Crawford Professional Services


Security Consultative Service

  

  



CPS-Security consultative service will evaluate methods to improve or develop your current or proposed security program(s) on a continuous basis through auditing, security risk assessments, and SWOT analysis in the following domains and sub-parts.


  

  

Security Principles and Practices

· Plan, develop, implement, and manage the organization’s security program to protect the organization’s assets.

· Develop, manage, or conduct the security risk assessment process.

· Evaluate methods to improve the security program on a continuous basis through the use of auditing, review, and assessment.

· Develop and manage external relations programs with public sector law enforcement or other external organizations to achieve security objectives.

· Develop, implement, and manage employee security awareness programs to achieve organizational goals and objectives.


Business Principles and Practices

· Develop and manage budgets and financial controls to achieve fiscal responsibility.

· Develop, implement, and manage policies, procedures, plans, and directives to achieve organizational objectives.

· Develop procedures/techniques to measure and improve organizational productivity.

· Develop, implement, and manage security staffing processes and personnel development programs in order to achieve organizational objectives.

· Monitor and ensure a sound, ethical climate in accordance with regulatory requirements and the organization’s directives and standards to support and promote proper business practices.

· Provide advice and assistance to management and others in developing performance requirements and contractual terms for security vendors/suppliers.


Investigations

· Identify, develop, implement, and manage investigative functions.

· Manage or conduct the collection and preservation of evidence to support investigation actions.

· Manage or conduct surveillance processes.

· Manage and conduct investigations requiring specialized tools, techniques, and resources.

· Manage or conduct investigative interviews.

· Provide coordination, assistance, and evidence such as documentation and testimony to support legal counsel in actual or potential criminal and/or civil proceedings.


Personnel Security

· Develop, implement, and manage background investigations for hiring, promotion, or retention of individuals.

· Develop, implement, manage, and evaluate policies, procedures, programs and methods to protect individuals in the workplace against human threats (e.g., harassment, violence).

· Develop, implement, and manage executive protection programs.


Physical Security

· Conduct facility surveys to determine the current status of physical security.

· Select, implement, and manage physical security strategies to mitigate security risks.

· Assess the effectiveness of the security measures by testing and monitoring.


Information Security

· Conduct surveys of information asset facilities, processes, systems, and services to evaluate current status of information security program.

· Develop and implement policies and procedures to ensure information is evaluated and protected against all forms of unauthorized/inadvertent access, use, disclosure, modification, destruction, or denial.

· Develop and manage a program of integrated security controls and safeguards to ensure information asset protection including confidentiality, integrity, and availability.


Crisis Management

· Assess and prioritize threats to mitigate potential consequences of incidents.

· Prepare and plan how the organization will respond to incidents.

· Respond to and manage an incident.

· Recover from incidents by managing the recovery and resumption of operations.


Surveillance Systems  

   


The individual components in the partial list below are a priority focus for all public and non-public company structures.


  • Employee security awareness.  
  • Existing/proposed Policies and Procedures to protect Employees, Management and Executives in the workplace against all threats/harassment. 
  • Mail security/screening 
  • Bomb Threats 
  • Firearms guidelines 
  • Critical security incident guidelines 
  • Emergency management coordination 
  • Business continuity planning
  • Business impact assessment 
  • Disaster recovery planning   
  • Active shooter
  • Access control/Surveillance of Facilities and Perimeters
  • Concepts of confidentiality, integrity and availability

 

  

Be proactive: evaluate your security program continuously and ensure it remains compliant with industry standards and updates, avoiding any unnecessary risk and/or vulnerability gaps.



Enterprise Security Risk Management (ESRM) is a strategic approach to security management that ties an organization’s security practice to its overall strategy using globally accepted and established risk management principles.


ESRM is not a tactical program or an element of an existing security program. In fact, ESRM replaces the security tactical-program methodology for managing security. 


ESRM connects all key elements of security risk with the organization's assets, enabling decision making by asset owners. 


ESRM addresses all security risks to an organization’s assets, identifying and prioritizing them and developing specific mitigation steps. The objective is effective mitigation, not a program to address a specific threat or issue.


In ESRM, the security professional transitions from managing a security function (delegated role) to a trusted advisor and partner for asset owners. In this transition, the security professional leaves the role as a task manager who executes specific steps for security services and shifts to a strategic resource for the organization, adopting a more holistic view of risk. 


The security professional provides information and guidance to asset owners for prioritizing assets, identifying and prioritizing risk to those assets, and selecting mitigation strategies and plans. 


In reality, ESRM manages security risk holistically, regardless of the organizational structure. 


The Asset Owner is the person most directly responsible for successful operation of the asset.   

ESRM assigns responsibility for the risk to an asset to the asset owner because the asset owner best understands the asset. Asset owners (the risk owners) are trusted to make decisions about risks to their assets.


