The Manager's Guide to Enterprise Security Risk Management
Description
Is security management changing so fast that you can't keep up? Perhaps it seems like those traditional "best practices" in security no longer work? One answer might be that you need better best practices! In their new book, The Manager's Guide to Enterprise Security Risk Management: Essentials of Risk-Based Security, two experienced professionals introduce ESRM. Their practical, organization-wide, integrated approach redefines the securing of an organization's people and assets from being task-based to being risk-based.
In their careers, the authors, Brian Allen and Rachelle Loyear, have been instrumental in successfully reorganizing the way security is handled in major corporations. In this ground-breaking book, the authors begin by defining Enterprise Security Risk Management (ESRM):
"Enterprise security risk management is the application of fundamental risk principles to manage all security risks - whether information, cyber, physical security, asset management, or business continuity - in a comprehensive, holistic, all-encompassing approach."
In the face of a continually evolving and increasingly risky global security landscape, this book takes you through the steps of putting ESRM into practice enterprise-wide, and helps you to:
- Differentiate between traditional, task-based management and strategic, risk-based management.
- See how adopting ESRM can lead to a more successful security program overall and enhance your own career.
- Prepare your security organization to adopt an ESRM methodology.
- Analyze and communicate risks and their root causes to all appropriate parties.
- Identify what elements are necessary for long-term success of your ESRM program.
- Ensure the proper governance of the security function in your enterprise.
- Explain the value of security and ESRM to executives using useful metrics and reports.
Throughout the book, the authors provide a wealth of real-world case studies from a wide range of businesses and industries to help you overcome any blocks to acceptance as you design and roll out a new ESRM-based security program for your own workplace.
Persons
Brian J. Allen has more than 20 years' experience in virtually every aspect of the security field. He most recently held the position of Chief Security Officer (CSO) with Time Warner Cable (TWC), a leading multinational provider of telecommunications, information, and entertainment services headquartered in New York City. In this role, he was responsible for protecting TWC's assets worldwide, coordinating the company's crisis management and business continuity management (BCM) programs, managing TWC's cybersecurity policy and leading its security risk management program. He managed the company's security policy and relations with law enforcement and government authorities, as well as all customer security risk issues, oversaw internal and external investigations, and headed the company's workplace violence program. Before joining TWC in January 2002, he was Director of the Office of Cable Signal Theft at the National Cable and Telecommunications Association in Washington, D.C., and the owner of ACI Investigations, a multimillion-dollar provider of security guard, investigations, and consulting services.
Brian earned his Bachelor of Science degree in criminal justice from Long Island University and received his Juris Doctor degree from Touro Law Center in New York. He is a member of the New York State Bar Association, a Certified Protection Professional (CPP) with ASIS, a Certified Information Systems Security Professional (CISSP) with ISC2, a Certified Fraud Examiner (CFE) with the ACFE and a Certified Information Security Manager (CISM) with ISACA. Brian is also a member of the International Security Management Association and the Association of Threat Assessment Professionals.
Brian is an Adjunct Professor at the University of Connecticut, School of Business MBA Program and is active in industry organizations. He served as a member of the Communications Infrastructure Reliability and Interoperability Council (CSRIC), an FCC appointed position, and co-chaired its working group on Cybersecurity Best Practices and the Cybersecurity Framework. He is also one of four elected communications company representatives to serve on the Executive Committee of the US Communications Sector Coordinating Council (CSCC). He works with the Cross Sector Cybersecurity Working Group, established by the U.S. Department of Homeland Security (DHS) under the Critical Infrastructure Partnership Advisory Council. Brian has served on the board of directors of ASIS International, and the board of trustees of ASIS International's Foundation. He is currently a member of the Board of Directors of the Domestic Violence Crisis Center in Connecticut.
Content
- Intro
- Title page
- Copyright
- Part 1
- Chapter 1: What is Enterprise Security Risk Management (ESRM)?
- 1.1 ESRM Defined
- 1.1.1 Enterprise
- 1.1.2 Security Risk
- 1.1.3 Risk Principles
- 1.2 How is ESRM Different from Traditional Security?
- 1.2.1 Traditional Corporate Security Scenarios: Something is Missing
- 1.3 What is ESRM? - A Closer Look
- 1.3.1 The Phases of the ESRM Life Cycle
- 1.3.2 Managing Risk in a Life Cycle
- 1.4 What ESRM Is - and What It Is Not
- 1.4.1 ESRM Mission and Goals
- 1.4.1.1 Enterprise Risk Management: A Brief Overview
- 1.4.2 ESRM vs. Security Organization Convergence
- Chapter 2: Why Does the Security Industry Need ESRM?
