CSO/Leadership

 

 

https://adminsm.asisonline.org/Pages/Microsoft’s-Howard-Wins-Don-A.-Walker-Award.aspx
Microsoft’s Howard Wins Don A. Walker Award
Strategic Security
2018-09-25T04:00:00Z
<p>The last letter in the abbreviation GSX stands for "Exchange," but it's often the first thing on Mike Howard's mind. He loves sharing ideas that lead to personal and professional growth in the security industry.</p>
<p>Howard's commitment to professional development was recognized yesterday, as he received the Don Walker Award for Enterprise Security Executive Leadership.</p>
<p>The award recognizes an ASIS member who demonstrates a commitment to security management education, certification, and standards and guidelines at the executive level of the security discipline. Howard was lauded for his contributions to the development of the next generation of security leaders, which is a primary goal of the CSO Center for Leadership and Development.</p>
<p>Howard's vision and leadership style have set the standard for security at Microsoft Corporation, where he has served as chief security officer for the past 16 years.</p>
<p>His team deals with threats of violence against executives and employees, employee violence, kidnapping threats, terrorism, natural disasters, property theft, and intellectual property protection. A few years ago, he oversaw the development of Microsoft's state-of-the-art Global Security Operations Centers in the United States, United Kingdom, and India.</p>
<p>Finding ways to communicate and demonstrate the importance of security—both physical and cyber—to the company's executives is the linchpin of developing a security program that manages to keep such a large and public company running smoothly, Howard says of his Microsoft role.</p>
<p>The Microsoft security team is responsible for 90,000 employees, roughly 90,000 contractors, and 700 facilities in more than 100 countries around the globe.</p>
<p>Those are large numbers, but Howard appreciates each one-on-one, give-and-take opportunity with a colleague or ASIS member. He is renowned by security peers for clear, effective communication. Throughout his time at Microsoft and his prior 22-year term with the CIA, he has worn the simultaneous hats of mentor, coach, and speaker.</p>
<p>At Microsoft, Howard is part of a mentoring network and has been singled out as an ideal leader to help struggling employees succeed. In the same hour, he might speak to executives about advanced cybersecurity hardware and lend a book to a colleague looking for guidance.</p>
<p>While working at a company that never leaves the public eye, Howard seeks to help others envision and develop a stronger security industry. He has supported a variety of ASIS programs (including ASIS Young Professionals and Women in Security), is a past president of the CSO Center, a past president of the International Security Management Association, a member of the OSAC Advisory Council, and a member of the Security Industry Association Board of Directors.</p>
<p>The Walker Award was inspired by Don A. Walker, CPP, chairman, Securitas Security Services USA, Inc.</p>

https://adminsm.asisonline.org/Pages/Microsoft’s-Howard-Wins-Don-A.-Walker-Award.aspx 2018-09-25T04:00:00Z Microsoft’s Howard Wins Don A. Walker Award
https://adminsm.asisonline.org/Pages/Exceptional-Volunteers-Receive-Top-Award.aspx 2018-09-25T04:00:00Z Exceptional Volunteers Receive Top Award
https://adminsm.asisonline.org/Pages/Marquez-Memorial-Honoree-to-be-Recognized.aspx 2018-09-24T04:00:00Z Marquez Memorial Honoree to be Recognized
https://adminsm.asisonline.org/Pages/Artful-Manipulation.aspx 2018-09-01T04:00:00Z Artful Manipulation
https://adminsm.asisonline.org/Pages/Stay.aspx 2018-09-01T04:00:00Z Stay
https://adminsm.asisonline.org/Pages/A-World-of-Risk.aspx 2018-09-01T04:00:00Z A World of Risk
https://adminsm.asisonline.org/Pages/Certification-Profile-Tim-Sutton,-CPP.aspx 2018-09-01T04:00:00Z Certification Profile: Tim Sutton, CPP
https://adminsm.asisonline.org/Pages/Book-Review-Adaptive-Business-Continuity.aspx 2018-09-01T04:00:00Z Book Review: Adaptive Business Continuity
https://adminsm.asisonline.org/Pages/Editor's-Note---Failing-to-Plan.aspx 2018-08-01T04:00:00Z Editor's Note: Failing to Plan
https://adminsm.asisonline.org/Pages/Checking-In-and-Coaching-Up.aspx 2018-07-01T04:00:00Z Performance Conversations: Checking In & Coaching Up
https://adminsm.asisonline.org/Pages/Editor's-Note---In-Sync.aspx 2018-07-01T04:00:00Z Editor's Note: In Sync
https://adminsm.asisonline.org/Pages/Editor's-Note---Dangers.aspx 2018-06-01T04:00:00Z Editor's Note: Dangers
https://adminsm.asisonline.org/Pages/Bully-Bosses-Can-Inflict-More-Damage-with-Negative-References.aspx 2018-05-17T04:00:00Z Bully Bosses Can Inflict More Damage with Negative References
https://adminsm.asisonline.org/Pages/The-Science-of-Organizing-Security.aspx 2018-05-15T04:00:00Z The Science of Organizing Security
https://adminsm.asisonline.org/Pages/How-to-Lead-a-Diverse-Security-Workforce.aspx 2018-05-01T04:00:00Z How to Lead a Diverse Security Workforce
https://adminsm.asisonline.org/Pages/Certification-Profile---Douglas-Beaver,-CPP.aspx 2018-05-01T04:00:00Z Certification Profile: Douglas Beaver, CPP
https://adminsm.asisonline.org/Pages/Editor's-Note---Awareness.aspx 2018-04-01T04:00:00Z Editor's Note: Awareness
https://adminsm.asisonline.org/Pages/Four-Trends-That-Will-Shape-Recruiting-in-2018.aspx 2018-03-22T04:00:00Z Four Trends That Will Shape Recruiting in 2018
https://adminsm.asisonline.org/Pages/Starting-from-the-End---Creating-a-Master-Security-Plan.aspx 2018-03-19T04:00:00Z Starting from the End: Creating a Master Security Plan
https://adminsm.asisonline.org/Pages/Editor's-Note---Timing.aspx 2018-03-01T05:00:00Z Editor's Note: Timing

 You May Also Like...

