Strategic Security: News. Real Threats (2017-11-01)<p>In November 2016, a man armed himself with an assault rifle and drove six hours from North Carolina to Washington, D.C. His goal was to storm Comet Ping Pong, a D.C. pizza restaurant, and rescue children he believed were being held captive and abused by Hillary Clinton. Once inside, the man fired on the restaurant, but no one was hurt. </p><p>The Comet Ping Pong story was one of many deliberately false news stories circulating in 2016. After the story was exposed as a hoax, “a post on Twitter by Representative Steven Smith of the 15th District of Georgia—not a real lawmaker and not a real district—warned that what was fake was the information being peddled by the mainstream media. It was retweeted dozens of times,” according to The New York Times.</p><p>The concept of fake news entered the popular vocabulary during the U.S. presidential election in 2016. While intentionally spreading false news reports for financial, political, or psychological reasons is not a new phenomenon, the practice has expanded significantly in the last year. During the particularly divisive U.S. election, numerous hyper-partisan blogs and websites posted a wide range of rumors, conspiracy theories, and fabrications, which have collectively been labeled fake news. Far from its original meaning—articles that are blatantly untrue—the term fake news has been embraced by all sides of the political divide to denigrate reporting that they feel is biased or incomplete.</p><p>While primarily political in nature, fake news has been used against various organizations and poses a real and increasing threat to private sector organizations of all sizes. 
It is important for security professionals to explore the relationship between fake news and corporate security, and determine how they can begin to address the threats posed by the release of false news and information.</p><h4>Transmission<br></h4><p>There has been an explosion in the creation and distribution of fake news through various online channels, including blogs, websites, discussion forums, and especially social media platforms. According to a 2017 survey, A Real Plague: Fake News, conducted by Weber Shandwick, Powell Tate, and KRC Research, approximately 7 in 10 American adults reported having read a fake news story in 2016. Research conducted by Hunt Allcott and Matthew Gentzkow and published in the spring 2017 edition of The Journal of Economic Perspectives also found that a database of 38 million shares of fake news stories on social media translated to about 760 million instances of clicking on, and reading, fake news stories. </p><p>The subject matter of these stories has run the gamut from political conspiracies to alleged criminal conduct by high-profile individuals to allegations of corporate political bias. A unique aspect of the current situation is that these stories are shared more widely, and more quickly, than ever before due to the ubiquity of social media. According to Allcott and Gentzkow, the list of fake news websites compiled by Stanford University received 159 million visits during the month of the election, while some 41.8 percent of individuals reported that they were exposed to fake news via social media.</p><p>Another important aspect of the current situation is that many of these fake news stories have gained a level of credibility among segments of the population that is surprising considering the sometimes bizarre nature of the claims made. In a study by Ipsos Public Affairs for BuzzFeed, 75 percent of respondents who reported remembering a fake news headline believed it to be accurate. 
In the study by KRC Research, 74 percent of individuals surveyed reported that it is difficult to determine what news is real and what is not.</p><p>The increased acceptance of baseless rumors and extreme conspiracy theories is due in no small part to a widespread decline in trust in media, government, academia, and most other forms of traditional authority. The falling levels of trust in media have been well documented by Gallup, Pew Research, and the Edelman Trust Barometer. This collapse of trust has led to the increased importance of the “people like me” category as a trusted source of news and information, according to Edelman’s 2017 global report. Because of these developments, sources such as Reddit, personal blogs, Facebook accounts, and quasi-official websites have gained credibility, while trust in traditional news media and government sources has declined. The fact that these fake news stories are rebroadcast many times, through cross-links and reposts on social media, further adds to the illusion of credibility. </p><p>If fake news were limited to stories about Area 51 or the JFK assassination, it would represent an interesting sociological case, but with limited relevance to corporate security. However, both the subject matter and the intensity of emotion elicited make fake news a real threat to corporations in terms of potential financial losses, reputational damage, and the physical security of facilities and personnel. This enhanced threat environment will require adaptation by corporate security professionals and the incorporation of new defensive and offensive capabilities to existing corporate security plans.</p><p>The increasingly widespread use of false or misleading information to cause confusion or harm to an individual or organization is not likely to disappear in the near term. The efficiency of this technique has been clearly demonstrated and the tools facilitating it are becoming ever more powerful, accessible, and easy to use. 
It is also difficult to imagine a significant increase in trust in traditional authority figures in the near future. </p><p>For corporations, some of the most serious fake news risks relate to stock manipulation, reputational damage, and the related loss of business—through boycotts for example—and direct threats to staff and property.</p><h4>Stock Manipulation</h4><p>At the macro level, fake news has been used to move entire stock exchanges. This was the case in April 2013 when a tweet that appeared to come from the Associated Press (AP) Twitter account reported that there had been an explosion at the White House and that U.S. President Barack Obama was injured. The Dow Jones Index lost 145 points in two minutes, while the S&P lost $136.5 billion. The news was quickly disproved and the market corrected within minutes, but the potential for large-scale disruption was demonstrated. In this instance, the fake news attack was claimed by the Syrian Electronic Army, according to The Washington Post.</p><p>In October 2009, the Stock Exchange of Thailand (SET) fell 7.2 percent because of an online rumor related to the health of the Thai king. The market made up about half of the loss within the next trading day, and the Thai police made several arrests related to the case later that month, as reported by Reuters.</p><p>Fake news has been used to manipulate the shares of individual companies as well. In May 2015, a fake offer to purchase Avon Products led to a surge in trading and a significant increase in the share price, according to The New York Times. Then in November 2016, a fake offer to acquire Fitbit shares led to a spike in activity, and a temporary halt to the trade in Fitbit stocks as reported by The Financial Times. In 2013, a fake press release was posted claiming the Swedish company Fingerprint Cards AB would be acquired by Samsung. Company shares surged until trading was halted. 
