The New Enterprise Security Risk Manager

Transcription

1 SETRACON INC. Committed to excellence in Security, Training, and Consulting Services The New Enterprise Security Risk Manager Jeffrey A. Slotnick, PSP, CPP President Setracon Inc. Partner in OR 3 M Copyright August 2012 OR3M, LLC and Setracon, Inc. Do Not Reproduce Without Permission

2 Key Questions How do I manage Change? What is Resilience? And Why Should I Care? What is it costing me if I do not have a resilient organization? How do I do it? What is my role? How do I make the case around success?

3 Question #1 HOW DO I MANAGE CHANGE? CHANGE AGENT OR STATUS QUO?

4 It doesn t have to be dangerous LEADING CHANGE

5 The two extremes: Innovator as enemy and the non-contributor Machiavelli The Dodo But what if there is another choice?

6

7 The Next Generation of Security SO WHAT IS CHANGING?

8 Your Needs are Changing How do you measure your performance (Value)? What are the core processes that drive performance (Value)? What constraints do you have in getting to a Common Operating Picture and Coordinated Response? How do you manage your critical risk and security documentation? How do you manage changes to those documents? How do you distribute and communicate these changes? How do create a learning organization and information architecture to create Continuous Quality Improvement and Continuous Compliance?

9 Standards are Creating Change ORM is a mandate for change

10 The Organization Integration Challenge Organizational Silos are Creating Change Federal Agencies Board of Directors Human Resources Executive Protection State Agencies Executive Management Teams CISO Incident Management Local Agencies COO CSO Physical Security Investigations NGO CFO Risk Officer Security Technology Your organization needs direction to extend their value

11 The Information Integration Challenge Data in Silos are Creating Change Physical Access Control Systems (PACS) Video Surveillance Communication Interoperability Platforms Incident Reporting Door Technology Video Management VOIP and ROIP Data Visualization Identity Management Video Analytics Intercom Performance Reporting (People, Processes, Technology) Intrusion Detection Video Storage and Retrieval Smart Phones Forensics and Prosecution Complexity is not an answer

12 The Value Stream of Security* If we understand our process, we find the answer Security Operation s Path to Value *A white paper available on the OR 3 M, The Sage Group, or ASG website

13 Time to Act YOU KNOW, NOW YOU DO

14 The Security Management Role No longer solely in the domain of Guards and Physical Security. The Security Function now impacts all aspects of the enterprise! Now includes having a comprehensive management systems approach. For prevention, protection, preparedness, response, mitigation, continuity, and recovery for disruptive incidents resulting in an emergency, crisis, or disaster. (ANSI/ASIS SPC )

15 Emergency Preparedness Critical Infrastructure Protection Security Management Emergency Management Resilience and Risk Management Physical Asset Protection Security Risk Management Incident Response Crisis Management Recovery Management

16 Question #2 WHAT IS RESILIENCE & WHY SHOULD I CARE?

17 What is Resilience? Resilience: the adaptive capacity of an organization in a complex and changing environment. Helps avoid segregating or creating risk silos. Is Communicating at the top enough?

18 SETRACON INC. Committed to excellence in Security, Training, and Consulting Services Resilience: An Integrated Approach

19 Resilience: Definition Resilience is an organization s ability to quickly, efficiently, and effectively adapt to a change such as disruptive events (natural, intentional or unintentional), by implementing adaptive, proactive and reactive strategies.

20 1. Organizational Resilience: Key Elements Risk The business must be able to adapt quickly to changing conditions Our job is to help them prepare in advance for those changing conditions Optimization leads to Efficiencies leads to Cost Control By engaging ORM you will see the duplication of effort in your people, processes, and tools that will save you money Value By embracing ORM we understand the core processes that drive our business, because, in the end, that is what we are protecting. Security is a present and future business enabler

21 The Resilient Organization Resilient organizations: Can adapt and respond to changes to enhance their survivability and sustainability. Can resist being affected by an event or have the ability to return to an acceptable level of performance in an acceptable period of time after a disruption. Sustainability: the capability of a system to maintain its functions and structure in the face of internal and external change and to degrade gracefully when it must.

22 Benefits of Resilience Fewer surprises. Exploitation of opportunities. Improved planning, performance and effectiveness. Economy and efficiency. Improved stakeholder relationships. Improved information for decision making. Enhanced service delivery and reputation. Accountability, assurance and governance. Corporate longevity.

