In the face of changing business needs and threat environments, companies, organizations and individuals will continue to encounter increasingly diverse and sophisticated risks from an equally broad range of adversaries. These adversaries are equipped as never before supported by education, experience, publicly available critical information and the technology to bring their efforts to realization. Tomorrow’s security practitioner will need an array of integrated tools to effectively prepare for and counter tomorrow’s adversary. These “tools” will always include some traditional tried and proven practices; however, the need for practitioners to think critically, make risk-based decisions, implement leading practice solutions and define security optimization is required. Presentation by: Dennis Shepp, MBA, CPP, CFE, Consultant, Security Expert Phillip Banks, P. Eng, CPP. Director, The Banks Group

3. I am a Security Learning & Development Professional
@dennisshepp
dennisshepp@shaw.ca

4. & ESRM

5. ▪ ESRM = Enterprise Security Risk Management
▪ “A management process that creates a consistent and
holistic approach to managing threats to any
organization through an ongoing process of assessing all
security-related risks across the entire enterprise.”
▪ “ESRM process ensures that any new risks that
treated in the same way.”
▪ “A process of continuous improvement.”
ASIS International CSO Center (2014), Accessed March 2017:
https://cso.asisonline.org/esrm/Pages/default.aspx

6. LEADERSHIP
Learning & Development
Business Enabler
Performance Measurement
Return on Inve$tment
QUALITY IMPROVEMENT

7. Is your organization “mature” enough to adopt ESRM?

8. Sally Godfrey (2008) “What is CMMI?” NASA presentation. Accessed: Feb 21, 2017.

9. Cindy Blake, HP’s Enterprise
Security Products Group,
(2013), “Key Security
Investments for 2013… and
Beyond”, Accessed March 15,
2017:
https://community.hpe.com/t5/
Protect-Your-Assets/Key-
Security-Investments-for-
2013-and-beyond/ba-
p/5929243#.WMmJbhLysfw

10. ▪ How to Conduct a Maturity Assessment the Six Sigma Way:
▪ ASSESS – ANALYZE – ADDRESS
▪ ASSESSMENT reviews 12 Lean Six Sigma parameters.
▪ Process provides a checklist.
▪ Key element: LEADERSHIP!
Afsar Choudhary, “Are You Ready? How to Conduct a Maturity Assessment?”, Accessed March 15, 2017:
https://www.isixsigma.com/new-to-six-sigma/getting-started/are-you-ready-how-conduct-maturity-
assessment/

11. Afsar Choudhary, “Are You Ready? How to Conduct a Maturity Assessment?”, Accessed March 15, 2017:
https://www.isixsigma.com/new-to-six-sigma/getting-started/are-you-ready-how-conduct-maturity-
assessment/
Lean Six Sigma Parameters Compared to Organizational Maturity Index

13. Adapted from Lynn Mattice, CPP & Jerry Brennan, CPP, 2015, “Chief Executive
Magazine”, survey results from CEOs “Top 10 Skills Needed for Leadership” (modified).

15. of L&D pros say that talent is the #1 priority
The main objectives of organization’s L&D strategy?
1. Develop managers & leaders.
2. Help employees develop technical skills.
3. Train all employees globally in one cohesive way.
4. Support career development for employees.
“2017 Workplace Learning Report”, (2017) LinkedIn Learning Solutions, Survey of >500
organizations in USA & Canada. Published and accessed online:
https://learning.linkedin.com/elearning-solutions-guides/2017-workplace-learning-report

16. Ass’n for Talent Development (ATD) formerly ASTD, “2016 State of the Industry Report”,
https://www.td.org/Publications/Blogs/ATD-Blog/2016/12/ATD-Releases-2016-State-
of-the-Industry-Report

17. “
Does your training (learning &
development) program impact the
business?