</p><p>In the United States, the Securities and Exchange Commission (SEC) has taken an increasingly aggressive stance in combating this threat to market integrity. It has filed enforcement actions against 27 companies and individuals involved in “alleged stock promotion schemes that left investors with the impression they were reading independent, unbiased analyses on investing websites while writers were being secretly compensated for touting company stocks,” according to an SEC statement.</p><h4>Reputation</h4><p>False stories, rumors, or statements taken out of context have led to both reputational harm and threats to corporate personnel and property. In this type of threat, a corporate statement or action that would be innocuous under normal circumstances takes on increased risk because of hyper-sensitive stakeholders.</p><p>A case in point was New Balance, when Matthew LeBretton, vice president for public affairs, said, “The Obama administration turned a deaf ear to us and frankly, with President-elect Trump, we feel things are going to move in the right direction,” during an interview with The Wall Street Journal. The statement related specifically to President Trump’s plan to withdraw from the Trans-Pacific Partnership (TPP), but was widely misinterpreted. This caused a twofold issue for New Balance. First, anti-Trump individuals saw the statement as an endorsement of the candidate and everything he was purported to believe. This in turn led to calls for a boycott, and many social media posts depicting the destruction of New Balance products as reported by CNBC. 
A few days later the same statement led Andrew Anglin, a blogger associated with the white supremacist movement, to write on his popular Daily Stormer blog that New Balance shoes were the “Official Shoes of White People.” New Balance was blindsided by the intensity of reactions to a single statement related to a proposed international trade agreement and was forced into reactive positions throughout the crisis.</p><p>Another executive statement that was taken out of context and twisted to fit a partisan narrative was made by Indra Nooyi, CEO of PepsiCo, in her interview with Andrew Sorkin of The New York Times on November 9, 2016. Her statement included congratulations to President-elect Trump on his victory, while also indicating that some of her employees expressed concerns about their safety as a result of the election. Numerous fake media outlets exaggerated the statement by claiming that she and her employees were “terrified” of Donald Trump and his supporters. This led to a firestorm of social media protests against Pepsi, including calls for a boycott and threats against the company.</p><h4>Direct Threats</h4><p>As noted above, one of the most serious cases of threats to an organization based on fake news involved the reports of child abuse allegedly masterminded by Hillary Clinton and carried out at a D.C. pizza parlor. While the story was repeatedly debunked, it nevertheless continued to circulate and was supported by Michael Flynn, Jr., son of then National Security Director General Michael Flynn, according to The Washington Post. The shooter was arrested immediately after leaving the pizzeria, where he found no evidence of any abuse. He later pled guilty to the interstate transportation of ammunition and a firearm, a federal charge, in addition to a D.C. 
charge of assault with a dangerous weapon, according to The Hill.</p><p>This case indicates that even the most ridiculous story, if repeated often enough, will find an audience that believes it, and possibly someone who is willing to take action based on its claims. It is possible that a less extreme story focusing on a corporate executive or brand would lead to similar examples of direct action.</p><h4>Countermeasures</h4><p>Countering fake news is difficult when the target audience finds it easy to discount facts and the usual sources of information are distrusted. However, there are a number of actions that corporate security teams can take to mitigate the risks posed by this new threat.</p><p><strong>Risk assessment. </strong>As with any threat to corporate security, the place to start is with a detailed risk assessment. The corporate security team needs to look at both internal and external factors to determine both the level of risk, as well as the most likely points of attack. Internal factors include employee demographics, employee morale, and computer use policies. The external factors include the competitive environment, the current perception of the organization and its management, the level of openness and transparency, and the nature of current conversations about the organization. With this information, corporate security will be in a much stronger position to establish policies and procedures to mitigate the risks from fake news attacks.</p><p>A white paper by Accenture focusing on social media compliance and risk in the international financial industry highlights the importance of identifying areas where an institution has vulnerabilities and incorporating the findings into its risk mitigation plans. 
A survey of executives cited in the white paper, A Comprehensive Approach to Managing Social Media Risk and Compliance, found that 59 percent of respondents reported having no social media risk assessments in place, while only 36 percent reported being offered any training on social media risk mitigation.</p><p><strong>Monitoring. </strong>To have any hope of effectively countering fake news, the corporate security team needs to have as close to real-time visibility of its appearance as possible. This points to the requirement for a comprehensive monitoring program that builds on any existing media or social media monitoring capability the organization already possesses.</p><p>It is important that this monitoring program specifically focus on channels that are outside the organization’s norm. These channels may be antithetical to the values of the organization, targeted to a demographic that is generally not associated with the company, or linked to apparently phony information sources. It is also important to look specifically for negative references to the organization.</p><p>After experiencing a number of negative stories driven by news and social media, Dell Computer adopted an “everyone is listening” approach to social media monitoring. A Framework for Social Analytics by Susan Etlinger of the Altimeter Group discusses Dell’s hybrid model for media monitoring, which gives a large number of its 100,000 plus workforce some responsibility for monitoring social media channels related to their lines of business. The company also has a Social Media Listening Command Center, which employs sophisticated social media monitoring software to complement its traditional media monitoring program.  </p><p>A company’s monitoring system should also include an analysis component that helps vet the material, determining how it should be classified and its importance from a risk management perspective. 
