
Uncovering A New Level of Threats
Posted on Tuesday, February 14th, 2017 by Tim McCreight

The Next Level

This article was originally published in Canadian Security Magazine on February 12, 2017.

As I begin another year in the security industry, I’m hopeful that during 2017 we see our profession focus on Enterprise Security Risk Management, and that we begin the journey to identifying ourselves more closely as enterprise risk professionals.


Why Enterprise Security Risk Management?

ASIS International fuelled some of my optimism in November 2016 when they announced the resurrection of Enterprise Security Risk Management (ESRM) as a strategic priority for ASIS and its members worldwide. As a new member of the ASIS Board of Directors, I’m encouraged to see the focus on addressing risks across an enterprise, and how a security program can positively affect the risk posture of an organization while enabling business objectives through the treatment of risk. For those who’ve read this column over the past couple of years, you know where my passion lies — helping an organization achieve its objectives by identifying risks, and either accepting these risks or working out strategies to mitigate the risks.

I’m hoping this renewed focus on ESRM triggers new conversations amongst security professionals, and in turn begins deeper dialogues with executives in organizations regarding enterprise risks. Security professionals will soon see new material on how ESRM principles can be incorporated into a holistic security program, and how discussions with senior leadership regarding risks and risk treatment can be an amazing avenue for greater collaboration across the enterprise.


Opportunities and Limitations

This program isn’t a panacea for the security industry, and it will not help resolve every risk facing every organization. On the contrary, this realignment toward ESRM principles and practices will have the opposite effect — more risks will undoubtedly be uncovered in organizations, and from different areas of the organization than typically addressed by a “stove pipe” approach to security.

Security organizations cannot operate in one or two silos, hoping to make their portion of the enterprise “secure.” Security programs cannot be successful if they only address a portion of the enterprise, and do not address risks from a holistic perspective. Throughout the history of this column, I’ve provided personal examples of what can go wrong with a risk assessment, or a security program, if you only focus on immediate issues, and don’t look at risks from a more strategic perspective.

 

The Future of Information Security

We are entering into a new time for our profession. Recent headlines across the globe have documented what can go wrong when risks are not identified, or their potential impacts are not understood. From terrorist strikes to ransomware attacks to concerns about altering election outcomes, we were exposed to a variety of security events in the past few years. I believe we have moved into a new level of threat — the subtle threats to organizations that mask themselves as something entirely benign, but with the potential to critically impact an organization.


In Closing

As ASIS International begins its journey back along the ESRM path, I am positive this journey is the right one for our profession to take. I also feel it is the right time, and that I and the other members of the Board of Directors are fully engaged and supportive of this initiative for ASIS and its members.

We need to be engaged at a different level within our organizations, looking at enterprise level risks that require a collaborative approach to assess and understand the potential impacts to the organizations in our care. I think we have a chance to start making a real difference in our organizations if we can embrace the ESRM philosophy and approach.


Tim McCreight
About author:
Tim McCreight is the Director of Strategic Alliances for Hitachi Systems Security. Prior to joining Hitachi Systems Security, Tim acquired over 30 years in the security industry with leadership experience in both the physical and information security realms. He held executive positions at a number of organizations, notably as the Chief Information Security Officer (CISO) for the Government of Alberta and as Director, Enterprise Information Security for Suncor Energy Services Inc.

Tim has presented as a keynote speaker at conferences across North America on such diverse topics as enterprise risk management, converged security, and implementing enterprise information security programs. Tim was awarded his Master of Science in Security and Risk Management (with Merit) from the University of Leicester and attained his CISSP, CPP, and CISA security designations.

Tim was interviewed by Canadian Security Magazine in 2011 for his work as CISO with the Government of Alberta, and is a regular columnist for the magazine. Tim is also the international Chair for the Information Technology Security Council with ASIS International.
