Improving Security Risk Management

Article excerpt

A case for enterprise risk management

THE security industry is moving towards placing greater importance on risk management, especially where it converges with security management. This reality will eventually affect all security professionals at all levels of an organization: it will change the way we think about our jobs and the way we communicate what we do for our organizations. In some cases, it will require that we acquire and apply new skills. To be successful, we will also need to find and employ better tools.

The View From The Top

ASIS International is the preeminent global association of security professionals. In April 2011, its CSO (Chief Security Officer) Roundtable published How Great Risks Lead to Great Deeds: A Benchmarking Survey and White Paper, which surveyed 80 CSOs and 200 security professionals and found that 80 percent of their organizations have formalized their risk analysis processes. For instance, 50 percent of those participating in the survey stated they have a regulatory mandate to conduct enterprise risk management (ERM). ERM is a framework that includes the methods and processes that drive risk management for an entire organization, including managing risks and leveraging opportunities. Those "highest risks" within the organization often must be communicated to the Board, and likewise disclosed to stakeholders.

Intellectual leaders at the Security Executive Council echo the survey's results and state that ERM is one of the universal issues that will come to significantly impact the security industry. ERM is not a new concept, but senior security professionals' participation in the ERM process is more recent and on the rise.

For any organization to determine its highest, or "board level," security risks, it must assess and know about security risks from its various business units, as well as those security risks from within the corporate offices. That would seem easy enough. Yet, the key question is often not IF one should perform security risk assessments, but rather how one does them. Is everyone even using a common methodology? That challenge is magnified for multinationals or organizations operating in dozens of countries, with different languages and different levels of maturity and basic understanding of risk management.

The Quest for a Common Methodology

While many security professionals have recognized the importance of using risk management practices in daily duties, only recently has a consensus regarding a common methodology come forth. ISO 31000 - Risk Management - Principles and Guidelines is the most recent international standard on the general subject of risk management. Published in November 2009, it is a relatively new publication. It is intended to be a broad-based "best practice" that can be applied to a "wide range of activities, including strategies and decisions, operations, processes, functions, projects, products, services and assets," and "applied to any type of risk, whatever its nature, whether having positive or negative consequences." This standard is accompanied by ISO 31010 - Risk Management - Risk Assessment Techniques.

In drilling down from the macro (ERM or ESRM) toward the micro (performing a security risk assessment), ASIS already has a guideline entitled ASIS General Security Risk Assessment Guideline. According to the guideline, it "provides a seven-step process that creates a methodology by which security risks at a specific location can be identified and communicated." Although it was published in 2003, predating ISO 31000, many of the tenets in this seven-step process are consistent with the new ISO standard. ASIS is also now forming a committee to develop a new Risk Assessment Standard (201X). According to Dr. Marc H. Siegel, Commissioner of the Global Standards Initiative at ASIS International, this new ASIS Standard "will be aligned with the ISO 31000." All indicators seem to point to the new ISO 31000 standard becoming the base for a common methodology.

Challenges in the Application of Security Risk Management Principles

Even with an industry trending toward risk management and a common methodology, there remain challenges in accepting and applying these principles. A colleague, who is a CSO, recently told me, "Statistics make my head hurt." He explained that thus far his security department has been able to opt out of participation in their corporate ERM process. As he opined, "Security is more like art and security risks really can't be calculated." I agree, in part, that applying principles of risk does require some "estimation" and that calculating the "probability of a future event," like any forecasting exercise, can be somewhat subjective. Often it requires using a "gut feeling," which might be more akin to "art" than science. So, the exercise of estimating risk does require a new skill set, one that can sometimes discomfort a professional security manager who has not yet acquired said ability.

However, I would disagree with a system in which the security department may "opt out" of the ERM process. Peter Drucker, a well-known management consultant, is often credited with the quote, "You can't manage what you don't measure." His quote is cited in an April survey from the consulting firm KPMG, "Risk Management - A Driver of Enterprise Value in the Emerging Environment." This recent survey highlights that there remain significant challenges within organizations when it comes to how risk management is understood and communicated. Specifically noted are the challenges in aggregating and quantifying risks, and embedding a risk culture within an organization. A security department operating as an island within an organization cannot, almost by definition, be maximally effective. The constantly changing and fluid nature of the new global environment demands integration and communication with the other sections of a company. Succeeding in tomorrow's security industry will require security professionals to buy into the concept of "risk management" and learn how to apply it in the security field. To be successful they will need to acquire the tools, skills and the necessary comfort level to accurately estimate risks: the probabilities that future security events might occur and what consequences those events could have on the organization.

What to Look for When Leveraging Technological Solutions

If one seeks to improve security risk management, even when armed with a common methodology, technological "tools" may be desirable to effect change throughout the organization. Multinational corporations and other worldwide organizations need new tools to ensure that security risk assessments done in Bangkok are done the same way, and to the same standard, as those done in Buenos Aires and Lagos. Those tools need to be user-friendly, saving time at the user level, with the objective of producing as accurate an estimate of security risks as possible, reducing "subjectivity" along the way. To be of value to the organization, tools must enable better, more rapid communication of security risks, both horizontally and vertically, within the hierarchy - from the business unit to the Board - for faster, better decision making. These tools must also connect back into any given corporate ERM (or ESRM) processes. To enhance the security professional's effectiveness, technological solutions have to go beyond software that merely registers or reports a risk. As security professionals, we are charged with knowing as much as possible about the security environments in which we operate. The ASIS General Security Risk Assessment Guideline (2003) says one must look at the history of any area, which we call "situational awareness," and that the task begins with reviewing a number of sources of information, efficiently and continually. Tools like digital maps or GIS-based applications can dramatically assist security professionals in this effort.

As the ASIS guideline indicates, most of those sources of information are local. The marketplace so far has focused on providing subscription-based information services. Those products provide a broad, overarching strategic account of "what is happening and where." Unfortunately, many of them often fail to provide and track the locally relevant tactical data in which one so desperately needs fidelity when it comes to security risk assessments. High quality tools will help guide an organization in the estimation and management of security risks when using an approved methodology - such as the ASIS guidelines or ISO 31000. Those types of tools help bridge the gaps between language and risk culture within different operating environments to ensure a more consistent and effective outcome within any organization.

A Final Thought

It is clear that in today's fast-paced and rapidly changing world the security professional's job is becoming more and more difficult and demanding. Yet, the means exist to convert that challenge into an opportunity to become more effective and more proactive workers, as well as more integrated with, and more integral to, the overall organization.

[Author Affiliation]

Mike Faessler is a retired US Army officer, has previously worked as a government contractor, and most recently worked in the private sector as a global head of security within the mining sector. He is the President of Oversight Risk Consulting in Bogota, Colombia. Mark Morgan is the CIO for Oversight, and a veteran in the IT field with 30+ years of experience in systems administration, programming, and IT management.