ERM Demystified

Chase Farms in Walkerville, Mich., didn’t plan to turn video surveillance into a risk management tool; it just happened.

The agricultural producer originally set out to watch over a seasonal work force by positioning Internet protocol (IP) cameras wherever they were needed. Because the cameras recorded the pace and volume of each day’s harvest and processing, the number of laborers working specific fields and the number and frequency of truck pick-ups, Chase realized the cameras were providing a wealth of information it could use to more efficiently manage business operations.

With quantifiable numbers, Chase could better anticipate labor requirements, match shipments to hourly volume, reduce waste, increase safety and compliance and train new workers faster. Savings from all of these improvements flowed straight to the bottom line. Beyond reducing Chase Farms’ exposure to theft and other physical security vulnerabilities, the process contributed to measurable reductions in workplace accidents, emergency response time, and product spoilage and loss.

Security tools such as video cameras, management software and analytics applications once perceived as purely surveillance tools now have a key role in managing corporate risk, says Eric Fullerton, president of the U.S. office for Milestone Systems A/S, Brøndby, Denmark, which supplies video management software to Chase Farms.

Enterprise risk management is one of many buzzwords bandied about the executive suite these days. Because it is often an ill-defined term, it can be intimidating to chief security officers who suddenly find themselves part of an ERM initiative emanating from the corporate board. In truth, once launched, ERM is a fairly simple process.

Most companies have ERM principles in place, although they may never have been identified or qualified as such. Nonetheless, a sudden directive from the executive suite, accompanied by few details, that department managers collaborate on an ERM plan can add pressure and confusion.

But it shouldn’t be overwhelming. ERM might be the new watchword of the day, but it is what security has done for years, says Bob Hayes, managing director of the Security Executive Council, a Marietta, Ga.-based professional association of CSOs. ERM is about protecting the assets of the corporation. What’s new is that, because of compliance laws designed to protect corporate shareholders such as the Sarbanes-Oxley Act, ERM has senior management attention.

“A lot of this was done internally, but it didn’t go very high in the organization,” Hayes says. “Now it has to be reported and monitored by the board.”

A Convergence Driver

ERM also goes hand-in-hand with convergence. First, there’s convergence from a management perspective. Once senior managers get involved, they look at how security operations can be applied to a broader ERM strategy that takes in finance, information technology and even marketing and branding.

“What’s changing is that the board and executive management are looking at all hazards and all risks and asking for a plan that handles all,” Hayes says. Business continuity, disaster recovery, emergency planning, supplier disruption planning, weather emergency planning and crisis management planning, which may all have once been independent processes, are unified under one plan.

This process is not much of a shift for CSOs in the Fortune 1000, Hayes says, but for some in the “Fortune 50,000,” it can be very different. “It’s new for companies that have never done this before,” he says.

Broader Role For CSO

For security professionals, ERM presents new opportunities.

“The CSO needs to assist in crafting a security policy plan,” says Mario Sanchez, chief security architect for Hewlett-Packard’s ProCurve unit, Palo Alto, Calif.

Questions of risk must be viewed from a holistic perspective that addresses both the protection of tangible assets -- people and property -- and intangibles such as brand equity. “It’s a process, not a product,” Sanchez says.

John Szczygiel, president of Mate Inc., McLean, Va., the U.S. subsidiary of Israel’s Mate Ltd., agrees. “ERM forces a CSO to put the security investment in the context of a number of possible risk responses,” he says. Those responses cross IT, human resources, financial and legal departments. As a result, risk becomes more broadly defined, Szczygiel says.

Szczygiel, who is also vice chairman of the Open Security Exchange, a cross-industry forum promoting platform interoperability, says another change is that many CSOs now must create a business case for their investments.

That means assessing the impact of a negative event, delineating methods to handle the risk and articulating the cost. Szczygiel offers key questions: “What’s the right place to protect? Where is the risk to expose? Can you weigh business objectives against the corporate risk appetite?”

A CSO who can supply a board with the answers to these questions can end up being elevated to a position where he or she is creating solutions that allow the business to expand, Szczygiel says. He advises CSOs not to view the business case requirement as just a layer of overhead but as an opportunity to work “elbow to elbow as a partner” with other executives in creating and protecting value for the company and its shareowners.
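The business case Szczygiel describes (impact of a negative event, candidate responses, their cost, and the corporate risk appetite) can be worked through numerically. The following is an added example, not code from the article or from any vendor named in it; it uses the common annualized loss expectancy (ALE) model, and every risk figure, control cost and appetite threshold in it is constructed for illustration.

```python
"""Added example: weighing candidate risk responses against a stated risk
appetite with annualized loss expectancy (ALE).  All figures below are
constructed; the appetite threshold and control effects are assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    single_loss: float   # expected loss per occurrence, in dollars (constructed)
    annual_rate: float   # expected occurrences per year (constructed)

    def ale(self) -> float:
        """Annualized loss expectancy = single loss * annual rate."""
        return self.single_loss * self.annual_rate


@dataclass(frozen=True)
class Response:
    label: str
    annual_cost: float        # yearly cost of the control, premium, etc.
    rate_factor: float = 1.0  # multiplier on occurrences after the response
    loss_factor: float = 1.0  # multiplier on loss per occurrence after it


def residual_ale(risk: Risk, response: Response) -> float:
    """ALE that remains once the response is in place."""
    return (risk.single_loss * response.loss_factor
            * risk.annual_rate * response.rate_factor)


def evaluate(risk: Risk, responses, appetite: float):
    """One row per response: residual ALE, cost, whether it is within the
    appetite, and net benefit (ALE reduction minus the response's cost)."""
    rows = []
    for r in responses:
        res = residual_ale(risk, r)
        rows.append({
            "label": r.label,
            "residual_ale": res,
            "annual_cost": r.annual_cost,
            "within_appetite": res <= appetite,
            "net_benefit": (risk.ale() - res) - r.annual_cost,
        })
    return rows


def best_within_appetite(risk: Risk, responses, appetite: float):
    """Response with the lowest total exposure (residual ALE + cost) among
    those that bring the risk inside the appetite; None if none does."""
    ok = [row for row in evaluate(risk, responses, appetite) if row["within_appetite"]]
    if not ok:
        return None
    return min(ok, key=lambda row: row["residual_ale"] + row["annual_cost"])


# Constructed scenario: a laptop walked out of an unsecured area.
LAPTOP_THEFT = Risk("laptop theft from unsecured area", single_loss=50_000, annual_rate=2.0)
RESPONSES = [
    Response("accept", annual_cost=0),
    Response("cable locks + clean-desk policy", annual_cost=8_000, rate_factor=0.25),
    Response("full-disk encryption", annual_cost=15_000, loss_factor=0.1),
    Response("insurance", annual_cost=30_000, loss_factor=0.2),
]
APPETITE = 20_000  # assumed: board tolerates at most $20k expected annual loss here

if __name__ == "__main__":
    for row in evaluate(LAPTOP_THEFT, RESPONSES, APPETITE):
        print(row)
    print("chosen:", best_within_appetite(LAPTOP_THEFT, RESPONSES, APPETITE)["label"])
```

Running the script prints each response's residual exposure and net benefit, then the cheapest response that satisfies the appetite; the point is that "accept" and the cheapest control both fail the appetite test even though the control has a positive net benefit, which is exactly the distinction a board wants made explicit.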

Converged And Open

Along with organizational convergence comes technology convergence. ERM arguably would not be possible without the convergence of physical and logical security.

“When people talk about ERM, even without realizing it, it turns into a convergence discussion,” says Fredrik Nilsson, general manager with Axis Communications Inc., Chelmsford, Mass., the U.S. unit of Sweden’s Axis Communications AB.

The integration of physical and logical security stimulates a process that is greater than the sum of its parts. IP integration allows CSOs to network surveillance, access control and system sensors to derive information that can be used to create more business value and efficient operations.

Data from converged systems also enables better risk identification, evaluation and management. This in turn leads to additional IP integration of security systems. It’s a virtuous circle.

It’s almost a given that there is a robust IP network within the enterprise to support convergence, says Nilsson, who argues using IP-based products is the best way to manage security convergence. “It’s the only way to ensure the operation is keeping current with technology evolution,” he says.

Milestone’s Fullerton emphatically agrees. “A CSO must choose a truly open platform to get best-of-breed. No one today knows what the best piece of equipment will be tomorrow,” he says. “That’s why it’s important to choose an ecosystem with partners that play together.”

“They must be able to incorporate the benefits of new technology when it comes along,” adds Fred Wallberg, director of marketing for the Americas at Milestone.

SEC’s Hayes, however, advises end users not to get too caught up in breathless vendor pitches. They still should consider costs, and even a sound ERM program doesn’t necessarily call for a forklift overhaul.

“Would I put in an all-new system for that reason?” he asks. “No.”

Hayes advises that CSOs begin with systems that help them assess the threats they face and how they are prepared to handle them. “I think there are products that will help,” he says.

Analytics And Other Tools

Hayes is referring to analytics and situation awareness tools, which sit on top of a security system and gather information that can be analyzed and mined for security weaknesses and vulnerabilities. Users then set policies and procedures via the software that identify and confirm a threat or emergency and ensure a proper response. Vendors include Orsus, New York, and Or Yehuda, Israel; ioimage, Herzliya, Israel; and Mate.

Analytics and forensic tools also can help strengthen the all-important value proposition, says Dvir Doron, vice president of marketing for ioimage. Analytics, he says, provide statistical information for aggregating types of threats and their causes, a key ERM data set. “It is instructional in providing information patterns -- high-risk sites, high-risk time frames,” Doron says.
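The aggregation Doron describes, grouping security events by type, site and time frame to surface the high-risk ones, is straightforward to show in code. The block below is an added example, not ioimage's or any other vendor's software: the event records are constructed, the severity weights and the share and count thresholds are assumptions, and a real deployment would read events from the video management or access-control system rather than an inline string.

```python
"""Added example: aggregate constructed security-event records by type,
site and hour to surface high-risk sites and time frames."""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed event log (timestamp,site,event type); not real data.
EVENTS = """\
2008-04-01T02:15:00,loading-dock-b,perimeter-breach
2008-04-01T02:40:00,loading-dock-b,tailgating
2008-04-01T09:05:00,lobby,tailgating
2008-04-02T02:10:00,loading-dock-b,perimeter-breach
2008-04-02T14:30:00,warehouse-3,door-forced
2008-04-03T02:55:00,loading-dock-b,tailgating
2008-04-03T23:20:00,warehouse-3,door-forced
2008-04-04T02:05:00,loading-dock-b,perimeter-breach
2008-04-04T11:00:00,lobby,tailgating
"""

# Assumed severity weights per event type; unknown types count as 1.
SEVERITY = {"perimeter-breach": 3, "door-forced": 3, "tailgating": 2}


def parse_events(text):
    """Return a list of (datetime, site, kind) tuples, skipping blank lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, site, kind = line.split(",")
        events.append((datetime.fromisoformat(ts), site, kind))
    return events


def by_site(events):
    return Counter(site for _, site, _ in events)


def by_hour(events):
    return Counter(ts.hour for ts, _, _ in events)


def by_type(events):
    return Counter(kind for _, _, kind in events)


def high_risk(counter, share):
    """Keys that account for at least `share` of all events (assumed threshold)."""
    total = sum(counter.values())
    return sorted(k for k, n in counter.items() if n / total >= share)


def weighted_site_scores(events, severity=SEVERITY):
    """Severity-weighted score per site, so a few serious events outrank
    many minor ones."""
    scores = defaultdict(int)
    for _, site, kind in events:
        scores[site] += severity.get(kind, 1)
    return dict(scores)


def hotspots(events, min_count):
    """(site, hour, count) pairs seen at least `min_count` times, busiest first."""
    pairs = Counter((site, ts.hour) for ts, site, _ in events)
    return [(site, hour, n) for (site, hour), n in pairs.most_common() if n >= min_count]


if __name__ == "__main__":
    ev = parse_events(EVENTS)
    print("by type:", by_type(ev))
    print("high-risk sites:", high_risk(by_site(ev), 0.4))
    print("high-risk hours:", high_risk(by_hour(ev), 0.4))
    print("weighted site scores:", weighted_site_scores(ev))
    print("site/hour hotspots:", hotspots(ev, 3))
```

The same counters feed the business case: a site-hour pair that keeps recurring is a concrete, measured exposure to put in front of IT security and finance, rather than a general assertion that a loading dock "feels" risky.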

This approach can be especially effective in achieving cooperation and buy-in from IT security counterparts, who already are accustomed to making procurement cases through identification and cataloguing of events, adds John Whiteman, ioimage’s vice president and general manager for the Americas.

“The equipment a CSO has becomes more valuable to the organization. All of a sudden you can extract value from that,” says Rafi Bhonker, Orsus’ vice president of marketing (see “Finding Danger in the Data,” April 2008). Situation management systems allow CSOs to map the risk concepts, he says.

“The platform takes the ERM concept and implements it in a way you can use,” Bhonker says. Consultants are big on the “book” -- the binder that describes top to bottom security policies -- but in the heat of the moment, Bhonker says, “no one’s going to open the book.”

Stay On Target

Threats and vulnerabilities are always changing. That’s why CSOs must work to understand not just security issues purely related to physical protection but also the larger risks their organizations face. Security at a defense contractor or pharmaceutical company might be excellent at stopping trespassers or blocking a denial of service attack but fail to recognize other threats.

“The threat landscape is more professional,” ProCurve’s Sanchez says. “Attacks are elegant and finessed.” For example, someone may use a password-guessing program to log on to a corporate network, or they may simply try to walk off with a laptop or flash drive left in an unsecured area.

“People are after information, not to take down the network for the sake of doing it,” Sanchez says. “It’s important not to remain stagnant in the ever-changing environment.” But there’s no reason this should happen, Bhonker says.

Because of ERM, enterprises are making security a strategic part of the organization. “ERM is an issue to everyone,” he says. Certain verticals -- transportation, seaports, airports, railroads -- are ahead of the curve because of their high-profile vulnerability. But ERM-driven convergence is visible in the growing trend of end users investing in interoperable video, access control, radar, infrared systems, emergency notification, analytics and situation management.

“Two years ago, no RFP addressed this,” Bhonker says. “Now there are RFPs that are very specific as to how the end user wants all their technologies to work in a coordinated manner.”