18. Ass’n for Talent Development (ATD) formerly ASTD, “2016 State of the Industry Report”,
https://www.td.org/Publications/Blogs/ATD-Blog/2016/12/ATD-Releases-2016-State-
of-the-Industry-Report

19. 1. Reaction
What did learners feel about the experience?
How was the trainer/instructor?
2. Learning
Assessments & testing – did the learners
actually learn any skills/knowledge?
3. Behavior
Has performance improved at work because of the L&D?
4. Results (ROI)
What is the business impact of the L&D?

20. Adapted Phillips Model (1997) – Training ROI
Competency
Gap Analysis
What’s missing?
Develop Training
Objectives
Learning outcomes must
meet missing
competencies.
Develop
Assessment Plan
•Develop assessments
(testing).
•Based on learning
outcomes.
•Knowledge, skills, & on-
the-job testing.
Collect Level 1 & 2 Data
•Reaction and
satisfaction.
•Learning assessment &
measure learning
outcomes.
Collect Level 3 & 4
Data
•Application.
•Business Impact.
Data Analysis
Convert data to
values that impact
the business.
Level 5: Calculate ROI
•Identify tangible
costs.
•Identify intangible
costs.
Report
Generate impact
study & report.
Competency Assessment Stage Data Collection Stage
Data Collection Stage Data Analysis Stage
Reporting Stage

22. • ASIS International CSO Center (2014), Accessed March 2017:
https://cso.asisonline.org/esrm/Pages/default.aspx
• “Protective Security Capability Maturity Model”, Gov’t of NZ – Protective Security, Accessed Feb 21,
2017: https://protectivesecurity.govt.nz/assets/Uploads/Protective-Security-Capability-Maturity-
Model.pdf
• “Metrics and the Security Mindset”, SM Online, December 2016,
https://sm.asisonline.org/pages/metrics-and-the-maturity-mindset.aspx
• Cindy Blake, HP’s Enterprise Security Products Group, (2013), “Key Security Investments for 2013…
and Beyond”, Accessed March 15, 2017: https://community.hpe.com/t5/Protect-Your-Assets/Key-
Security-Investments-for-2013-and-beyond/ba-p/5929243#.WMmJbhLysfw
• Afsar Choudhary, “Are You Ready? How to Conduct a Maturity Assessment?”, Accessed March 15,
2017: https://www.isixsigma.com/new-to-six-sigma/getting-started/are-you-ready-how-conduct-
maturity-assessment/
• “2017 Workplace Learning Report”, (2017) LinkedIn Learning Solutions, Survey of >500 organizations
in USA & Canada. Published and accessed online: https://learning.linkedin.com/elearning-solutions-
guides/2017-workplace-learning-report
• “Kirkpatrick’s Four-Level Training Evaluation Model”, Accessed March 15, 2017:
https://www.mindtools.com/pages/article/kirkpatrick.htm

23. @dennisshepp
dennisshepp@shaw.ca

24. I am a Director at The Banks Group Inc.
@PhillipBanksPE
pbanks@thebanksgroup.ca

25. 2. Critical Thinking
3. Risk-Based Decision Making
4. Leading-Practice Implementation
5. Security Optimization
6. Maturity Modeling
1. SMART Training

26. • Successful &
measurable
results.
• Cost effective,
highest
achievable
performance.
• Formalized
consideration
of risk
elements.
• Objective
analysis of
FACTS in all
situations.
Critical
Thinking
Risk-Based
Decisions
Leading
Practices
Security
Optimization

27. Observations
Facts
Inferences
Assumptions
Opinions
Arguments
Critical
Analysis

28. “A process that organizes
information about the
possibility for one or more
unwanted outcomes into a
broad, orderly structure that
helps decision-makers
make more informed
management choices.1”
1Introduction to Risk-based Decision Making – US Coast
Guard

29. Risk Evaluation – Issue or opportunity?
Risk Response – Treat, tolerate, transfer,
terminate?
Evaluate Response Options – Readily or
reasonably achievable? Constrain decision bias.
Consider – Risk appetite, cost benefit,
stakeholders, compliance Issues, reputation.
Decision Making – Yes, co or somewhere in-
between, now what to do?

