‘ESRM Approach to Security Digital Transformation’ with Rachelle Loyear

In Florida, USA, at this year’s Global Security Exchange (GSX), Rachelle Loyear (RL), Tim McCreight, CPP, John Petruzzi, CPP and David Feeney, CPP discussed Enterprise Security Risk Management (ESRM) and digital transformation. Rachelle joins Human Risks (HR) to share her findings from the event. She explains how complete digital transformation of security is a matter of when, not if. Rachelle Loyear is Vice President of Innovation and Product Management at G4S Americas. She has spent her career managing programs in corporate security organisations. Focusing strongly on Security Risk Management, Rachelle has been responsible for ensuring enterprise resilience for both physical and cyber risk. In 2017, she released the book ‘The Manager’s Guide to Simple, Strategic, Service-Oriented Business Continuity’, and is a co-author of the 2018 book, ‘Enterprise Security Risk Management: Concepts and Applications.’

Rachelle ASIS.jpeg

1. HR: How can the ESRM approach help organisations create a more streamlined and connected security program?

RL: I think the main point that helps build more streamlined and connected security programs, when you take an ESRM approach, is that all of the security solutions we put in place are agreed to by our security asset owners and stakeholder partners. This means that we have the opportunity to discuss all of the necessary security measures with everyone. We can then align the needs across the Enterprise instead of having one-off projects that may, or may not align. Doing this allows us to provide greater benefit and the maximum mitigation to protect the most assets with only the truly necessary mitigation tactics.

2. HR: What does digital transformation really mean in tangible terms for Security Risk Managers?

RL: In a way, I think that digital transformation at this point in time is individually what each security risk manager is going to make of it. The amount of risk and change that can be accepted within the tolerances of our organizations is going to drive the kinds of digital strategies and transformative activities that we undertake.

Some organizations might find it a difficult project to merely digitize a paper process for check-in. They may have some trouble accepting the change of digitizing a logbook for security activities, for example. And that is simply an activity of taking a paper process and putting it into a computer form, not a major transformation. Some organizations might have a much higher appetite for change, even if that change brings about risk because it creates opportunities for gaps to appear. Therefore, I think as we digitize, organizations are going to have to find the level that works best for them. As the future comes and more and more things are online and are connected to the network, this is going to get more complicated. All of our security colleagues are going to have to be aware of this complexity and manage these environments within the rubric of their Enterprise Security Risk picture and comfort zone.

3. HR: What top three tips can you offer to help ensure a good end-user experience from an ESRM digital and tech perspective?

RL: User experience is something that technology companies talk about a lot. Simply digitizing a process, or putting something online doesn’t always make it easier. Sometimes it makes for extra steps, such as more logins or passwords that you have to remember. I think it’s important as we digitize things to keep that in mind and make sure that we are not making the employee, customer, or vendor experience of working in our security environment a poor one.

I think the top tips that I would offer for maintaining this user experience align very well with what management would already be doing in a risk-based security program. The first one being: work with your business partners to make sure that you’re solving their actual problem. Make sure you’re mitigating real risks to their assets in a way that they agree with. If we’re working with the business we’re going to understand what the business can and cannot accept in terms of the mitigating tactics – the services that we provide and the processes that we put in place. That will help us to understand what they can accept and how that can make the experience better for the end-user.

Second, I often give the advice that developing security activities and functions using a design thinking approach will go a long way to ensuring a good user experience. To this end, interview the people who are going to be interacting in your security program. Talk to them about your needs, explain the ideas of what needs to happen and what has to be done for an optimized security environment. That way you can collaboratively come to an agreement about how this can both mitigate the risk, and allow people to function well in the environment. Additionally, with design thinking it’s an interactive process so accept that you’ll get feedback along the way. This can make whatever program that you’re putting in place much better as it evolves. Using design thinking is definitely a way to enhance the user experience of the final security program that you put in place.

I think the third and final tip goes along with the first two, which is to be flexible. Sometimes the first way that you think of doing something may not be the way that works for everyone. It’s really important to be able to pivot and change in response to identified needs and also changing environments. By doing so you can make sure that you’re always in line with the current needs of the business – whether you’re enacting new processes, or merely moving older processes into a digital environment

4. HR: What key concerns should Risk Managers be aware of when transforming and updating existing programmes, from an ESRM perspective?

RL: During the session, Dave Feeney talked in depth about the ‘five whys’ concept. I think that this is one of the ways in which we can dig into the concerns and figure them out. As we are transforming programs and processes, perhaps the first questions that we should ask ourselves are, “Why was this process being done in the first place? Why does that asset require protection? Why are we concerned about the ramifications of harm to that particular asset? Why do the people who need access to that asset need access to it?” These are just examples of some of the ‘why kinds’ of questions you could ask as you dig into the process that’s being transformed.

Anytime you have the opportunity to transform a process it’s great to start from scratch in the ESRM cycle. For example; what are the assets? What are the risks? How do we best mitigate those risks and does the business agree? You may be able to answer all of those questions, if so – great! That means we’ve looked at the security concerns we need to consider. It may be that after asking all those questions the organization might find that it’s not a good candidate for a process for digitization. They might even find out that they don’t need that process at all anymore! One of the key things here is not to be too attached to the idea at the beginning. That way you can step back to the previous answer, re-assess and be flexible in how you reach the outcome that you’re trying to meet.

