 2: Communicating with the Business and Other Stakeholders (Empathy with Our Strategic Partners)
      11.1.3 Step 3: Creating a Roadmap for the Program Rollout (Ideation and Brainstorming)
      11.1.4 Step 4: Piloting the Program (Prototyping and Feedback)
      11.1.5 Step 5: Implementation and Evolution Across the Enterprise
    11.2 ESRM Program Rollout Checklist
    Questions for Discussion
    Learn More About It

Part 4: Making ESRM Work for Your Organization
  12: ESRM Essentials for Success
    12.1 Transparency
      12.1.1 Risk Transparency
      12.1.2 Process Transparency
    12.2 Independence
    12.3 Authority
    12.4 Scope
    12.5 Parallels with Other Risk-Based Functions
      12.5.1 What Are Audit, Legal, and Compliance?
      12.5.2 What do Legal, Audit and Compliance Functions Need for Success?
    Questions for Discussion
    References
    Learn More About It
  13: Security Governance
    13.1 What is Corporate Governance?
      13.1.1 Defining Corporate Governance
      13.1.2 Why is Corporate Governance Important?
      13.1.3 Common Themes in Corporate Governance
    13.2 The Security Council: ESRM Governance
      13.2.1 Who is the ESRM Security Council?
      13.2.2 The Security Council’s Role in ESRM
      13.2.3 Setting Up a Security Council
        Step 1: Define the Council Structure that Will Best Serve Enterprise Needs
        Step 2: Define the Security Council Stakeholders
        Step 3: Define the Mission, Objectives, and Goals of the Security Council and Document Them in a Council Charter
        Step 4: Define Measurements/Project Key Performance Indicators (KPIs) for ESRM
        Step 5: Develop a List of Potential Quick “Wins” for the ESRM Program
        Step 6: Begin the Process of Meeting, Reviewing, and Directing the Program According to the Council Charter
      13.2.4 Security’s Role on the Security Council: What It Is and What It Is Not
    Questions for Discussion
    References
    Learn More About It
  14: The Security Organization
    14.1 Where Should Security Report in an Organization Structure?
      14.1.1 Determining the Optimal Security Organization Reporting Lines
        Question 1 – What Does Security Need to be Successful?
        Question 2 – Which Lines of Reporting Carry Obvious Conflicts?
        Question 3 – What Reporting Structures are Available in This Enterprise?
    14.2 The Greatest Success Comes with the Greatest Independence
    14.3 Security Organization Internal Structure
      14.3.1 Defining Strategic Leadership Roles
        Aligning Tactical Skillsets with Strategic Management
        Transitioning Yourself from a Tactical Practitioner to a Strategic Leader
    Questions for Discussion
    Learn More About It

