ESRM Security Philosophy: A View from the Top


ESRM Security Philosophy: A View from the Top

It was great to hear security industry thought leader Brian Allen, Chief Security Officer at Time Warner, and his colleague Rachelle Loyear, Director of Operational Business Continuity Management, discuss Enterprise Security Risk Management (ESRM) at the Spring ASIS International Conference in New York City.

The philosophy of Enterprise Security Risk Management, an integrated model, can address important concerns for private sector entities when it comes to communication and role clarity challenges. This is no small matter. Integration of this process into company culture will help make companies, particularly large companies, be more nimble and agile in responding to organizational threats. Allen and Loyear discussed their partnership, and philosophy, in managing through a crisis within their respective roles.

Key takeaways from the discussion:

  1. When managing through a crisis understand the business issue you are trying to solve (technology, customer, financial).
  2. When an incident occurs, which members of your enterprise team are at the table and what does ongoing, sustained communication look like with business partners? 
  3. Small controllable table-top exercises are a good way to bridge gaps and build a crisis management team. Know the difference between an incident and a crisis. Also, know when to get your Cyber Response Team involved or when to elevate the concern to your Executive Cyber Response Team.
  4. Security awareness programs are needed in all organizations large and small.
  5. Have a “considerations checklist” versus just an execution or incident response plan checklist. Think about the most important considerations for your business when responding to a crisis (cyber, natural disaster, active shooter). This allows more flexibly in responding to an incident in a world where we can’t plan for everything. 

Essentially, the security leader’s role in managing a crisis is the same in any crisis management concern. This is a simple statement, with many nuances, when it comes to managing a data or cyber crisis. 

Jessica Robinson, is a writer and Founder & CEO of PurePoint International. She has worked with a top 40 company and with the 2015 US Open. As a security & risk management expert and outsourced CSO (Chief Security Officer), she advises and consults with small and medium sized businesses on cyber prevention and response. Learn more at

The PurePoint Blog, , ,

Leave a Reply

Your email address will not be published. Required fields are marked *