Agcaoili characterized the transition to this overall risk management approach as "iterative" and said that industry frameworks from organizations such as the National Institute of Standards and Technology (NIST), many of which have been around for a number of years, are in place to help security managers with the process.
Additionally, Agcaoili said that CISOs share some "DNA" with physical security leaders when it comes to cyber security, which has become a paramount issue for many organizations.
"I think cyber is front and center today in the hearts and minds of our government, our government leaders and many CEOs," he said. "My company is part of the critical infrastructure for the U.S., so cyber is a very important area for us and I’m responsible for that."
Though the transition to the risk-based security model has been demanding on his time and prioritization, Sherry said that it has been an overall positive experience for him.
"As a security manager I have brought a different skillset and experience to the table, identifying both risks and their solutions in a way that may not have been seen in the former structure," he said. "I think that it has also enabled the mission of security to take some additional spotlight, so that has been an unexpected fringe benefit to taking on more responsibility. I also can begin to see solutions that are more holistic in nature, and support the establishment of processes that can satisfy different risk and compliance concerns in several different areas."
While one of the common complaints among both information and physical security managers is getting senior management to approve spending on security projects, Agcaoili said that this has not been an issue at his company.
"We have a consistent plan and we communicate that to our leaders and we base it off risk. Our leaders have a lot of information to know what our high priority areas are for us," he explained. "We have to define what we do, we have to measure what we do, we have to continue to improve what we do and then enable our leadership to decide how much they need. Providing that all in the context of risk in a risk-based framework, I think it simplifies communicating with leadership on key areas that we have to invest in."
Sherry advises those looking to get approval for security funding from upper management to use "patience, time, persuasion and reason" to get them to understand why changes or upgrades in security operations are necessary.
"This is not an area to use the former triad of fear, uncertainty and doubt. Using sound business reasoning, establishing and achieving small benchmarks, and always putting the organization first in your thinking is paramount," Sherry said. "Also, some of the solutions for risk management, be it software or consulting, can be costly. Establishing a roadmap with realistic and responsible budget requests can indicate to the senior board sound financial thinking, and a program that will grow and mature. Finally, while I do not wish a major event on anyone, if the enterprise does have a negative event, take advantage of the focus and seek the finances to ensure it doesn’t happen again."
Having to take on more risk management responsibilities has also helped Sherry when it comes to the convergence of physical and information security.
"When speaking solely as a security executive there may be some hesitation from physical security to form the correct partnership. However, when addressing their concerns, areas of improvement or strategic projects in the light of lowering the risk of the enterprise, there is more openness to talk," he explained. "It has also helped to form the bridge of cooperation between physical and logical security. In the past, security may have been seen as a group that was intruding into their mission, or even worse, saying no to their ideas. But when the security executive proves to them that he or she can securely enable their processes and lower the risk to the enterprise, they are more willing to participate."
One of the challenges of this transition for security managers, however, is the scope, according to Sherry.