Is security management changing so fast that you can’t keep up? Perhaps it seems like those traditional “best practices” in security no longer work? One answer might be that you need better best practices! In their new book, The Manager’s Guide to Enterprise Security Risk Management: Essentials of Risk-Based Security, two experienced professionals introduce ESRM. Their practical, organization-wide, integrated approach redefines the securing of an organization’s people and assets from being task-based to being risk-based.
In their careers, the authors, Brian Allen and Rachelle Loyear, have been instrumental in successfully reorganizing the way security is handled in major corporations. In this ground-breaking book, the authors begin by defining Enterprise Security Risk Management (ESRM):
“Enterprise security risk management is the application of fundamental risk principles to manage all security risks − whether information, cyber, physical security, asset management, or business continuity − in a comprehensive, holistic, all-encompassing approach.”
In the face of a continually evolving and increasingly risky global security landscape, this book takes you through the steps of putting ESRM into practice enterprise-wide, and helps you to:
Differentiate between traditional, task-based management and strategic, risk-based management.
See how adopting ESRM can lead to a more successful security program overall and enhance your own career.
Prepare your security organization to adopt an ESRM methodology.
Analyze and communicate risks and their root causes to all appropriate parties.
Identify what elements are necessary for long-term success of your ESRM program.
Ensure the proper governance of the security function in your enterprise.
Explain the value of security and ESRM to executives using useful metrics and reports.
Throughout the book, the authors provide a wealth of real-world case studies from a wide range of businesses and industries to help you overcome any blocks to acceptance as you design and roll out a new ESRM-based security program for your own workplace.
Publisher: Rothstein Associates Inc.
Product dimensions: 8.50(w) x 11.00(h) x 0.32(d)
About the Author
Brian Allen served as Chief Security Officer (CSO) with Time Warner Cable (TWC), a leading multinational provider of telecommunications, information, and entertainment services headquartered in New York City. In this role, he was responsible for protecting TWC's assets worldwide, coordinating the company's crisis management and business continuity management (BCM) programs, managing TWC's cybersecurity policy and leading its security risk management program. He managed the company's security policy and relations with law enforcement and government authorities, as well as all customer security risk issues, oversaw internal and external investigations, and headed the company's workplace violence program. Before joining TWC in January 2002, he was Director of the Office of Cable Signal Theft at the National Cable and Telecommunications Association in Washington, D.C., and the owner of ACI Investigations, a multimillion-dollar provider of security guard, investigations, and consulting services.
Brian earned his Bachelor of Science degree in criminal justice from Long Island University and received his Juris Doctor degree from Touro Law Center in New York. He is a member of the New York State Bar Association, a Certified Protection Professional (CPP) with ASIS, a Certified Information Systems Security Professional (CISSP) with ISC2, a Certified Fraud Examiner (CFE) with the ACFE and a Certified Information Security Manager (CISM) with ISACA. Brian is also a member of the International Security Management Association and the Association of Threat Assessment Professionals.
Brian is an Adjunct Professor at the University of Connecticut, School of Business MBA Program and is active in industry organizations. He served as a member of the Communications Infrastructure Reliability and Interoperability Council (CSRIC), an FCC appointed position, and co-chaired its working group on Cybersecurity Best Practices and the Cybersecurity Framework. He is also one of four elected communications company representatives to serve on the Executive Committee of the US Communications Sector Coordinating Council (CSCC). He works with the Cross Sector Cybersecurity Working Group, established by the U.S. Department of Homeland Security (DHS) under the Critical Infrastructure Partnership Advisory Council.
Brian has served on the board of directors of ASIS International, and the board of trustees of ASIS International's Foundation. He is currently a member of the Board of Directors of the Domestic Violence Crisis Center in Connecticut.
Rachelle Loyear has spent over a decade managing various projects and programs in corporate security organizations, focusing strongly on business continuity and organizational resilience. In her work life, she has directed teams responsible for ensuring resilience in the face of many different types of security risks, both physical and logical. Her responsibilities have included: Security/BCM program design and development; crisis management and emergency response planning; functional and location-based recovery and continuity planning; crisis management and continuity training and operational continuity exercises; and logistical programs, such as public/private partnership relationship management and crisis recovery resource programs.
