I am a Security Learning & Development Professional
@dennisshepp
dennisshepp@shaw.ca
& ESRM
▪ ESRM = Enterprise Security Risk Management
▪ “A management process that creates a consistent and holistic approach to managing threats to any organization through an ongoing process of assessing all security-related risks across the entire enterprise.”
▪ “ESRM process ensures that any new risks are treated in the same way.”
▪ “A process of continuous improvement.”
ASIS International CSO Center (2014), Accessed March 2017: https://cso.asisonline.org/esrm/Pages/default.aspx
LEADERSHIP
Learning & Development
Business Enabler
Performance Measurement
Return on Inve$tment
QUALITY IMPROVEMENT
Is your organization “mature” enough to adopt ESRM?
Sally Godfrey (2008) “What is CMMI?” NASA presentation. Accessed: Feb 21, 2017.
Cindy Blake, HP’s Enterprise Security Products Group (2013), “Key Security Investments for 2013… and Beyond”, Accessed March 15, 2017: https://community.hpe.com/t5/Protect-Your-Assets/Key-Security-Investments-for-2013-and-beyond/ba-p/5929243#.WMmJbhLysfw
▪ How to Conduct a Maturity Assessment the Six Sigma Way:
▪ ASSESS – ANALYZE – ADDRESS
▪ ASSESSMENT reviews 12 Lean Six Sigma parameters.
▪ Process provides a checklist.
▪ Key element: LEADERSHIP!
Afsar Choudhary, “Are You Ready? How to Conduct a Maturity Assessment?”, Accessed March 15, 2017: https://www.isixsigma.com/new-to-six-sigma/getting-started/are-you-ready-how-conduct-maturity-assessment/
Lean Six Sigma Parameters Compared to Organizational Maturity Index
Adapted from Lynn Mattice, CPP & Jerry Brennan, CPP, 2015, “Chief Executive Magazine”, survey results from CEOs “Top 10 Skills Needed for Leadership” (modified).
of L&D pros say that talent is the #1 priority
The main objectives of an organization’s L&D strategy:
1. Develop managers & leaders.
2. Help employees develop technical skills.
3. Train all employees globally in one cohesive way.
4. Support career development for employees.
“2017 Workplace Learning Report” (2017), LinkedIn Learning Solutions, survey of >500 organizations in USA & Canada. Published and accessed online: https://learning.linkedin.com/elearning-solutions-guides/2017-workplace-learning-report
Ass’n for Talent Development (ATD), formerly ASTD, “2016 State of the Industry Report”, https://www.td.org/Publications/Blogs/ATD-Blog/2016/12/ATD-Releases-2016-State-of-the-Industry-Report
Does your training (learning & development) program impact the business?
1. Reaction – What did learners feel about the experience? How was the trainer/instructor?
2. Learning – Assessments & testing: did the learners actually learn any skills/knowledge?
3. Behavior – Has performance improved at work because of the L&D?
4. Results (ROI) – What is the business impact of the L&D?
Adapted Phillips Model (1997) – Training ROI
Competency Assessment Stage:
• Competency Gap Analysis – What’s missing?
• Develop Training Objectives – Learning outcomes must meet missing competencies.
• Develop Assessment Plan – Develop assessments (testing), based on learning outcomes; knowledge, skills, & on-the-job testing.
Data Collection Stage:
• Collect Level 1 & 2 Data – Reaction and satisfaction; learning assessment & measure learning outcomes.
• Collect Level 3 & 4 Data – Application; business impact.
Data Analysis Stage:
• Data Analysis – Convert data to values that impact the business.
• Level 5: Calculate ROI – Identify tangible costs; identify intangible costs.
Reporting Stage:
• Report – Generate impact study & report.
• ASIS International CSO Center (2014), Accessed March 2017: https://cso.asisonline.org/esrm/Pages/default.aspx
• “Protective Security Capability Maturity Model”, Gov’t of NZ – Protective Security, Accessed Feb 21, 2017: https://protectivesecurity.govt.nz/assets/Uploads/Protective-Security-Capability-Maturity-Model.pdf
• “Metrics and the Security Mindset”, SM Online, December 2016, https://sm.asisonline.org/pages/metrics-and-the-maturity-mindset.aspx
• Cindy Blake, HP’s Enterprise Security Products Group (2013), “Key Security Investments for 2013… and Beyond”, Accessed March 15, 2017: https://community.hpe.com/t5/Protect-Your-Assets/Key-Security-Investments-for-2013-and-beyond/ba-p/5929243#.WMmJbhLysfw
• Afsar Choudhary, “Are You Ready? How to Conduct a Maturity Assessment?”, Accessed March 15, 2017: https://www.isixsigma.com/new-to-six-sigma/getting-started/are-you-ready-how-conduct-maturity-assessment/
• “2017 Workplace Learning Report” (2017), LinkedIn Learning Solutions, survey of >500 organizations in USA & Canada. Published and accessed online: https://learning.linkedin.com/elearning-solutions-guides/2017-workplace-learning-report
• “Kirkpatrick’s Four-Level Training Evaluation Model”, Accessed March 15, 2017: https://www.mindtools.com/pages/article/kirkpatrick.htm
@dennisshepp
dennisshepp@shaw.ca
I am a Director at The Banks Group Inc.