The Security Professional acts as a security risk subject matter expert and a trusted advisor to asset owners, top management, and other stakeholders. The security professional guides the asset owner through the security risk decision-making process and may lead agreed-upon mitigation actions.


Executive Management is the highest level of executive leadership in an organization (for example, the C-suite or an executive committee). In some organizations, asset owners may be at the Executive Management level.


For the security professional, security group, and the organization, ESRM provides numerous benefits and overcomes long-standing roadblocks. 


 Strategic Partner & Trusted Advisor 

  • The security professional can transition to being a strategic partner and trusted advisor versus being a tactical owner of security programs. The security professional and security group may oversee various mitigation processes/systems but those are supported and/or directed by asset owners. 

Knowledge of the Enterprise 

  • The security professional will develop a stronger and more complete understanding of the organization and its strategies and goals.  From this, the security professional will be better able to assist in risk identification and prioritization.

Focus on Risk, Not Tasks 

  • With a focus on risk, security professionals can be more innovative in problem solving and risk reduction. 

Proactive Approach 

  • Security moves from a reactive role to being more proactively focused. This obviously can lead to better results, including fewer incidents and reductions in the impact of an incident. 

Risk Visibility 

  • ESRM allows key security risks to be better seen by top management because they are elevated by senior managers who are asset owners. 

Enhanced Resilience 

  • ESRM enhances the organization’s resilience, event response, and its management of a crisis.

The organization is the environment in which assets and risks live. For these reasons, understanding the organization is an initial step in ESRM and is at least as important as understanding the threats that the organization faces.

MISSION & VISION 

  • Security professionals should understand and fully align to the organization's mission and vision to more effectively identify risks that could impede the organization's ability to achieve its goals and objectives. 

CORE VALUES 

  • Organizational core values can indicate how well ESRM and its emphasis on partnership, collaboration, and transparency might be embraced and supported by corporate culture.

OPERATING ENVIRONMENT 

  • It is essential that security professionals understand the environment in which the organization operates to assess risk. 

STAKEHOLDERS 

  • Security professionals should understand the organization's stakeholders and what's important to those stakeholders.

To identify risks that could undermine the organization’s strategy, security professionals must fluently understand it, especially its mission and vision. The more security professionals know about their organizations, the more effective they are at supporting their missions and visions.

Products & Services 

  • A clear understanding of the services and products provided by the organization is essential for building relationships with asset owners and stakeholders and for risk identification and prioritization.   

Leadership & Key Staff 

  • Knowing key staff and leadership along with the organization’s operating structure will allow the security professional to smoothly navigate throughout the organization and find and build key relationships. 

Legal Requirements and Regulations 

  • It is critical to learn legal requirements and regulations that impact the organization and that the organization must follow whether directly related to security or not.

Strategic Plans 

  • Long-term strategic plans and goals are the roadmap for the organization and being fully aware of both will help the security professional support their management partners and make decisions that will enable the organization to reach its goals.  


An organization’s core values frequently go beyond making a profit and increasing shareholder value. They often define the organization's culture and may include things like: 

  • environmental stewardship 
  • the community 
  • employee safety and security
  • product quality, brand, and image protection 
  • new product development   


When evaluating values/culture, consider the following:

  • How does the organization handle change? 
  • What is the organization’s risk tolerance/risk appetite?
  • Are some business units more open to working with security than others?
  • What do employee surveys indicate for value, culture, and change?
  • Is there effective communication with all stakeholders in the organization?
  • What are key motivators for the organization?  


Strategically linking ESRM to the organization’s core values and specifically mentioning them in security strategy and messaging should ensure alignment with the priorities of top management.   


To assess risk and build relationships, security professionals need to understand the operating environment in which the organization functions.

This environment includes physical, nonphysical, and logical factors.


Physical 

The physical environment includes much of what influences traditional security factors such as:

  • type of location, building, and surroundings
  • amount of pedestrian/vehicular traffic
  • the nonemployee access required
  • industrial control systems
  • criticality and sensitivity of processes and assets on-site
  • products on hand or warehoused

Increased knowledge of the services and operations of the organization enables the security professional to be accepted as a trusted advisor.


Nonphysical

Nonphysical factors include:

  • geo-political environment
  • external pressures on the industry
  • legal/regulatory/compliance requirements
  • intensity of competition
  • growth mode of the organization
  • speed required for decision making
  • impact of technology
  • complexity of on-going change including leadership


Logical

Logical factors include the organization’s various information types. It also includes digital assets and the network or digital space that connects them to each other and to stakeholders.

Examples of this are:

  • servers
  • workstations
  • network infrastructure

Increased knowledge in the logical area is essential for working with and advising on related risk to the organization.