This component would then ensure that any important material is routed to the key decision makers for immediate action.</p><p>Finance, investment, and hedge fund companies have been taking a lead in the area of monitoring and identifying fake news stories. The growth of organizations that can deploy multiple content generators focusing on specific companies poses a significant risk to stock market investors. According to reporting in Forbes, companies are also seeking to develop algorithms that can sort through large quantities of content and identify malicious fake news campaigns. One such company that has been widely cited in this regard is Houston-based Indexer LLC.</p><h4>Response Plans</h4><p>Based on the results of the risk audit, the most likely fake news scenarios should be identified and used to create detailed response protocols that can be activated in the event of an actual fake news situation. At a minimum, these plans should include contact information for all crisis team members, checklists for key actions, prepared statement templates to be used with internal and external stakeholders, and escalation metrics in the event that the fake news situation is not immediately contained.</p><p>The importance of incorporating the social media environment into a robust crisis response system is shown in the Nuclear Energy Institute’s Implementing and Operating a Joint Information System planning document. The plan covers the importance of preassignment of roles and responsibilities, training and readiness exercises, and media monitoring and engagement. The last item includes specific information on the importance of ensuring that information on social media regarding nuclear facilities and incidents is accurate, and that rumors and falsehoods are flagged and corrected.</p><h4>Training</h4><p>The weaponization of news represents an evolving threat for many organizations and is not often included in corporate crisis management plans or training programs. 
As examples of fake news incidents increase, corporate security professionals should build this new threat into security training that is offered in conjunction with the corporate communications and human resources functions. Members of the senior leadership team should also be involved in any fake news response training.</p><p>Countering fake news requires fast decision making and decisive action on the part of the organization. To be able to execute effectively, the relevant personnel should be exposed to these scenarios in a simulated environment.</p><p>The communications function at DePaul University in Chicago recognized the importance of building a mix of true and false information on social media into its crisis response training program. The result was a multi-party simulation exercise involving real-time interactions with traditional media, Twitter, and Facebook, as well as direct stakeholder communications. One of the key challenges in this type of training is sorting through incoming information quickly while still ensuring that key facts are not overlooked.</p><h4>Cross-Functional Teams</h4><p>By its nature, the threat posed by fake news needs to be met by a comprehensive organizational response. This implies a cross-functional approach to fake news management. While corporate security may take point, the expertise and resources available to the corporate communications, human resources, and legal teams will prove critical.</p><p>An executive from an international bank reported to Accenture that it was important for all key functions to participate in risk management planning, especially when it concerns social media. 
“However, it is always important to have a representative from risk sitting at the table—someone from compliance, someone from legal, and so forth, to provide guidance to the business and make sure what the company is doing is sound,” notes the Accenture white paper.</p><p>Because fake news is still a type of news, the communication and media relations skills of the corporate communication function will be needed to analyze the content and develop and distribute counter messages to all fake news reports. This function may also be the appropriate host for the monitoring program because it is a logical extension to standard corporate media monitoring activities. </p><p>Employees are a critical audience for fake news and an important distribution channel for counter messaging. This being the case, the human resources department needs to be involved in the creation and execution of corporate security strategy with regards to fake news. </p><p>To ensure that the organization’s rights are fully protected, and that it does not itself cross the line in terms of libel, the corporate legal team should be involved in the fake news strategy, and have a role in vetting counter messages.</p><h4>Communications</h4><p>Because of the potentially serious morale and operational ramifications fake news can have on an organization, it is vital that employees are provided with clear and accurate facts and counter messages as quickly as possible.</p><p>Beyond reacting to a fake news incident, the organization should seek to inoculate its staff against its effects by undertaking a comprehensive internal communications and employee engagement program. This can be incorporated into the concept of encouraging employees to be brand ambassadors.</p><p>Organizations that are most vulnerable to fake news are those about which little is known. 
Without a base of preexisting knowledge, stakeholders who are exposed to fake news cannot immediately discount it, which is where the seeds of doubt take root. It is thus important that the organization be as transparent as possible, which includes regular proactive external communications. Corporate actions and policies should be communicated, explained, and contextualized to establish the reality of the situation before a fake news story can present a false narrative. </p><p>It is especially important to get in front of any bad news stories and ensure that the organization is seen as working to resolve the issue, rather than hiding it. The idea of a first mover advantage with releasing properly contextualized negative information is a central tenet of contemporary public relations practice, and it can help thwart attempts to create a scandal by fake news outlets. </p><h4>Trust</h4><p>While a full discussion of trust-based relationships is beyond the scope of this article, it should be noted that the establishment of trust with key stakeholders is one of the best defenses against fake news attacks. Creating trust goes beyond simply telling the truth. It involves a range of factors including organizational reliability, competence, and benevolence, along with honesty and transparency. Because trust building involves all aspects of organizational behavior, it must be seen as a strategic initiative and be driven by senior management. Trust’s relationship to fake news defense is likely to be a collateral benefit rather than a primary driver of the initiative. </p><p>The use of intentionally false or misleading information distributed through online and social media channels to disrupt or harm organizations is likely to increase dramatically in the years ahead. 