Part 5: An ESRM Approach to Tactical Security Disciplines
  15: ESRM and Investigations
    15.1 How does the Investigations Discipline Fit in the ESRM Life Cycle?
    15.2 An Investigation is an Incident Response
    15.3 An Investigation is the Source of Root Cause Analysis
      15.3.1 Identifying Root Causes Through Security Investigations
        Preparing for a Risk-Based Investigation
        During an ESRM Investigation
      15.3.2 Reporting Root Causes After a Security Investigation
    15.4 Investigations Drive Ongoing Risk Assessment
      15.4.1 Postmortem Reporting and Responsibilities
        Security Role and Responsibilities
        Strategic Partner Role and Responsibilities
    15.5 A Deeper Look at the Role of Investigations in ESRM
      15.5.1 Comparing Traditional and ESRM Investigations
        One Successful Outcome
        All Successful Outcomes May Not Look the Same
      15.5.2 The ESRM Difference
        A Difference in Focus: Fact-Finding Versus Risk Identification
        A Difference in Goals – Accountability versus Risk Mitigation
    Questions for Discussion
    Learn More About It
  16: ESRM and Physical Security
    16.1 How does the Physical Security Discipline Fit in the ESRM Life Cycle?
    16.2 Physical Security Activities Help Identify and Prioritize Assets
    16.3 Physical Security Activities Help to Identify and Prioritize Risks
    16.4 Physical Security Activities Serve to Mitigate Prioritized Risks
      16.4.1 Turning a Task into a Security Risk Mitigation Activity
    16.5 Physical Security Provides First Line Incident Response
    16.6 Physical Security Provides Input to Ongoing Risk Assessment
    16.7 A Deeper Look at the Role of Physical Security in ESRM
      16.7.1 Comparing Traditional and ESRM Physical Security Methods
        One Successful Outcome
        All Successful Outcomes May Not Look the Same
      16.7.2 The ESRM Difference
        A Difference in Perception
        A Difference in Approach: Risk Management as a Positive Practice
    Questions for Discussion
    Learn More About It
  17: ESRM and Cybersecurity and Information Security
    17.1 How does Cyber and Information Security Fit in the ESRM Life Cycle?
      17.1.1 The ESRM Cycle and the NIST Cybersecurity Framework
        Identify
        Protect
        Detect
        Respond
        Recover
    17.2 Identifying and Prioritizing Assets in the Cyber Environment
    17.3 Identifying and Prioritizing Risks in the Cyber Environment
      17.3.1 Risk in Cyber and Information Security
    17.4 Mitigate Prioritized Risks
      17.4.1 Risk Mitigation Planning: The Cybersecurity Framework
        Performing a Gap Analysis for Risk Mitigation Planning
    17.5 Improve and Advance
      17.5.1 Using the NIST Framework to Improve and Advance
    17.6 A Deeper Look at the Role of Cyber and Information Security in ESRM
      17.6.1 Operational Technology – More than Just Data
    Questions for Discussion
    References
    Learn More About It
  18: ESRM and Workplace Violence and Threat Management
    18.1 How does Workplace Violence Prevention and Threat Management Fit in the ESRM Life Cycle?
    18.2 Identifying and Prioritizing Assets in Workplace Violence Prevention and Threat Management Programs
      18.2.1 Asset Owners and Stakeholders: Everyone Owns Workplace Violence Prevention, Not Just Security
    18.3 Identifying and Prioritizing Risks in Workplace Violence Prevention and Threat Management Programs
    18.4 Mitigate Prioritized Risks Through Workplace Violence Prevention and Threat Management Program Design
    18.5 Incident Response in Workplace Violence Prevention and Threat Management Programs
    18.6 Root Cause Analysis in Workplace Violence Prevention and Threat Management Programs
    18.7 Ongoing Risk Assessment in Workplace Violence Prevention and Threat Management Programs
    18.8 A Deeper Look at the Role of Workplace Violence Prevention and Threat Management in ESRM
      18.8.1 A Difference in Focus: Holistic Workplace Violence Prevention and Threat Management Programs vs. Workplace Violence Response Training
      18.8.2 A Difference in Culture – Workplace Violence Awareness
    Questions for Discussion
    References
  19: ESRM and Business Continuity and Crisis Management
    19.1 How does Business Continuity and Crisis Management Fit in the ESRM Life Cycle?
    19.2 Identifying and Prioritizing Assets and Risks in a Business Continuity and Crisis Management Program
    19.3 Mitigating Prioritized Risks in a Business Continuity and Crisis Management Program
    19.4 Incident Response in a Business Continuity and Crisis Management Program
    19.5 Root Cause Analysis in a Business Continuity and Crisis Management Program
    19.6 Ongoing Risk Assessment in a Business Continuity and Crisis Management Program
    19.7 A Deeper Look at the Role of Business Continuity and Crisis Management in ESRM
      19.7.1 A Difference in Authority – Getting Traction
      19.7.2 A Difference in Transparency – Driving Acceptance Through Simplification
      19.7.3 A Difference in Independence – Ensuring Participation Through an Overarching Program
      19.7.4 A Difference in Scope – Leveraging Resources for Success
    Questions for Discussion
    References
    Learn More About It

