Pinkerton has been a pioneer in its holistic approach to Enterprise Security Risk Management (ESRM) best practices with its creation of the Risk Wheel back in 2012. More than ever, having a total risk perspective is critical in an increasingly connected threat landscape. ASIS International, the leading association for security management professionals worldwide, recently named Enterprise Security Risk Management (ESRM) as a top priority.
But what is enterprise security? And why is it so important now? Pinkerton President Jack Zahran and Vice President Rick Gurley provide their perspective in this post.
What Is Enterprise Security Risk Management (ESRM)?
ASIS defines Enterprise Security Risk Management as “a management process used to effectively manage security risks, both proactively and reactively, across an enterprise. Enterprise security risk management continuously assesses the full scope of security-related risks to an organization and within the enterprise’s complete portfolio of assets. The management process quantifies threats, establishes mitigation plans, identifies risk acceptance practices, manages incidents, and guides risk owners in developing remediation efforts.”
“We call that a holistic approach to security, something we’ve been discussing with our clients for the past five or more years,” says Zahran. “What defines the enterprise and the trends affecting the enterprise are changing as the world gets more connected. No longer are facilities, departments or even employees operating as stand-alone operations. They are increasingly interconnected and with that comes increased threats to a company’s operation. The enterprise has to be looked at that way with security as a top priority.”
Take trends in the automotive industry as an example. A large OEM operates internationally, with facilities on nearly every continent. Historically, most OEMs have distributed vehicles under several different brands. Each brand would create strategies and operational tactics that were mostly independent of the others. The brands would operate as silos, each with its own operational structure, procedures and security protocols. Today, however, a more centralized approach to enterprise security is needed as companies meet the challenge of staying ahead of global, regional and local threats to their brands and physical assets.
“Continuity is the key driver,” says Zahran. “Strategic initiatives at the top level need to be implemented at the local levels and across multiple brands. Often, those strategies compete with normal business operations. The big picture plan ignores the individual tactics that have to happen at the facility level. Most companies don’t have the resources to establish this kind of centralized security position.”
Enterprise security can’t happen overnight
As ASIS acknowledged in its announcement, the “siloed” approach to security will no longer be effective due to global interconnectivity. But moving to a holistic security approach with centralized management of strategies and tactics will not happen overnight for most companies. “Developing a centralized enterprise security operation that can anticipate global operational threats before they become real risks is a large undertaking,” Zahran explains. “It takes a new skill set and a network of intelligence-gathering procedures to ensure that intel is up-to-date and actionable.”
“There has to be a level between where strategies are developed and how they get implemented,” says Gurley. “For example, companies may see the benefits of every employee having a company-issued phone so that communication can flow more easily and efficiencies increase. However, the exposure this creates to potential hacks and other brand reputation issues has to be considered up front, with plans to mitigate risks. A centralized security operation that is ‘at the table’ when plans are made is critical.”
The key to enterprise security: agility and specialization
“Put up a gate and post a guard.”
That old scenario for what a company should do when bringing a new facility online just doesn’t work anymore in the face of current trends. Threats exist on many more levels today. “The Internet of Things is just one example,” says Gurley. “Cars that salespeople drive are becoming far more connected, which delivers many benefits to the employee and the employer. It also creates an opportunity for risks, like the vehicle being overtaken by hackers and controlled remotely as an act of terrorism. Car manufacturers, excited to create the next best state-of-the-art vehicle, have to anticipate security issues like these well before they become reality.”
“Agility is the top requirement of today’s security organizations,” stresses Zahran. “Gathering intelligence in real time and getting it to those who can act upon it is more important than ever. Being able to implement changes rapidly and effectively is key. A brand’s reputation can be damaged so much more quickly today, causing short- and long-term losses of business if not handled with great agility.”
“Enterprise Security Risk Management also requires specialization throughout an organization’s security operation. Generalists can’t see as far out into the future as those specializing in certain disciplines, tactics, regions, and cultures. Understanding the four quadrants of risk and how they will be impacted by strategies and tactics is imperative.”
ASIS is right to adopt the Enterprise Security Risk Management approach as a top priority. It is critical to having an effective program.