These actions are increasingly easy and cheap to execute, and take advantage of current weaknesses in organizational capabilities and the fact that societal trust in most traditional authority figures is at a historically low level. It is thus imperative that responsible corporate security professionals develop the internal capabilities and protocols to deal with this new threat environment before they are faced with a fake news attack. The good news is that most of the necessary resources already exist to some degree within the organizational structure and only need to be oriented around the fake news threat. This will include proactive measures such as audits, monitoring, training, and proactive communications, as well as moving quickly to react to the emergence of damaging fake news to contain it and neutralize its ability to damage the organization. </p><p>In today’s hyperconnected global information environment no organization is safe from a fake news attack. We have had ample warnings that the threat is real and is likely to get worse. There is no time to waste in hardening the organization against this new type of assault. </p><p><em>Jeremy E. Plotnick, Ph.D., is founder of CriCom LLC. He has worked in international communications consulting, public affairs, and public relations for more than 20 years.</em><br></p>

Review: The Manager's Guide to Enterprise Security Risk Management: Essentials of Risk-Based Security. <p><em>Rothstein Publishing; ebook; $14.49.</em></p><p>The security landscape is evolving at an enormous speed. Volatility, uncertainty, complexity, and ambiguity are the new normal. So, how do you address security challenges in such an environment? The answer is through enterprise security risk management (ESRM), an integrated risk-based approach to managing security risks. It brings together cyber, information, physical security, asset management, and business continuity. ASIS has made ESRM a global strategic priority.</p><p>In the <em>Manager's Guide to Enterprise Security Risk Management,</em> authors Allen and Loyear provide a comprehensive overview of the principles and applications underlying the ESRM philosophy. They set the stage in the first part of the book with an introduction to ESRM and share some important insights on the differences between traditional security and the ESRM approach, illustrating their points with examples.</p><p>The second part of the book guides the reader through the implementation of an ESRM program. One excellent chapter promotes design thinking as a conceptual model for ESRM. A design thinking approach can provide a unique platform for innovation and overcoming new security challenges.</p><p>Finally, the book provides insights and strategies to ensure the success of the ESRM program. 
It explains what an executive needs to know about ESRM, and gives readers the tools to succeed.</p><p>In sum, this guide accomplishes exactly what it set out to do—provide security leaders and managers with the principles and applications to explore, design, implement, and secure the success of an ESRM program.</p><p>Note: The authors of this book recently published a more detailed look at ESRM in <em>Enterprise Security Risk Management: Concepts and Applications</em>, also published by Rothstein.</p><p><em>Reviewer: Rachid Kerkab has almost two decades of experience in criminology, security strategy, risk, and resilience. He is a member of ASIS.</em></p>Strategic Security: is More: A KISS Approach to ESRM<p dir="ltr" style="text-align:left;">Enterprise security risk management (ESRM) has been a topic of increasing interest for security managers over the past few years, and ASIS International has identified it as a strategic focus. But a review of the literature, beginning with the <a href="">2010 CSO Roundtable paper on ESRM</a>, raises two issues that could make implementation difficult.</p><p dir="ltr" style="text-align:left;">First, the initial papers on ESRM appeared to encourage security to fill the gap left by traditional enterprise risk management (ERM) systems, which often focused on financial and market risk exclusively. Although an effective ERM system should incorporate all risks, having security fill these gaps via the ESRM system would quickly overwhelm the chief security officer (CSO). Appealing though it might be to have "Head of Risk Management" appended to one's job title, "I'm not busy" is NOT a common refrain among security managers. 
In many organizations, managing the risks across all security functions—that is, physical, cyber, and information—is already an enormous task, so operational and reputational risk should remain elsewhere. </p><p dir="ltr" style="text-align:left;">The idea that all responsibility for risk should fall to security seems to have tapered off somewhat since the first few papers on ESRM, but security managers will still be better served if they ensure that ESRM focuses on the "S" in the title, security.</p><p dir="ltr" style="text-align:left;">Second, there is often a tendency towards complexity and granularity in ESRM systems where simplicity is more appropriate. Risk management is an area where it is easy to quickly become bogged down in detail, and the drive for more and better data can stymie the process. If we consider the ISO definition of risk as "the effect of uncertainty on objectives" (<a href="">ISO 73</a>), trying to become more and more specific overlooks the baked-in nature of uncertainty. </p><p dir="ltr" style="text-align:left;">Moreover, when quality data is not available, as is often the case with security issues, trying to analyze risk at a more and more granular level can produce a less-accurate assessment. Granularity and massive amounts of information can be used in Big Data systems, but most organizations don't produce enough security-specific data for that kind of analysis. Even with large amounts of data this can still go wrong. As an example, tinkering at the micro level while assessing the risks in the U.S. mortgage bond markets back in 2008 gave the impression that things were fine, even though all the warning signs were visible (but largely ignored) at the macro level. </p><p dir="ltr" style="text-align:left;"><strong>Moving to ESRM with a KISS Approach</strong></p><p dir="ltr" style="text-align:left;">Although more complicated than a purely security-centric approach, a risk-led approach is an effective way to approach security. 