@PhillipBanksPE
pbanks@thebanksgroup.ca
1. SMART Training
2. Critical Thinking
3. Risk-Based Decision Making
4. Leading-Practice Implementation
5. Security Optimization
6. Maturity Modeling
• Successful & measurable results.
• Cost effective, highest achievable performance.
• Formalized consideration of risk elements.
• Objective analysis of FACTS in all situations.
Critical Thinking – Risk-Based Decisions – Leading Practices – Security Optimization
Critical Analysis of: Observations, Facts, Inferences, Assumptions, Opinions, Arguments.
“A process that organizes information about the possibility for one or more unwanted outcomes into a broad, orderly structure that helps decision-makers make more informed management choices.”1
1 Introduction to Risk-based Decision Making – US Coast Guard
Risk Evaluation – Issue or opportunity?
Risk Response – Treat, tolerate, transfer, terminate?
Evaluate Response Options – Readily or reasonably achievable? Constrain decision bias.
Consider – Risk appetite, cost benefit, stakeholders, compliance issues, reputation.
Decision Making – Yes, no or somewhere in-between; now what to do?
“Nothing is less productive than to make more efficient what should not be done at all.” – Peter Drucker
Best versus Leading Practice
• Best Practice — a technique or methodology that, through experience and research, has proven to reliably lead to a desired result.
• Leading Practice — term used in place of “best practice” where it is inordinately difficult to identify or implement the best practice.
Considerations:
• “As-is” environment – observable elements?
• What is the problem or issue that needs remediation?
• Basis for leading practice?
• Implementable at effective cost?
• Measurable outcome?
• “To-be” environment – what will it look like?
• Based on what?
“As-Is” – Leading Practice – “To-Be” – Leading Practice Elements
1 http://www.thehackettgroup.com/best-practices/
Security Optimization
People – Risk aware and organizationally resilient.
Process – Understanding business processes and matching supporting security initiatives and programs.
Technology – Flexible, integratable, scalable and measurable security solutions.
Enterprise Security Risk Management – Security strategies with a focus on forward thinking, vulnerability reduction, business enablement and sustainable control measures.
Risk Management – focus on protecting an organization’s tangible and intangible assets.
Enterprise Risk Management – broader focus than protection of physical and financial assets; also includes enhancement of the business strategy.
Risk categories: Operational Risk, Financial Risk, Compliance Risk, Strategic Risk, Reputational Risk.
▪ Consistency (documented and repeatable)
▪ Continual improvement (internal audit)
▪ Measurable results (KPIs, benchmarking)
▪ Management commitment
▪ Enhancement of overall organization performance
▪ Systematic risk identification
1 ON Semiconductor
Security Program Maturity Levels
1. Corporate security is reactive, uncontrolled, unpredictable & inconsistent.
2. Corporate security is characterized for projects and is often reactive and of variable consistency.
3. Corporate security is tailored for the organization and is proactive.
4. Corporate security is managed, measured and proactive. Risk-based decision-making is practiced across all corporate security activities. Client satisfaction is measured as a KPI.
5. Corporate security is branded and functions on a corporate-wide basis as a valued partner and recognized business enabler.
Initial – Site-by-site difference approach. No success criteria set. Ad-hoc reactive approach.
Defined – Corporate and security best practices gathered and translated into physical security corporate goals and requirements.
Repeatable – Set requirements formally documented and standardized. Site level gap analysis and action plan.
Managed and Measured – Formal PSMS which is measured and controlled. Report and auditing system established.
Optimized – Corporate-wide physical security management system and aware workforce. Process improvement and performance measurement focused.
1 ON Semiconductor
Do you know where you are?
Do you know where you want to go?
Can you see the path?
How will you know when you get there?
@PhillipBanksPE
pbanks@thebanksgroup.ca
▪ An inner-city pharmaceutical production facility will be closing in 3 years and the operations of the facility will be moving to a new off-shore location. Operations will fully continue at the current facility until closing day, and threats and risks to the operation’s success will likely not change.
▪ The existing security technology is nearing the end of its useful life and maintenance costs are increasing. Some concerns have been expressed with respect to the security of employees in an area of the city which appears to be declining.
▪ List three primary actions that you would consider critical with respect to the onward security of the operation and safety of the employees.
▪ A security professional colleague has approached you at the local ASIS chapter meeting claiming they understand you have successfully implemented an incident reporting, information and automated communications management system in your company.
▪ He asks if you would share your experiences of how you would recommend he proceed in adopting a CAD, incident reporting system for his company.
▪ Base your recommendations on “Best Practices”, lessons learned and how they really should proceed.
▪ Provide examples of effective measures for SMART training.
▪ What are the primary elements you would select to measure the level of effectiveness of security governance in your organization or company?

The Security Practitioner of the Future