She began her career in information technology (IT), working in programming and training design at an online training company, before moving into the telecommunications industry. She has worked in various IT roles - including Web design, user experience, business analysis, and project management - before moving into the security/business continuity arena. This diverse background enables her to approach security, risk, business continuity, and disaster recovery with a broad methodology that melds many aspects into a cohesive whole.
Rachelle holds a bachelor's degree in history from the University of North Carolina at Charlotte, and a master's degree in business administration from the University of Phoenix. She is certified as a Master Business Continuity Professional (MBCP) through DRI International, as an Associate Fellow of Business Continuity International (AFBCI), as a Certified Information Security Manager (CISM) through ISACA, and as a Project Management Professional (PMP) through the Project Management Institute (PMI). She is active in multiple BCM industry groups and is vice-chair of the Crisis Management and Business Continuity Council of ASIS International as well as serving on the IT Security Council.
Kristen Noakes-Fry, ABCI, is Executive Editor at Rothstein Publishing. Previously, she was a Research Director, Information Security and Risk Group, for Gartner, Inc.; Associate Editor at Datapro (McGraw-Hill), where she was responsible for Datapro Reports on Information Security; and Associate Professor of English at Atlantic Cape College in New Jersey. She holds an M.A. from New York University and a B.A. from Russell Sage College.
Table of Contents
Part 1: What Is Enterprise Security Risk Management (ESRM) And How Can It Help
1. What is Enterprise Security Risk Management (ESRM)?
1.1 ESRM Defined
1.2 How is ESRM Different from Traditional Security?
1.3 What is ESRM? − A Closer Look
1.4 What ESRM Is – and What It Is Not
2. Why Does the Security Industry Need ESRM?
2.1 Why Does the Traditional Approach to Security Frustrate So Many People?
2.2 What Do We Mean by “Traditional” Security vs. ESRM?
2.3 The Security Professional and the Business Leader: Moving Beyond Frustration with One Another
2.4 ESRM-Based Security: Moving from Task Management to Risk Management
2.5 The ESRM Solution: A New Philosophy
2.6 ESRM as a Path to Security Success
Part 2: Implementing an ESRM Program
3. Preparing to Implement an ESRM Program
3.1 Begin by Working to Understand the Business and Its Mission
3.2 Understanding Your Stakeholders − and Why They Matter
4. Following the ESRM Life Cycle
4.1 What is the ESRM Life Cycle?
4.2 Step 1: Identify and Prioritize Assets
4.2.4 How Do You Prioritize Assets for Protection?
4.3 Step 2: Identify and Prioritize Risks
4.4 Step 3: Mitigate Prioritized Risks
4.5 Step 4: Improve and Advance
5. Phased Rollout
5.1 Design Thinking – A Conceptual Model for Your ESRM Program
5.2 Iterative ESRM Program Rollout in a Formal Design Thinking Model
5.3 ESRM Program Rollout Checklist
Part 3: Ensuring Long-Term ESRM Success
6. Essentials for Success
6.1 Transparency
6.2 Independence
6.3 Authority
6.4 Scope
7. ESRM Governance, Metrics, and Reporting
7.1 What is Corporate Governance?
7.2 How Does Corporate Governance Apply to ESRM?
7.3 The Security Council’s Role in ESRM
7.4 Setting Up a Security Council
8. Where Should Security Report in an Organization Structure?
8.1 Reporting Options
8.2 What Does Security Need to Be Successful?
8.3 Some Lines of Reporting Carry Obvious Conflicts
8.4 Greatest Success Comes with the Greatest Independence
9. What Do Executives Need to Know About ESRM?
9.1 The Challenge of Executive Support
9.2 Communicating ESRM Concepts to the Executive
9.3 For the Executive: What is Your Role in Supporting an ESRM Security Structure?
9.4 For the Executive: What Should You Expect from the ESRM Program?
10. Reports and Metrics
10.1 Metrics of Risk Tolerance
10.2 Metrics of Security Department Efficiency
10.3 Communicating to an Executive Audience
10.4 A Look into the Future – A Successful ESRM Program
About the Authors