The philosophy of Enterprise Security Risk Management, or ESRM, encourages businesses to recognize that security-related tasks affect all areas of commerce. Security is not, and should not be, an afterthought, nor should it be a fragmented effort.
In essence, ESRM advocates adopting a proactive and continuous risk management principle rather than a passive one. More importantly, one of the keys to adopting an ESRM mindset is to have everyone in the company on board with this approach.
Security should not be the concern of security personnel alone; rather, it requires the entire organization to take a holistic approach to security. Everyone involved in the business should be made aware of the inherent risks associated with their actions.
Security experts weigh in
Over the course of several years, we’ve spoken to a number of security experts and businesses alike to gather their thoughts on what ESRM is exactly, and we asked them tough questions such as: how do you implement this “big-picture security mindset?” And do we need to adopt this approach at all?
Read on to find out what they said.
Rachelle Loyear: 3 Steps to ESRM
Rachelle is a staunch advocate of ESRM. She believes that it entails a lot of things. In its simplest form, it means “taking a risk management” approach to security, which requires recognizing that security is an everyday risk that needs to be mitigated.
Offering a roadmap of sorts to undertake an ESRM approach, Rachelle outlines that the first step is understanding what you have to keep safe. Why? Because you can’t keep something safe that you don’t know or understand. She advises that you must have a very thorough understanding of your business: what it does, what its mission is, what its critical functions are.
The second step is to build relationships in the organization, because if you’re not talking to your coworkers or the leaders of other departments, then you don’t know what’s important to them. If you’re not communicating, then you’re guessing what their needs are and what they need to protect.
Lastly, you need to understand that you can’t protect everything, but you do need to protect what keeps the organization running. Ideally, you would protect everything and make your entire organization resilient. In the event of an incident, you want every department to recover and come back within a 24-hour timeframe. But not every asset has to come back in order for the organization to be resilient. That’s why, in the third step, you have to understand the moving parts of your organization and how its risks and assets are prioritized.
Phil Ingram, MBE: ESRM has transformative powers
In a recent TrackTik blog, UK security expert Phil Ingram says that ‘physical security becomes even more powerful when its mission and objectives are aligned to those of the business whose assets and activities it’s there to protect.’ This echoes what Rachelle points out earlier and coincidentally it is also the original vision of what Enterprise Security Risk Management (ESRM) was intended to be. Phil goes on to add that it will also take security operations further by transforming operations from a ‘necessary evil’ to a value-added function.
Richard Latham: ESRM in practice
In a conversation between Phil Ingram and Richard Latham, a former Head of Security at the iconic London O2 arena, another important aspect of the ESRM objective emerged. Richard believes that security staff are an integral part of the customer experience (as he observed at the O2 arena). His staff were not just an afterthought added to the event. This drove Richard to align his security needs with providing an enjoyable customer experience, which is why, in terms of security staffing, he would, for example, need security personnel with experience dealing with the public and the associated soft skills.
This level of consideration for security staff, and their alignment with the overall business of the O2 arena, is an example of how ingrained security can be in an organization.
Tim McCreight: ESRM will professionalize security
Tim McCreight is one of the loudest voices in the ESRM corner. According to him, “ESRM is a philosophy and framework that will change the way we operate as security professionals.” He also feels that the successful adoption of ESRM as an ASIS and industry standard will lead to the evolution of security and it will no longer be viewed as a trade but instead viewed as a profession supported by experts. He goes on to add that “through the professionalization of the security industry, the role of security and security professionals will transform from the operational to the strategic.”
The ESRM mindset
The general consensus is that through an ESRM mindset, security can become part of the executive conversation and get the proverbial ‘seat at the table’ that everyone is looking for.
As customer expectations of security service providers continue to grow, security personnel are increasingly expected to go beyond being a traditional ‘guard at a gate.’ Today, they are also expected to contribute to business value. These expectations create a supportive environment for the professionalization of security and for ESRM.