30. “Nothing is less productive than to make
more efficient what should not be done at
all.”
Peter Drucker

31. Best versus
Leading Practice
• Best Practice — is a technique or
methodology that, through experience and
research, has proven to reliably lead to a
desired result.
• Leading Practice - term used in place of “best
practice” where it is inordinately difficult to
identify or implement the best practice.

32. Considerations:
• “As-is” environment – observable elements?
• What is the problem or issue that needs
remediation?
• Basis for leading practice?
• Implementable at effective cost?
• Measurable outcome?
• “To-be” environment what will it look like?
• Based on what?
“As-Is”
Leading
Practice
“To-Be”
Leading Practice
Elements

33. 1 http://www.thehackettgroup.com/best-practices/

34. Security Optimization

35. People – Risk aware and organizationally
resilient.
Process – Understanding business processes
and matching supporting security initiatives
and programs.
Technology – Flexible, integratable, scalable
and measurable security solutions
Enterprise Security Risk Management –
Security strategies which with a focus on
forward thinking, vulnerability reduction,
business enablement and sustainable control
measures.

36. Risk Management – focus on
protecting an organization’s tangible
and intangible assets.
Enterprise Risk Management – broader
focus than protection of physical and
financial assets but also includes
enhancement of the business strategy.

37. Operational
Risk
Financial
Risk
Compliance
Risk
Strategic
Risk
Reputational
Risk

39. ▪ Consistency (documented and repeatable)
▪ Continual improvement (internal audit)
▪ Measurable results (KPIs, benchmarking)
▪ Management commitment
▪ Enhancement of organization (overall)
performance enhancement
▪ Systematical risk identification
1ON Semiconductor

40. Security Program Maturity Levels
Corporate security is reactive, uncontrolled, unpredictable &
inconsistent.
Corporate security is characterized for projects and is
often reactive and of variable consistency.
Corporate security is tailored for the
organization and is proactive.
Corporate security is managed, measured and
proactive. Risk-based decision-making is practiced
across all corporate security activities. Client
satisfaction is measured as a KPI.
Corporate security is branded and functions on a corporate-wide
basis as a valued partner and recognized business enabler.

41. Initial - Site-by-site difference approach. No success criteria
set. Ad-hoc reactive approach.
Defined - Corporate and security best practices gathered
and translated into physical security corporate goals and
requirements.
Repeatable – Set requirements formally documented and
standardized. Site level gap analysis and action plan.
Managed and Measured – Formal PSMS which is measured
and controlled. Report and auditing system established.
Optimized – Corporate-wide physical security management
system and aware workforce. Process improvement and
performance measurement focused.
1ON Semiconductor

43. Do you know where you are?
Do you know where you want to go?
Can you see the path?
How will you know when you get
there?

44. @PhillipBanksPE
pbanks@thebanksgroup.ca

45. ▪ An inner-city pharmaceutical production facility will be closing in 3 years
and the operations of the facility will be moving to a new off-shore
location. Operations will fully continue at the current facility until closing
day and threats and risks to the operation’s success will likely not change.
▪ The existing security technology is nearing the end of its useful life and
maintenance costs are increasing. Some concerns have been expressed
with respect to the security of employees in an area of the city which
appears to be declining.
▪ List three primary actions that you would consider critical with respect to
the onward security of the operation and safety of the employees.

46. ▪ A security professional colleague has approached you at the local ASIS
chapter meeting claiming they understand you have successfully
implemented an incident reporting, information and automated
communications management system in your company.
▪ He asks if you would share your experiences of how you would
recommend he proceed in adopting a CAD, incident reporting system
for his company.
▪ Base your recommendations on “Best Practices”, lessons learned and
how they really should proceed.
▪ Provide examples of effective measures for SMART training.

47. ▪ What are the primary elements you would select
to measure the level of effectiveness of security
governance in your organization or company?