This directly links security activities to the organization's overall objectives and goals, integrating security risk with the organization's overall ERM system. This approach also helps bridge the gap with contingency planning, business continuity management, and crisis management, and it significantly improves response and post-event recovery. Moreover, ESRM helps the elements within the security function coordinate more effectively. </p><p dir="ltr" style="text-align:left;">Finally, a robust and effective risk management system also removes a great deal of subjectivity from planning and decision making, which enhances organizational efficiency. In many ways, risk is the common language of business and the sooner we all share that language, the more effective we will be. Investing time and effort into the ESRM system and moving towards a risk-led approach does pay off in the long run.</p><p dir="ltr" style="text-align:left;">So there are real benefits in implementing an ESRM system but these two issues—pushing security to take on a wider risk management role and a tendency towards complexity—could make implementation seem an impossible task and one that many CSOs would find daunting, deterring them from taking this course. However, an ESRM system does not have to be overly complex, nor something that disrupts day-to-day operations. In fact, for most security managers, a KISS approach—keep it simple, security folks—is the best way to tackle ESRM. This does not suggest that there aren't challenges in implementing an ESRM system or that additional work and change won't be necessary. 
But a KISS approach facilitates implementation and makes the ESRM system much more effective.</p><p dir="ltr" style="text-align:left;">But how can we do this and keep things simple?</p><p dir="ltr" style="text-align:left;">Four basic principles can assist with the implementation of a simple yet effective ESRM program: use a standard approach, start speaking risk, become objectives-led, and accept uncertainty. </p><p dir="ltr" style="text-align:left;"><strong>Use a standard approach to risk management, not one that is security-specific.</strong></p><p dir="ltr" style="text-align:left;">Each business or function will want a solution that is tailored to its needs, but this causes inefficiency when working in a cross-functional environment. Imagine for one second what would happen if every department used its own accounting processes: mayhem, and probably lawsuits, would ensue. This problem could even arise within the security function itself if cybersecurity tried to use one approach to risk management, and asset protection used a different one. </p><p dir="ltr" style="text-align:left;">A robust, comprehensive risk management system will allow room for adjustment at the functional level while still applying a standard approach that can be used across the entire organization. So, rather than finding a security-specific definition for risk, or processes tailored to the department, start with a basic approach to risk management. Ideally, this would mean adopting your organization's existing system and processes that you can adapt to fit the needs of the security team. 
In some instances, you might need to start from scratch—in that case I would recommend <a href="" target="_blank">going back to basic, first principles</a> which can then be scaled up to integrate with a future ERM system.</p><p dir="ltr" style="text-align:left;"><strong>Learn to speak risk.</strong></p><p dir="ltr" style="text-align:left;"><a href="" target="_blank">Risk provides organizations with a common language and mindset</a> that can be applied across departments and functions to help with discussions and decision making. Even within the security function itself, having cyber, information, and physical security teams use a common language will make life easier for the CSO. "Speaking risk" can be more complicated than it might first appear, because terms can be applied differently and <a href="" target="_blank">there are some complex influences that affect how we perceive risks.</a> At first, there will be a need for regular clarification on how terms are being used until the correct usage becomes commonplace. Adapting existing materials to suit the new lexicon will also take time, but the ERM system should define the key terms and concepts and these should be adopted as early in the ESRM process as possible. </p><p dir="ltr" style="text-align:left;"><strong>Become objectives-led, rather than assets-focused. </strong></p><p dir="ltr" style="text-align:left;">Using a risk vocabulary doesn't just help with discussions: it also helps change mind-sets and perspectives. If something akin to the ISO definition—that risk is "the effect of uncertainty on objectives"—is used, the focus on objectives should become second nature, which has multiple benefits:</p><ul><li>It allows individuals and teams to practice what the U.S. 
military calls disciplined initiative: leaders at all levels understand the commander's (in this case the organization's) overall intent and can shape their activities to support that without step-by-step direction.<br><br></li><li>Being objectives-led moves from a reactive to a proactive mindset. Instead of thinking, "<em>x</em> has happened, so we need to do <em>y</em>," organizations can consider "what effect could <em>x</em> have on our objectives?" and act accordingly.<br><br></li><li>Security can better support the organization when mitigation measures and contingency plans are developed with the organization's top-level objective in mind. This is best summed up by something an embassy regional security officer said while discussing security in a higher-risk country: "The best way to keep everyone safe here is to keep them inside [the embassy] but that's not my job. My job is to help them get out there and do their jobs as safely as possible."<br><br></li></ul><p>Becoming objectives-led is not only applicable in day-to-day "peacetime." It is extremely important during the response to an event where a proactive, objectives-led stance will significantly improve the organization's chance of survival.</p><p><strong>Accept uncertainty and avoid over-specification.</strong></p><p>We are awash with data, email alerts, and warnings that swamp us with information. That can quickly lead to analysis paralysis: if we are presented with every possible permutation, possibility, and outcome for a situation, how can we effectively decide what to do next? From an ESRM perspective, avoiding this paralysis requires two things. </p><p>First, the system should accept uncertainty and avoid trying to become too specific. Ultimately risk management is a decision-making tool that helps put risks into a comparative order, but it doesn't measure risk per se. 