- 2.1 Why Does the Traditional Approach to Security Frustrate So Many People?
- 2.1.1 The Missing Network Switch: A Story of Security Frustration in a Traditional Security Environment
- 2.1.2 The Missing Network Switch: A Story of Security Partnership in an ESRM Security Environment
- 2.1.3 The Missing Network Switch: Lessons Learned and the ESRM Difference
- 2.2 What Do We Mean by "Traditional" Security vs. ESRM?
- 2.2.1 What Does Security Do? The Traditional View
- 2.2.1.1 The Answer from the Security Practitioner
- 2.2.1.2 The Answer from the Board of Directors and Senior Executives
- 2.2.1.3 The Answer from Operational Personnel
- 2.2.2 Why the Security Industry Needs to Define "Security"
- 2.2.3 What Does Security Do? The ESRM View
- 2.2.3.1 Managing Security Risks
- 2.2.3.2 Basic Risk Principles
- 2.3 The Security Professional and the Business Leader: Moving Beyond Frustration with One Another
- 2.4 ESRM-Based Security: Moving from Task Management to Risk Management
- 2.4.1 Task Management
- 2.4.2 Risk Management
- 2.5 The ESRM Solution: A New Philosophy
- 2.5.1 Security Becomes Strategic
- 2.5.2 Security Becomes a Business Function
- 2.6 ESRM as a Path to Security Success
- 2.6.1 What Does "Security Success" Look Like?
- 2.6.1.1 Success Is Not Just Measured by Numbers
- 2.6.1.2 In Security Success, Intangibles Are Important
- 2.6.1.3 Your Answers Create Your Definition of "Success"
- Part 2
- Chapter 3: Preparing to Implement an ESRM Program
- 3.1 Begin by Working to Understand the Business and Its Mission
- 3.1.1 What Are the Insiders Saying?
- 3.1.2 What is the Business Saying About Itself?
- 3.1.3 What Are Outsiders Saying?
- 3.1.4 What Isn't Being Said?
- 3.1.5 What Is the Environment the Enterprise Operates In?
- 3.1.6 Who Are the Environmental Decision-Makers?
- 3.2 Understanding Your Stakeholders - and Why They Matter
- 3.2.1 What Is a Stakeholder?
- 3.2.2 Why Should You Care About Stakeholders?
- 3.2.3 What Is the Role of the Stakeholders in ESRM?
- 3.2.4 Finding Your Stakeholders: A Closer Look
- 3.2.5 Example 1: Customer Personal Data - Whose Asset Is It?
- 3.2.6 Example 2: Customer Personal Data - Who Decides
- Chapter 4: Following the ESRM Life Cycle
- 4.1 What is the ESRM Life Cycle?
- 4.2 Step 1: Identify and Prioritize Assets
- 4.2.1 How Do You Identify Business Assets?
- 4.2.2 Who Really "Owns" an Asset?
- 4.2.3 How Do You Assign Value to Assets?
- 4.2.3.1 Simple Tangible Asset Valuation (Two Methods)
- 4.2.3.2 Complex Tangible Asset Valuation
- 4.2.3.3 Intangible Asset Valuation
- 4.2.3.4 Business Impact Analysis (BIA)
- 4.2.4 How Do You Prioritize Assets for Protection?
- 4.2.5 How Do You Deal with Conflicts in Asset Valuation and Prioritization?
- 4.3 Step 2: Identify and Prioritize Risks
- 4.3.1 How Do You Assess Risk?
- 4.3.2 How Do You Find All the Risks?
- 4.3.3 How Do You Prioritize Risk?
- 4.4 Step 3: Mitigate Prioritized Risks
- 4.4.1 Risk Treatment Options
- 4.4.2 Who Has the Final Word on Risk Mitigation?
