Enterprise Security Risk Management (ESRM) is a strategic approach to security management that ties an organization’s security practice to its overall strategy using globally established and accepted risk management principles. ASIS International launched a guideline to ESRM in 2019 that explains in detail how that strategic approach works and how to implement it. You can access information about that guideline here.
This article will serve as the foundation for the Security Magazine InfoCenter on ESRM. The InfoCenter will focus on why security organizations should embrace the risk-based approach to security that ESRM codifies. We will also explore different aspects of ESRM, and strategies for implementing and supporting a risk-based approach to security in your organization.
The heart of ESRM, and the key to gaining the business benefits of taking a risk-based approach to security, is that the security professionals and the asset owners share security responsibilities. All final security decisions, however, remain the responsibility of the asset owners: the people whose assets are being protected and who, as the owners of the exposure, usually also own the budget to protect those assets. With that key focus in mind, this article frames the underlying philosophy of ESRM that we will assume throughout all of the material in this InfoCenter.
What Drives ESRM?
ESRM is partnership:
- ESRM recognizes that security responsibilities are shared by both security and business leadership, but that all final security decision-making is the responsibility of the business leaders.
- The role of the security leader in ESRM is to manage security vulnerabilities to enterprise assets in a risk decision-making partnership with the organization leaders in charge of those assets.
ESRM is holistic and inclusive:
- A mature ESRM program encompasses all aspects of security risk mitigation practices to prevent security risk impacts to the enterprise.
- Because the business owns the security risk, the value of the security function lies in providing business deliverables rather than security deliverables for their own sake.
ESRM is participation:
- Managing the security decision-making process requires:
  - Educating business partners on their risk exposures.
  - Presenting potential security strategies to protect assets.
  - Implementing the business leader’s decision.
  - Documenting the residual risk and continuing to educate your business partners.
What Is ESRM?
The risk-based approach to managing security programs is based on the idea that you cannot protect what you do not understand. Understanding your organization, its mission, its needs and its priorities is the essence of the ESRM life cycle.
We are asking these questions of the business:
- What do I need to protect?
- What do I need to protect it from?
- How can I best and most efficiently protect it?
Those questions can be answered by following the steps of the ESRM Life Cycle:
The ESRM Lifecycle
- Identify and Prioritize Assets: The process of identifying, understanding and prioritizing the enterprise’s assets.
- Identify and Prioritize Risks: Identifying, understanding, and prioritizing the security risks to the enterprise and their relationship to the assets’ value.
- Mitigate Prioritized Risks: Taking the necessary, appropriate and realistic steps to protect against the most serious security threats and risks.
- Continuous Improvement: The risk paradigm of managing security risks is a cyclical approach to continuously improve and advance the security posture of the enterprise.
If we keep those three basic business questions in mind, everything we do in our security programs will tie together in a chain of value to the business. Any activity we perform in security will be performed in response to an identified risk; all of our risks are tied directly to our critical assets; and the value of the program is in ensuring that the organization does not experience harm to, or loss of, those assets that would cause unacceptable hardship to the business.