Part 6: ESRM Program Performance and Evaluation
  20: ESRM for Business Executives and Boards of Directors
    20.1 What do the executives need to know about ESRM?
      20.1.1 Point 1 for Executives – Understand What ESRM is and the Value of Implementing ESRM Within the Organization
      20.1.2 Point 2 for Executives – Understand the Underlying Philosophy of ESRM and the Role of Security
      20.1.3 Point 3 for Executives – Essential Requirements for Security Success
        Transparency
        Independence
        Authority
        Scope
      20.1.4 Point 4 for Executives – Understand ESRM Parallels with Other Risk-Based Functions
      20.1.5 Tailoring the Conversation
    20.2 What is the Role of Executives in an ESRM Program?
      20.2.1 The Executive Role of Ensuring a Definition of Security Success
      20.2.2 The Executive Role of Ensuring the Correct Security Skillsets
      20.2.3 The Executive Role of Ensuring the Essentials for Success are in Place
      20.2.4 The Executive Role of Ensuring the Correct Reporting Structure
      20.2.5 The Executive Role of Ensuring that the Board or Enterprise Ownership is Aware of the Role of Security and of Security Risks as a Business-Critical Topic
    20.3 What Should Executives and Boards of Directors Expect From ESRM?
      20.3.1 Reporting and Metrics
      20.3.2 Transparency of Risk
      20.3.3 Communications, Notifications, and Awareness
    Questions for Discussion
    References
    Learn More About It
  21: Security Budgeting Process
    21.1 How has Security Budgeting been Approached Before?
      21.1.1 Fear, Uncertainty, Doubt – The FUD Factor
      21.1.2 Making the Best of What You are Given, and the “Blame Game”
      21.1.3 Return on Security Investment
        Return on (Non-Security) Investment
        Whose “Return” is It?
    21.2 The ESRM Approach to Security Budgeting
      21.2.1 Value Chain Theory
        Increasing Value to your Primary Function Strategic Partners
        Is Security a Support or Primary Activity?
    21.3 Changing from a Traditional Security Budget to an ESRM Budget
      21.3.1 Discover Existing Security Tasks and Activities
      21.3.2 Personnel Discovery
      21.3.3 Financial Discovery
      21.3.4 Building the Unified Budget
    21.4 Ongoing/Annual Budgeting
      21.4.1 Budget Updates
      21.4.2 Budget Decision Making and Risk Tolerance
    21.5 Procurement Partnerships and the Role of Procurement in the Budget Process
    Questions for Discussion
    References
    Learn More About It
  22: Reporting and Metrics That Matter
    22.1 Why are Security Metrics Important?
    22.2 What is the Traditional View of Security Metrics Reporting?

22.3 What is the ESRM View of Security Metrics Reporting?. 386

22.3.1 Metrics of Risk Tolerance. 387 Metrics of Risk Tolerance for Security Disciplines. 388

22.3.2 Metrics of Security Efficiency. 388

22.3.3 Comparing ESRM and Traditional Security Reporting. 390

22.4 Building Metrics Reports. 392

22.4.1 Communicating to an Executive Audience. 392 Planning a Security Report for Executives. 392 Building a Security Report for Executives. 393

22.4.2 Communicating to the Security Council Audience. 393 Planning a Security Report for the Security Council 393 Building a Security Report for the Security Council 394

22.4.3 Communicating to a Strategic Partner Audience. 394 Planning a Security Report for Strategic Partners. 394 Building a Security Report for Strategic Partners. 395

22.4.4 Communicating to Security Functional Leadership. 395 Planning a Security Report for Security Management 395 Building a Security Report for Security Management 396