5. HR: How can technology platforms help support the Businesses Continuity and ESRM process?

RL: One of the things that technology tends to be very good at is automating the process of keeping track of things, and automating processes of reminding humans of the things that we forget to do. When it comes to risk management, resilience and continuity there are technology platforms that can help us document and track all of the pieces and parts of the risk management cycle; asset lists, stakeholder lists, risk registries, mitigation lists etc. Platforms can tie them all together and help us understand how often we’re reviewing and updating them.

Now, these technology platforms can’t help us to build the collaborative relationships that we need to. Nor can they help us identify our partners, or decide together what the best mitigations are. Technology is a facilitator of these things and platforms can really help us organize ourselves around them. In other areas of security, technology can automate and speed things up. Technology can also help us to do the repetitive things that humans often find it difficult to focus on. Specific to risk management, I think having a system that helps you organize and identify all of these things can certainly make things better and more efficient.

6. HR: When it comes to enterprise resilience, what are the common challenges you find organisations face? Do you have any advice about solutions for those challenges?

RL: I think resilience is such an enormous topic that sometimes it’s overwhelming before you even get to start. That’s why following an ESRM cycle – or honestly, any kind of organized way of thinking about these things, really helps to overcome those challenges. When we’re looking at something as large as Enterprise resilience, it helps to be able to break it down. This can include cycles such as the ESRM one, where you make clear steps toward identifying assets. From there you work through each of those assets to identify risks. The next step would be to work through those risks to identify which ones should be mitigated, and how. By approaching the process in this way you’re taking it one bite at a time and working on one project at a time. This makes it a little bit easier to figure out exactly what you need to be doing.

As you solve challenges for actual Enterprise resilience, the actual resilience challenges need to be met on an individual basis and tailored for your organization (because every Enterprise is so different and we all function in very different ways). I’d therefore hesitate to give anybody any blanket resilience answers for themselves without knowing their specific situation.

7. HR: How have you found the Security Risk industry has changed for women from the start of your career until now?

RL: Well, I used to joke that one of the big benefits of being a woman in security was that whenever I went to an event there was no line at the bathroom.

I think that’s changed a bit, certainly. There are many more women in security now than when I first started. Just walking around at GSX this year, I see the gender balance of our industry is certainly shifting. I saw more women speakers, more women represented in the exhibit booths and more security colleagues walking around the floor.

The Women In Security (WIS) community was quite active at the GSX show this year, and that was nice to see. It’s great to be able to engage with colleagues who have similar experiences to mine. To get their points of view on how they navigate the politics of the organizations that they function in.

I can’t say that I think it’s necessarily easier to be a woman in security now than it was when I first started, because I wouldn’t call security an easy industry to be in. However, in my experience, the fact that I am a woman seems to be less of a “factor” in my interactions in this space than it once was.

8. HR: How can organisations improve their connectivity and workflow potential by using digital platforms for risk-based decision making?

RL: Tech platforms simply make it easier for us to keep track of all of the information that we need to organize for this kind of decision-making. A good platform also helps us report on them. It will help us to understand and develop tracking mechanisms for where we’ve been and where we’re going. I think it depends on the kind of organization you are. If you’re a small organization with very few assets and not too many stakeholders, you might be able to keep track of all this stuff in a spreadsheet. Yet the more complicated things get and the more moving pieces and parts you have, well sometimes it’s just easier to have a tool designed specifically to help you with that

9. HR: What were the key insights and learnings from your GSX presentations today?

RL: I really enjoyed the presentation on digital transformation today. I think I’d like to point out two things really. One of the focuses that John Petruzzi had was on the employee experience. It’s critical in organizations where we are supposed to be serving and securing the organization to make sure that we are serving the entire population of that organization. We cannot sacrifice a good interaction experience on the altar of expedience, or restrictive security. Now, of course, sometimes providing safety and security does also provide a little bit of inconvenience. However, if we try we can often find a happy medium to make sure that employees do not bear the brunt of the security mitigation tactics.

The other thing I would like to mention was Dave Feeney’s focus on identifying the necessary outcome of our project, rather than focusing on the project itself. This goes along with the ESRM model of always making sure that you’re serving the business. Try to focus on the outcome first instead of the product, or service that might be under discussion, or back to our digitization example the process that you’re looking to digitize. If you focus on the outcome that you’re trying to achieve you will find far more options available to you. This approach is preferable over working backwards from, ‘I want this product or service in my security program’.

10. HR: How can we collectively join forces to support the growth and development of the Security Risk industry?

RL: Well, I think we’re already doing that at events like GSX, by being members of the ASIS communities online, by being part of membership organizations such as SIA etc. Or, as myself and many of my colleagues do by participating in social media – posting our thoughts on LinkedIn, participating in conferences and webinars. Continuing to share our experiences and knowledge is the way forward. I think that is how we come together and make security better.

Thank you very much Rachelle for sharing your wisdom and insights with us.

To find out more about Rachelle’s work, click here.

Read more?

We can help you today

If you want to see what the Human Risks platform can do, for your company.  Contact us today