What if I told you that for a mere ten dollars a week, you could have a more successful and respected security organization? For the price of a few cups of coffee a week – would that be worth it?
I’ve noticed that security programs of all sizes, across different industries, experience a similar frustration. That omnipresent tension with the business we serve. The irritating friction that leaves security departments uneasy.
I’ve come to believe that: Lack of vision + Lack of understanding x Lack of meaningful feedback = Inconsistency and frustration.
Properly understood, ESRM (enterprise security risk management) provides an excellent framework to study the organization you serve and create alignment that reduces this inconsistency and frustration, fostering transparency and trust. Your first cup of coffee should be with the key management within your security organization, to align on the answers to a few basic questions. Actually, this might require a couple of jugs of coffee and a few boxes of donuts…
The answers to this question will likely vary and be quite specific to the function each person manages. This is a great crowd sourcing exercise to gauge the understanding of your management team as to what security’s role within the organization is.
This should be an ongoing discussion over several months, as it is important to put thought into this idea and to create an overarching definition that leaves space for the individual functions of the programs within security.
ESRM’s definition of the role of security would be something like this: ‘Security manages the enterprise’s security risks using basic risk principles’.
This high-level definition leaves space for scope to be defined, but there will be a lot of questions from the business about what it means. So, we will have to gather more information so that we can educate them in the future.
What is security’s mission statement? Does it align with, and in some ways mirror, the mission statement of the organization? Is it approved? Who approves these things?
This is a great process to get started. Having a mission statement that accurately portrays the role security plays in the business is essential, and the right decision makers have to align on and agree with it, which will end up being its own series of coffees. If your security organization is to have the authority to work in its role with independence – similar to legal, HR and audit – this is crucial.
Who are our business partners? How are they prioritized? How often do we communicate with them, and what initiates the communication? What is the normal nature and tone of these interactions? Do we keep a history of incidents and feedback for each partner?
Having a common, measurable understanding of where you stand with the most important business units is crucial if you want to establish a foundation to build measurable results upon.
As you align and document security’s perspective on these questions and the issues surrounding them, it’s time to build a plan to engage your business partners in a methodical manner to understand their perspective on these key questions.
The ESRM Cycle begins by identifying and prioritizing assets. Stakeholders in the business are key assets. Set your priorities and send coffee invites. I usually tell them:
“We’re doing a quality audit of how we’re delivering on our commitments to our prime stakeholders. I would love to grab coffee with you to discuss your experiences with us and how we might improve our service to you.”
As you meet with these stakeholders you will be trying to understand THEIR perspective on the following questions:
Thank them for their time and honesty. Set up a recurring cadence that allows you time to work through the feedback they have provided.
This is the beginning of your gap analysis. Over several months you will come to understand security’s perspective versus the business’s perspective. You will document a track record of delivery. You will understand where communication breakdowns are happening. Most importantly, as you continue to work through the feedback, you will remediate and educate alongside your business partners.
This is the process of establishing the context in which an ESRM program and a security organization can thrive.
Without the proper alignment and buy-in from key stakeholders, we will not be granted the authority, scope and independence to examine, consult on and manage security risk, no matter where it manifests itself throughout the enterprise.
This article was originally published in the December edition of Security Journal Americas.