Trying to measure risk to one or two decimal places is extremely difficult in all but the most well-documented, highly regular, technical systems. If you think about it, an asset assessment that gives you a loss expressed down to single dollars should be taking pocket change into account. However, day-to-day security management has neither that kind of stability nor the data, and there are simply too many variables for that kind of accuracy. The ESRM system should work in broader strokes than the CSO might initially be comfortable with, but that will help remove some of the uncertainty and simplify the assessment and reporting process while still producing useable results.</p><p>Second, information overload is not just something we can experience, it is also something to which we can contribute. Security should therefore avoid swamping the overall ERM system with too much data. Too much information from each department will overwhelm the ERM system and cause paralysis at the organizational level. The risk management system should specify where a departmental risk is severe enough to become an organizational risk and needs elevating, and this should be mirrored in the ESRM system. Again, using broad strokes will also help get the point across as to which risks are a priority without having to overwhelm the senior leadership with every possible security concern.</p><p>In both cases, technology can make things more efficient, but if care isn't taken when designing a technical solution, managing the risk management system can become a major task in its own right.  As mentioned earlier, security managers are not looking for more work to fill their time, so whatever systems are used must be robust, simple, and effective. Even with IT, KISS is still important.</p><p><strong>Summary</strong></p><p>ESRM is a welcome initiative that will embed security management more thoroughly into organizations, add much-needed objectivity to decision making, and improve resilience. 
However, a tendency towards making ESRM too specialized, or trying to have the CSO lead too much of the overall risk activity, will likely be counterproductive. Taking a KISS approach, by contrast, will help achieve the overall aim of integrating security into the broader ERM framework while also avoiding these pitfalls. Even within the security function itself, a risk-led approach will provide much-needed coordination between security functions because it gives CSOs and their teams a common language. Although a highly complex, granular system may seem attractive, taking a KISS approach is going to be more straightforward to implement when CSOs and their teams are already working close to capacity. Once the basic ESRM system is in place, the tinkering can begin.</p><p>Whatever specific approach is taken, adhering to the four principles outlined above—use a standard approach, start speaking risk, become objectives-led, and accept uncertainty—<a href="" target="_blank">will help implement an ESRM system</a> that allows the organization to better understand security risks, integrate these into the wider ERM program, and ensure that the security team takes a risk-led approach. </p><p><em>Andrew Sheves has been a risk, crisis and security consultant for more than 15 years following several years in the military. Both careers have given him the opportunity to find out the hard way that a KISS approach is usually better. He runs the risk consulting firm Tarjuman LLC and operates the </em><a href="" target="_blank"><em>Riskademy</em></a><em> online training school which contains additional information on many of the concepts and ideas outlined above and offers a free introductory course on risk management. 
He is a member of ASIS.</em></p><h4>Risk Across the Enterprise</h4><div>Identifying and mitigating risks across an organization is the purview of enterprise risk management (ERM), which may entail everything from avoiding litigation to assessing credit risk. A subset of ERM is enterprise security risk management (ESRM). It encompasses the more traditional security risks, such as asset protection, as well as broader security issues, such as safety, IT security, and brand integrity. The goal of both ERM and ESRM is to transcend traditional management silos to improve risk assessment and reduction. Security professionals who know how to facilitate ESRM and fit it within the broader ERM landscape will have a permanent seat at the C-suite table.</div><div> </div><div><strong>Risk Models</strong></div><div> </div><div>Security systems and services giant Diebold, Inc., established an ESRM model three years ago with the help of an outside consultant. In the company’s model, a committee of vice presidents from each of the functional areas participates in the initial review of broad security-related risks that the company could face globally. After the initial review, a subset of risks is addressed by affected groups whose members look at risk projections as well as mitigation efforts, says Scott Angelo, Diebold vice president and chief security officer. Results are reported through the senior vice presidents to the president and CEO.</div><div> </div><div>In addition, the company established a formal Governance Risk and Compliance Oversight Board (GRCOB) to address risk related to industry regulations with which the company must comply. GRCOB members represent the lines of business that deal directly with Diebold’s customers: security and professional services, manufacturing, global software development, security operations, and sales. 
Other groups—such as human resources, legal, and internal audit—are brought in as needed.</div><div> </div><div>The GRCOB reports to the audit committee and provides strategic planning, direction, and oversight to help subsidiaries or affiliates address risk management and compliance in a timely manner. The responsibilities, accountability, and charter of the GRCOB were set by Diebold’s board of directors.</div><div> </div><div>Diebold’s approach is just one example of ESRM.</div><div> </div><div>Greg Acton, CPP, director of global safety and security at mobile products company Palm, Inc., uses a different approach. He looks for root causes of the risks he wishes to mitigate by asking “the five Ws,” and he then models processes around the answers to those questions.</div><div> </div><div>The models for what constitutes enterprise security risk management are exceptionally diverse. “Every model will be specific to your company,” says Dan Hooton, CPP, group security advisor, operations at Prudential PLC, an international financial services company headquartered in London. He emphasizes that the model needs “constant review to make sure it is relevant.”</div><div> </div><div>There are some commonalities across models, however, such as the identification of critical processes, alignment of security objectives to the business, and a risk mitigation phase. The emphasis is on making sure that all the business organizations can demonstrate that their operational risks are being identified, prioritized, remediated, and responded to consistent with their significance and value to that business, says William C. Boni Jr., security director at communications conglomerate Motorola, Inc.</div><div> </div><div>Leadership buy-in is also a factor. At most organizations, the board of directors is involved at least in periodic reviews of the risk model, its assessment, or the identification of specific risks to the organization. 