 

 

https://adminsm.asisonline.org/Pages/Five-Insights-on-ESRM.aspx
Five Insights on ESRM
Strategic Security
<p>There are five overall concepts that provide guidance about the nature of enterprise security risk management (ESRM). These concepts describe what ESRM is, what it can do for security managers, how security can gain C-suite approval for it, and how to implement a vibrant ESRM program for the enterprise.</p>
<h4>ESRM Is a Philosophy</h4>
<p>ESRM is not a standard, nor is it a rigid set of rules to follow. ESRM is a philosophy of managing security. It is based on standard risk management practices, the same ones that guide most of the other business decisions made by the enterprise. It requires partnership with the business leaders in the organization.</p>
<p>This philosophy gives the security leader the ability to manage security risks. This ability is not based on the latest incident or scare in the news, nor is it based simply on the manager’s own ideas of what is most important to protect. Instead, it is based on a shared understanding of what the business deems critical for risk mitigation, and what level of risk the business is willing to accept in different areas. This ability also requires that the business fully understand why the security risk mitigation tactics have been put in place, and what the impact of not having those mitigations might be.</p>
<p>The emphasis here is on business. ESRM philosophy recognizes that security risk does not belong to security. It is a business risk, like any other financial, operational, or regulatory risk, and final decisions on managing that risk must belong to the business leaders. That shift in understanding sets a security program up for a greater level of success because security leaders are delivering only what the business needs, and, more important, what the C-suite understands that it needs.</p>
<h4>ESRM Is a Process</h4>
<p>ESRM is not merely an academic philosophy. A general approach for setting up and running a security program can be derived from it. Under that approach, ESRM in action is a cyclical program, and the cycle of risk management is ongoing:</p>
<p>1. Identify and prioritize the assets of an organization that need to be protected.</p>
<p>2. Identify and prioritize the security threats that the enterprise and its assets face—both existing and emerging—and the risks associated with those threats.</p>
<p>3. Take the necessary, appropriate, and realistic steps to protect and mitigate the most serious security threats and risks.</p>
<p>4. Conduct incident monitoring, incident response, and post-incident review, and apply the lessons learned to advance the program.</p>
<h4>ESRM Aligns with the Business</h4>
<p>Aligning the security program with business requirements is the most critical component of the ESRM philosophy. This means that the security program must receive governance and guidance from the business. We recommend the formation of a security council to ensure this alignment.</p>
<p>There are several ways to implement a council. It could be a loose, informal group that provides input as needed, or it could be a board-level initiative that has formal roles, meetings, charters, and documented responsibilities for ensuring security compliance. The council can be a venue for discussing security topics and risk management strategies, and it can host resolution attempts for conflicts in the process.</p>
<h4>ESRM Covers All Security</h4>
<p>There is no aspect of security that cannot be managed in alignment with the ESRM philosophy. Many security professionals already practice much of the ESRM philosophy without thinking of it that way. For example, performing a physical security risk assessment on a facility is equivalent to the ESRM steps of identifying and prioritizing assets and risk. And setting up a crisis management plan can be considered an aspect of ESRM risk mitigation, as well as incident response.</p>
<p>The critical difference between programs that do these activities as part of a traditional security program versus an ESRM program is the consistency of approach in ESRM. In ESRM, these activities are not performed on an ad hoc basis but consistently across all areas of security risk. They are not applied to one area of the organization and not to another. And, vitally, they are not performed in a vacuum by security and for security, but in full partnership with the business leaders driving the decision-making process for all risk mitigation.</p>
<h4>ESRM Is Possible</h4>
<p>Implementing ESRM cannot be done overnight. It’s an iterative process that allows your security program to evolve over time into a pure risk management approach. For the security manager, the first step to fully understanding the ESRM philosophy is to communicate it to the executives and business leaders in the enterprise.</p>
<p>When implemented thoughtfully and practiced consistently, ESRM can completely change the view of the security function in any organization. The old view of security as “the department of no” will shift when business leaders understand that security is a partner in ensuring that the assets and functions of the enterprise most critical to the business are protected in accordance with exactly how much risk the business is willing to tolerate.</p>
<p><strong><em>Rachelle Loyear</em></strong><em> is ESRM Program Manager for G4S and chair of the ASIS Crime Management and Business Continuity Council. </em><strong><em>Brian J. Allen, Esq., CPP,</em></strong><em> is a member of the ASIS ESRM Commission. Allen and Loyear are coauthors of </em>The Manager's Guide to Enterprise Security Risk Management <em>and the forthcoming book </em>Enterprise Security Risk Management: Concepts and Applications.</p>