Anyone who directly interfaces with the organization may be considered a potential stakeholder. They may impact and/or be impacted by the organization, its assets, or its personnel. Security professionals should know stakeholders of the organization and understand what is important to those stakeholders. Knowing what is important to stakeholders enables the security professional to better advise and consult with stakeholders and assist them in formulating mitigation strategies for security and related risk.


Stakeholders could include:

The Leadership Team

  • The leadership team, Board of Directors and anyone who sets strategy for the organization.

Asset Owners

  • Asset owners of tangible and intangible assets are the key partners in ESRM for the security professional.

Individuals working for or on behalf of the organization

  • Individuals working for or on behalf of the organization are also stakeholders, some of whom may be key allies in managing security risk. Some of these may be intangible asset owners like procurement, human resources, legal, or marketing.

Individuals who contribute knowledge to the organization

  • Individuals who contribute knowledge to the organization or support the organization are stakeholders with whom the security professional will need to engage. These individuals could include suppliers, distributors, consultants to the organization, or auditing firms.

Clients and Customers

  • Clients/customers of the organization are also stakeholders impacting risk management. These may include distributors, resellers, retailers, and direct customers.

Local Community

  •  Often overlooked as a stakeholder is the community surrounding the organization’s operations. Organizations can impact the surrounding environment, traffic, noise, and economy. There are joint risks that affect both stakeholders and the organization and partnering with surrounding communities may help reduce risk.


Stakeholder support is critical to the successful adoption of ESRM. It is important to identify them, engage them, understand what is important to them, and align with their priorities. Once security professionals understand the priorities of the organization’s stakeholders, they can better support them in achieving their objectives. Creating supportive relationships is critical in an ESRM environment.


Note that understanding stakeholders does not necessarily mean harmonizing their interests, but rather understanding their needs and their risk insights to better facilitate the ESRM process. 


 Security professionals with a thorough understanding of the organizations they are protecting are well-positioned to successfully adopt and implement ESRM within their organizations. To ensure sustained longevity and success, there are four other critical concepts to incorporate. 


Called the Foundation of ESRM, these four components are:

  • Holistic Risk Management
  • Partnership with Stakeholders
  • Transparency
  • Governance


Two types of transparency are particularly relevant from the perspective of ESRM.


Risk Transparency

  • This suggests that security professionals should represent risks based on their understanding and expertise in a clear, open, and honest way. Risks should be represented exactly as they are, not exaggerated nor minimized. To ensure this, security professionals are encouraged to use objective statements, quantitative analysis, and quantifiable metrics as much as possible.

Process Transparency 

  • This suggests that security professionals should ensure that asset owners and stakeholders understand the organization’s security risk management process and each step of that process as security professionals guide them through it. In most organizations, there is no value in keeping this process confidential. In fact, sharing openly about the value of the process and each step as it is performed typically increases engagement and buy-in among stakeholders.


Other aspects of security risk management that security professionals are encouraged to share with asset owners and stakeholders include:

  • Current and planned security measures
  • The reasons for those measures
  • Any other relevant decision makers
  • Other mitigation options that may be considered
  • Final decisions on risk mitigations  


Governance refers to the rules and processes by which a function or organization is governed. Governance helps to effectively manage expectations and improves clarity and consistency. Governance also ensures that efforts across the organization ultimately satisfy the needs of the organization.


Two types of governance are particularly relevant from the perspective of ESRM. 


Organizational Governance

  •  This is the system by which an organization is directed and controlled.  Organizational governance typically addresses the role of top executives and the board of directors, the need for audit and oversight, the rights and responsibilities of stakeholders, and procedures for decision making.

ESRM Governance

  •  This is the process of setting enterprise security risk policy and direction, allocating resources, and ensuring compliance. ESRM governance is a subset of corporate governance and is modeled after organizational governance.


The ESRM Cycle is the part of the ESRM approach that describes how security risks are to be mitigated.  This cycle is like other processes available in the security industry. Perhaps its most defining characteristic is its emphasis on understanding organizational assets and involving asset owners in the risk management process.   


The ESRM Cycle includes four processes:

  •  Identify and Prioritize Assets
  • Identify and Prioritize Risks
  • Mitigate Prioritized Risks
  • Continuous Improvement    


Please give us a call for additional information, or to schedule an onsite consultative visit.


Diversify Your Knowledge

Forward-thinking leaders:

Think two or three moves ahead. They think not only about what they have achieved, but about how they can achieve more. They diversify their knowledge, challenging themselves to maximize their responsibilities.

Supportive leaders:

Lead by example, focusing on team development and positive communications, fostering pride and ownership, motivating one to self-challenge, and creating a positive work environment while providing best work practices and success.


Copyright © 2018 Crawford Professional Services - All Rights Reserved.