Often, that communication is a two-way street, with the board giving feedback on risk decisions. If the board does not become involved, the C-suite certainly does.</div><div> </div><div>The level of interest within the organization can depend on the risk. “At the ERM macro level, you are talking about risks in the hundreds of millions of dollars,” says Boni.</div><div> </div><div>According to Boni, Motorola established its ERM program seven years ago under the aegis of a new audit director. Boni, then the information security officer, was involved in the program from its inception along with other operational risk subject matter experts from such groups as human resources, finance, business leadership, technology, and engineering.</div><div>The risk management director, who reported to Boni, was assigned to set up the overall ERM protocols, including communication strategies and assessment tools for the global company. Outside consultants helped initially, but the templates, spreadsheets, and databases were designed specifically for Motorola.  </div><div> </div><div>Boni demonstrates ROI for specific recovery efforts by first establishing a baseline for typical industry expectations worldwide. By comparing Motorola’s controls with the baseline, Boni can demonstrate very specific reductions in revenue-at-risk and recovery values.</div><div> </div><div>When Bob Hulshouser, CPP, was hired five years ago to be manager of corporate security services for the Las Vegas Valley Water District (LVVWD), his title did not reflect an enterprise risk management function. However, the utility’s management looked at his security job as a “synergistic arrangement where I would reach out to all functions in the company,” he says. He served as a catalyst to bring the security culture to the other levels and involve security with their processes. 
“They didn’t call it ERM,” he adds, but “ERM is integrated with everything we do.”</div><div> </div><div>Hulshouser advocates learning different risk approaches by talking to other executives throughout the company. “You can’t protect the enterprise unless you know what their unique concerns are and how your organization blends with theirs.”</div><div> </div><div>Collaboration is key, agrees Evan Wolff, director of homeland security practice at Hunton & Williams, an international law firm that consults on risk issues. That means understanding everyone’s individual objectives based on their responsibilities and knowledge of the risks inherent in their processes, he says, adding “And that’s where the enterprise security risk management model will shine.”<br><div><strong>Managing Risk</strong></div><div> </div><div>Of course, no enterprise can operate without some risk. “If there was no risk, there would be no revenue,” says Tim Weir, director of global asset protection at Accenture, the management consulting and technical services company.</div><div> </div><div>“The whole idea of doing business is based on the idea of taking risk,” agrees Petri Lillqvist, director of risk management for Digita Oy, a radio and television distributor headquartered in Helsinki, Finland.</div><div> </div><div>When developing an enterprise risk management process for Digita, Lillqvist started with basic questions, such as what does “manage” mean?</div><div> </div><div>“Managing risks does not mean eliminating them,” he says. Rather, risks must be brought down to a level that will not be fatal to the enterprise.</div><div> </div><div>The goal, explains Weir, is to “make calculated decisions daily to help manage risk to people, reputation, information, and property—in that order.”</div><div> </div><div><strong>Assessing Risk </strong></div><div> </div><div>Before an enterprise can manage its risk, it must identify potential risks and assess how risk will affect the company. 
A variety of formal and informal methods can be used to accomplish these tasks.</div><div> </div><div>A key factor is to be selective. “If you just start thinking of all the possible risks that might harm your company, you’ll end up with a very long list that includes everything from petty thefts to an asteroid hitting your company headquarters,” Lillqvist says. “It’s about risk management, not list management,” he quips.</div><div> </div><div>The company’s business objectives must serve as a starting point, Lillqvist says.</div><div> </div><div>Seeking out the owner of the identified risk is another helpful tactic. At Digita, the risk owner can be a vice president or other staff member, depending on the risk. That person is responsible for assessing the need for controls, planning the actions, then implementing, reassessing, and reporting on the actions in concert with the company’s risk management process and policy.</div><div> </div><div>Hulshouser and his team use brainstorming to determine probabilities, “the ‘what ifs’ that keep you up at night,” he says. The economic situation and the potential for thefts are top priorities. He scans information from government and professional organizations to stay on top of communitywide crime as well as terrorism trends and natural disaster indicators.</div><div> </div><div>Weir uses visuals to help clarify the risk picture. “We use a wheel that expresses the circle of the risk life cycle,” he says. The circle starts with the identification of a specific risk, then moves through the ways to eliminate, transfer, mitigate, insure, and evaluate that risk over time.</div><div> </div><div>Dick Parry, CPP, executive director of global security at Novartis Institutes of Biomedical Research, has adopted a different type of visual at the pharmaceutical research organization. 