Questions for Discussion. 398

Learn More About It 399

23: ESRM and the Path to Security Convergence. 401

23.1 The Common View of Security Convergence. 402

23.1.1 Technological Convergence. 402

23.1.2 Organization Convergence. 403

23.2 The ESRM View of Security Convergence. 404

23.2.1 Convergence of Philosophy. 404

23.3 Why ESRM Often Leads to Converged Organizations. 405

23.3.1 Changed Understanding of Roles Leads to Changed Structures. 405

23.3.2 Changed Understanding of Risks Leads to Changed Structures. 406

23.3.3 Changed Understanding of Practices Leads to Changed Structures. 406

23.3.4 The Convergence Decision. 407

23.4 The Benefits of a Converged Organization in an ESRM Security Program.. 407

23.4.1 The Converged Security Team Aligns All Security with the Enterprise Business Mission. 407

23.4.2 The Converged Security Team Helps Change the Perception of Security. 408

23.4.3 A Converged Security Program Unifies Security Awareness Efforts. 408

23.4.4 A Converged Security Program Reduces Employee Confusion. 408

23.4.5 A Converged Security Program Promotes Efficiency of Security Operations. 409

23.4.6 A Converged Security Program Optimizes the Risk Profile. 410

23.5 The Challenges of Converging an Organization in an ESRM Security Program.. 411

23.5.1 The “Culture” Challenge. 411

23.5.2 The “Control” Challenge. 412

23.5.3 The “Different Tasks” Challenge. 413

23.6 Executive Leadership of a Converged Organization in an ESRM Environment 414

23.6.1 CSO Requirements in a Converged ESRM Organization. 414

23.7 If Your Enterprise Chooses to Converge. 415

Questions for Discussion. 417

References. 418

Learn More About It 418

Credits. 419

About the Authors. 421

Excerpt from Chapter 22: Reporting and Metrics That Matter

Just as you need executive and strategic partner support to implement your enterprise security risk management (ESRM) program, you also need to keep those stakeholders engaged through regular communications, metrics, and reports on program progress. This chapter shows how reporting metrics in a program run under ESRM differs from the way metrics are traditionally treated in many security programs. It then covers specifics of how to present risk-based data and information to your direct management, strategic partners, and executives so that they can monitor and measure the success of the ESRM program.

This chapter will help you to:

  • Understand the different reports and metrics to use to communicate with different audiences.
  • Build effective metrics and reports for measuring your ESRM program.
  • Tailor your message so that it neither over-communicates nor under-communicates to your intended audience.
  • Build strategic reports that your partners and leaders can use to understand their risk condition.

22.1 Why are Security Metrics Important?

Security metrics matter because a risk-based security program is centered on business leaders setting a risk tolerance and making risk decisions that keep the business operating within that tolerance. A key part of your ongoing ESRM program is therefore to communicate, continually, the status of all enterprise security risk relative to the tolerance that has been set. Beyond that, in almost every business organization the bedrock of strategic and tactical decisions is the daily, weekly, monthly, quarterly, and annual reporting that flows from the lowest levels of the organization to the highest. Your message needs to be clearly and appropriately crafted to show each audience exactly what it needs to know about the status of security risk as it pertains to them and to the decisions they need to make.

Of course, not all of your audiences need the same information. Some of the people you communicate with are making more tactical choices and need more task-oriented detail. These audiences might include:

  • The functional leaders to whom security reports, who control the budget, payroll, and expenses for the security group.
  • Asset owners, who provide direct financial support for some of the risk mitigation activities that the security team carries out.
  • Security department personnel, who need to understand what others in the security department are doing.
  • Procurement teams, who work on hardware, software, and personnel contracts for the security team.

Those groups need a different level of data and information than audiences who take a more strategic view of the enterprise:

  • The board of directors or other leadership/owner group, tasked with ensuring oversight of all enterprise risk.
  • Company senior executives, who need to understand the overall security risk picture.
  • The security council, who will want to understand how the program is managing various security risks, and how the risk tolerances are being maintained.
  • Your functional area strategic partners in the enterprise, who will need to know the status of the security risks impacting their area.

Questions for the Security Practitioner

  • “What security metrics and reports do I currently build? Do I think that the audience reading them can use any of it to make business decisions?”
  • “What are the security aspects that I would like to make my stakeholders aware of? Am I conveying what I want them to know in my reports?”

Regardless of the audience, in an ESRM environment, you will report on risks or groups of risks that are:

  • Associated with an asset or departmental group of assets.
  • Tied to the risk interests and concerns of, and appropriate to, the risk owner or stakeholder.
  • Applied to a business-defined risk tolerance.

Such reporting drives the metrics you deliver in a contextual way, focused on the needs of each audience…