- 4.5 Step 4: Improve and Advance
- 4.5.1 Incident Response
- 4.5.2 Root Cause Analysis
- 4.5.3 Ongoing Security Risk Assessment
- Chapter 5: Phased Rollout
- 5.1 Design Thinking - A Conceptual Model for Your ESRM Program
- 5.1.1 The Phases of Design Thinking
- 5.1.1.1 Empathy
- 5.1.1.2 Definition
- 5.1.1.3 Ideation/Brainstorming
- 5.1.1.4 Prototyping
- 5.1.1.5 Testing
- 5.2 Iterative ESRM Program Rollout in a Formal Design Thinking Model
- 5.2.1 Educate and Involve (Empathy)
- 5.2.2 Iterate (Your Definition and Prototypes)
- 5.2.3 Mature the Process (Testing/Feedback)
- 5.2.4 Expand (Begin the Design Thinking Process Again with a Larger Scope)
- 5.3 ESRM Program Rollout Checklist
- Part 3
- Chapter 6: Essentials for Success
- 6.1 Transparency
- 6.1.1 Process Transparency
- 6.1.2 Risk Transparency
- 6.2 Independence
- 6.3 Authority
- 6.4 Scope
- 6.4.1 Example: Risk Management in Scope with Mitigation Actions by Security
- 6.4.2 Example: Risk Management in Scope with Mitigation Actions by the Business
- Chapter 7: ESRM Governance, Metrics, and Reporting
- 7.1 What is Corporate Governance?
- 7.1.1 Why Corporate Governance Is Complex
- 7.1.2 Importance of OECD Guidelines
- 7.2 How Does Corporate Governance Apply to ESRM?
- 7.3 The Security Council's Role in ESRM
- 7.4 Setting Up a Security Council
- 7.4.1 Security's Role on the Security Council: What It Is and What It Is Not
- 7.4.1.1 What the Role of the Security Practitioner Is
- 7.4.1.2 What the Role of the Security Practitioner Is Not
- Chapter 8: Where Should Security Report in an Organization Structure?
- 8.1 Reporting Options
- 8.2 What Does Security Need to Be Successful?
- 8.3 Some Lines of Reporting Carry Obvious Conflicts
- 8.4 Greatest Success Comes with the Greatest Independence
- Chapter 9: What Do Executives Need to Know About ESRM?
- 9.1 The Challenge of Executive Support
- 9.2 Communicating ESRM Concepts to the Executive
- 9.2.1 For the Executive: Understand the Underlying Philosophy of ESRM and the Role of Security
- 9.2.2 For the Executive: Understand ESRM Parallels with Other Risk-Based Functions
- 9.2.2.1 For the Security Practitioner: What Are Audit, Legal, and Compliance?
- 9.2.2.2 For the Security Practitioner: What Do Audit, Legal, and Compliance Functions Need for Success?
- 9.3 For the Executive: What is Your Role in Supporting an ESRM Security Structure?
- 9.3.1 Ensuring a Definition of Security Success
- 9.3.2 Ensuring the Correct Security Skill Sets
- 9.3.3 Ensuring the Essentials for Success Are in Place
- 9.3.4 Ensuring the Correct Reporting Structure
- 9.3.5 Ensuring the Board or Enterprise Ownership is Aware of the Role of Security and Security Risks as a Business-Critical Topic
- 9.4 For the Executive: What Should You Expect from the ESRM Program?
- Chapter 10: Reports and Metrics
- 10.1 Metrics of Risk Tolerance
- 10.1.1 Example of a Security Report
- 10.1.1.1 Planning the Report
- 10.1.1.2 Building the Report
- 10.2 Metrics of Security Department Efficiency
- 10.3 Communicating to an Executive Audience
- 10.4 A Look into the Future - A Successful ESRM Program
- References
- Credits
- About the Authors
- More from Publisher
System requirements
File format: ePUB
Copy protection: Adobe-DRM (Digital Rights Management)
System requirements:
- Computer (Windows; MacOS X; Linux): Install the free reader Adobe Digital Editions prior to download (see eBook Help).
- Tablet/smartphone (Android; iOS): Install the free app Adobe Digital Editions or the app PocketBook before downloading (see eBook Help).
- E-reader: Bookeen, Kobo, Pocketbook, Sony, Tolino and many more (not Kindle).
The file format ePub works well for novels and non-fiction books, i.e., "flowing" text without complex layout. On an e-reader or smartphone, line and page breaks automatically adjust to fit the small displays.
This eBook uses Adobe-DRM, a "hard" copy protection. If the necessary requirements are not met, unfortunately you will not be able to open the eBook. You will therefore need to prepare your reading hardware before downloading.
Please note: We strongly recommend that you authorise using your personal Adobe ID after installation of any reading software.
For more information, see our ebook Help page.