23 Internal Interdependencies Chief Operations Officer Chief Information Officer Chief Administrative Officer Chief Technology Officer Security Manager Chief Financial Officer SCADA Manager Legal Risk Manager Human Resources

24 External Interdependencies Physical Logical Enterprise Impacts Cyber Geographic 1 Source: Rinaldi, Peerenboom, and Kelly (2001)

25 Complexity is not our Friend Utility Interdependency Example

26 SETRACON INC. Committed to excellence in Security, Training, and Consulting Services The Cost of Not Being Resilient

27 Quantify the Cost of Failure We all know what failure looks like from past events. Hurricane Katrina 2005 Haiti Earthquake 2010 Chile Mine Explosion and Collapse 2010 Icelandic Volcanic Ash 2010 Gulf Oil Disaster, 2010 Tohoku Earthquake and Tsunami 2011 But do you know the financial impact of disaster in your business? We cannot manage what we cannot measure!

28 Identification of Event Impacts Loss of Revenue Stream Loss of Public Confidence Loss of Civil Order Loss of Life Loss of Personnel Loss of Supply Chain Loss of Utility Loss of Facilities Loss of Finances Loss of Communication

29 Key Definitions Preparedness (formal) the fact of being ready for something : the state of being prepared Proactive (formal) relating to, caused by, or being interference between previous learning and the recall or performance of later learning acting in anticipation of future problems, needs, or changes

30 Capacity for Risk Risk Capacity is measured by many things Financial Resilience Supplies on hand Resource Availability Communication Capability Business Intelligence

31 Prevention Protection Preparedness Mitigation Response Recovery A Strong Foundation for Managing Risk Organizational Resilience Adaptive, Proactive & Reactive Strategies Risk Assessment and Impact Analysis Organizational and Supply Chain Context of Managing Risk

32 Finding Balance Likelihood Consequences To cost-effectively manage risk, balanced strategies must be developed that adaptively, proactively and reactively address minimization of both the likelihood and consequences of disruptive events.

33 SETRACON INC. Committed to excellence in Security, Training, and Consulting Services The Value of Resilience

34 The Difference between Success and Failure

35 High Risk and High Success Event Start New Normal Event Duration High Level of Preparedness High Capacity for Risk Business Survives

36 Question #3 HOW DO I GET THERE?

37 W. Edwards Deming Continuous improvement requires that good data be collected Without accurate data, how can anyone tell if things are getting better or worse? Create constancy of purpose towards improvement Of product and service, with the aim to become competitive, stay in business, and to provide jobs Adopt the new philosophy. We are in a new economic age. Western management must awaken to the challenge, must learn their responsibilities, and take on leadership for change.

38 Collecting Information 2. Constraints? Managing Information Measuring Information Leveraging Information

39 3. What Should Technology Provide? We needed a single information warehouse and communication hub. A portal that can be cloud based or on premise Manage appropriate information that would be contained in the warehouse. Best Practice Rules for categorizing data, creating a workflow for approving and changing data and communicating or sharing data.

40 3. What Should Technology Provide? We needed a way to measure the results of our efforts. Automatically generated and custom designed reports to meet analytical needs We needed a way to leverage the data A new global reach and authentication method that allowed anyone in the world to access the right information, at the right time in the context of their need

41 The Challenge Unity of Effort is the product of Unity of Purpose A Common Operating Picture is the product of a Common Planning Picture.

42 How do we get there from here? 1. Create a Vision and Paint a Picture 2. Detail what success looks like 3. Create metrics to quantify success 4. Understand you can t eat a whole pie at once but you can enjoy each bite. 5. Keep your eye on the long term 6. Celebrate your successes 7. Maintain Momentum by Communicating, Planning and Reaching for the Next Step One step at a time

43 PDCA or APCI Model Plan (Assess) - Do (Protect) - Check (Confirm) - Act (Improve) Plan Define & Analyze a Problem and Identify the Root Cause Act Standardize Solution Review and Define Next Issues Do Devise a Solution Develop Detailed Action Plan & Implement It Systematically Check Confirm Outcomes Against Plan Identify Deviations and Issues

44 Summary The New Security Executive will replace the Old One A Choice must be made It is not about Security; it is about Creating the Resilient Organization for Business Performance We have defined resilience in a new way We have shared with you through our experience the constraints we have faced performing and sustaining resilience efforts We have provided you with a vision of how to use Commercial-Off-The- Shelf (COTS) portal technology to drive resilience performance We are creating a new definition of integration Using a Methodology is critical and it starts with the right assessment, followed by the right plan.

45 References Chief Security Officer Standard ASIS CSO Organizational Resilience: Security Preparedness, and Continuity Management Systems-Requirements with Guidance for Use ASIS SPC Data Management and Organizational Resilience by, Jeffrey A. Slotnick PSP, CPP

46 Questions? Thank You Jeffrey A. Slotnick PSP, CPP