He uses heat maps, a graphical representation of data that measures gaps and shows through color variations where risks are controlled.</div><div> </div><div>To collect the data, says Parry, various disciplines within Novartis identify their risks, which are consolidated into a larger risk portfolio and then addressed at each business unit.</div><div> </div><div>The process also includes what Parry calls a “loosely modeled risk council.” Meetings to discuss enterprise risk management are scheduled regularly, but the group also works on an ad hoc basis to address risks as they appear.</div><div> </div><div>Sometimes it’s clear what the major concerns are. At Palm, for example, it is the “huge band of bloggers and fans who want to be the first in the market to give consumers the most updated information on potential purchases,” explains Acton. That puts proprietary information at extreme risk.</div><div> </div><div>To address that risk, Acton and his team began shoring up internal processes. “We share less information with fewer people and share it later in the product life cycle,” he says.</div><div> </div><div>The plan passed its first big test during a recent new product release. For the first time, no leaks or disclosures occurred.</div><div> </div><div>Any enterprise risk management plan must recognize that risks evolve, and companies must be prepared to adjust. While the enterprise security council at transportation leader Schneider National tries to anticipate risks three years ahead, “the reality is that we are working in the one-year realm,” says Walt Fountain, CPP, director of enterprise security. “Things are changing faster than we ever expected.”</div><div> </div><div><strong>Barriers</strong></div><div> </div><div>The scarcity of money and time is a perennial impediment to a more effective risk management process. 
Difficult economic times exacerbate the problem, because cost cutting often results in less than optimum combinations of internal controls, increasing risk. Moreover, security itself is asked to do more with less. But ESRM managers cannot let these barriers stymie their efforts.</div><div> </div><div>“It’s still security’s responsibility to do the best to manage global risk regardless of what resources are available at a given time,” says Boni.</div><div> </div><div>To achieve those objectives, he adds, security leaders must deliver the right information to the appropriate level of management so that executives can prioritize and make appropriate choices.</div><div> </div><div>Angelo at Diebold agrees, noting that in the coming year, the “biggest value the GRCOB will provide is the appropriate prioritization of resources to address risk.”</div><div> </div><div>Fountain has a similar viewpoint. “It’s not that people are saying ‘Let’s not do any security because we cannot afford it,’” he says. Rather, his council has been required to do more upfront planning, gather more data, and justify return on investment (ROI) before moving forward. In anticipation of those questions, he and his team come well prepared to planning sessions.</div><div> </div><div>But money isn’t the only issue. Another barrier to implementing ESRM can be perceptions about what it means to disclose risk on the part of front-line personnel and middle managers. “People have to get past the point where disclosing risks makes them feel that they are not doing their jobs,” says Parry. He advocates establishing a “no-fault scenario” so that employees won’t hide details the company needs to know.</div><div> </div><div>Culture can also be a roadblock. 
Enterprise risk management is “an evolving concept” at Caterpillar, says Tim Williams, CPP, director of global security at the global manufacturer of construction equipment and engines.</div><div> </div><div>Since Williams joined the company two years ago, the security program has expanded into the global arena with regional directors in Asia, Latin America, Europe, and the Middle East. Williams also began developing risk-based programs for the company’s global manufacturing and distribution centers.</div><div> </div><div>While the company does not have a formal risk management department, Williams serves on a compliance committee and is in the process of forming an enterprise security council.<br><p><strong>Success Factors</strong></p><div>To overcome any perceived or real impediments to an effective security risk management process, those interviewed rely on their management skills rather than their security knowledge. Qualities such as flexibility, diplomacy, and persistence as well as the ability to conceptualize, delegate, build relationships, and deal with ambiguity are essential to an enterprise security risk management leader.</div><div> </div><div>Security professionals credit courses on leadership, training on enterprise risk management, and advanced degrees in business as indispensable when polishing executive skills. Developing a thorough understanding of the enterprise’s business objectives and participating in its strategic plans are also essential.</div><div> </div><div>Reaching out to coworkers is important as well. 
John Petruzzi, CPP, managing director of ERM at Andrews International, a firm that specializes in security and risk mitigation, advocates “simple networking 101.” That includes having lunch with counterparts and conversations with senior leaders.</div><div> </div><div>“While they might not be able to tell you how your job will change in five years, they probably can tell you how theirs will,” he says.</div><div> </div><div>Communicating effectively is high on everyone’s list of essential business skills. To Weir, communication means “having two ears and one mouth…being a better listener than talker.”</div><div> </div><div>Making conversations relevant to the audience and speaking confidently in nontechnical terms are other components of effective communication. Petruzzi says that security professionals should know at least five processes that they are measuring monthly and “be able to articulate them in the two-minute elevator talk.”</div><div> </div><div>Boni notes that “people will be a lot more supportive if they understand how your plan is going to benefit them directly.” And that support is the key to accomplishing the ESRM mission.</div><div> </div><hr /><div><strong>Mary Alice Davidson heads a publishing consultancy in Spartanburg, South Carolina. 
She is the former publisher and editor-in-chief of <em>Security Management</em>.</strong></div><div> </div><div><span style="color:#800000;"><strong>@</strong> </span>Some graphics illustrating aspects of ESRM models used by those interviewed for this article are attached below.<br><br><ul><li><a href="/ASIS%20SM%20Documents/Process%20Maturity%20in%20Determination%20of%20Risk.ppt">Process Maturity in Determination of Risk.ppt</a></li><li><a href="/ASIS%20SM%20Documents/Risk%20Circle%20Accenture.ppt">Risk Circle Accenture.ppt</a></li><li><a href="/ASIS%20SM%20Documents/Project%20Road%20Map%20Thales.ppt">Project Road Map Thales.ppt</a></li><li><a href="/ASIS%20SM%20Documents/Risk%20Map%20Thales.ppt">Risk Map Thales.ppt</a></li></ul><p><br></p></div></div></div>