This is Think Tech Hawaii, Community Matters here. Hey, Aloha, and welcome to the Think Tech Hawaii studio. This is Andrew, the security guy, for another episode of Security Matters Hawaii. And today we're going to be talking about enterprise security risk management with one of North America's foremost experts, Jeff Slotnick. He's not in the studio, but he is with us remotely. And I'll have him up for you shortly. Jeff, welcome, and thanks for being on the program. I appreciate you taking some time out to share some of your wisdom with us today.

I really appreciate it, Andrew. Thanks for the opportunity from the Wilds of Western Washington.

Ah, the Wilds of Western. So in the Wilds of Western Washington, and I know you kind of work across the country, probably the globe these days, I like to get a feel for my guests, especially those with the amount of experience you've had. I know you're prior service. Thank you for your service, sir. What's keeping you up these days from a security perspective?

Well, you know, it really is very simple. I mean, there's a lot of things going on in the world of security, especially, you know, we start looking at things like school shootings, workplace violence, some of the cyber stuff that's going on that you're very familiar with. But you know, when it gets down to the end of the day, when you start distilling all this stuff down to its core root analysis, what you find is a lot of it is related to physical security and it's preventable. You know, having, you know, I don't know how many times I've been on air in the last several weeks and in writing saying it basically relies, you know, it boils down to plans, policies, procedures, equipment and training, you know. And then, you know, of course, the other three legs of the stool: detection, delay and response. You know, so many of our organizations don't have the plans and policies.
If they do have the plans and policies, then they're not training them and they're not training their personnel on the equipment. And so many of the organizations I go into have beautiful integrated physical security systems and they're using them to, you know, one-twentieth of their capacity due to a lack of training. So what keeps me up at night is the fact that a lot of these things that have occurred recently are preventable. And we have the tools in place or the people in place. We've got part of the solution there and we're not using the rest of it or we don't have enough of the solution set there.

Which probably brings us to enterprise security risk management. I know this is a holistic concept that you and a few other practitioners in North America really take this type of perspective to an organization. So walk me, walk us through, walk our audience a little bit through sort of where ESRM came from and then what does it look like today in its modern interpretation? You know, because I don't think it lives just in the enterprise, right? I mean, small and medium businesses can take advantage of these same fundamental practices.

Right. Well, let's talk about that for a brief minute here. You know, when we're talking about ESRM, we're talking about creating an iterative process to manage security risks across all aspects of the enterprise. So what does that mean? That means we have to identify risk. We have to be people that align the strategy of the corporation with the strategy of the security department. We have to have a good understanding of business, and ESRM is really an ASIS International initiative to bring business process to security management and elevate security management in the C-suite and in the eyes of the rest of the corporate professionals.

Yeah, so when we talk about the enterprise, you're not limited, because I hear physical security management, right?
But when we talk about the enterprise, you're also looking at the operational capacities. Maybe if it's a manufacturing facility, like what if the air conditioning goes out, for example? Can they function without air, and then could someone attack the air conditioning to shut that building down? Or how deep do you delve into the business processes, like out on the floor of a facility?

Well, let's explore that for a minute. When we talk about business process, what you'll find when you start looking at the security function, you'll find that it has impact on investigations, human resources, operations, environmental health and safety; all cross into the realm of security. Now, sometimes security may have a lead role and in other times, security may have a supporting role. But in all cases, we have a role. And a lot of times that role is not appreciated by other folks within the enterprise and it's our job to educate them. And ESRM as a concept is one way of creating that appreciation and educating our peers in the business stream towards what value the security program brings to the table and how we can support the overall strategy of the business, which at the end of the day is making a profit and staying in business.

Yeah, very true. How long ago do you think we finally got a seat at the table? Are we still underrepresented in a lot of the organizations that you see?

Well, you know, we've made great progress over the last 10 years. The advent of the Chief Security Officer, the CSO, and creating the CSO standard, which is in its second iteration now and coming up for review again, and defining the role of the Chief Security Officer within the corporate structure has gone a long way in creating that initial presence. But now we're not looking at just the Chief Security Officer. What we're looking at now is the entire security program and how the security program adds value to the enterprise and helps the enterprise to be successful.
Yeah, it seems to me like in the past we've always had, or maybe even today somewhat, CSO was just a hat that someone got to put on briefly or for some number of hours a week or perhaps only when they went to brief the board of directors or the C-suite. Is that your experience or are you starting to see that as more of a full-time role? And if so, is that also occurring outside of the enterprise?

Well, I do see that a lot. Almost every business I work with today has a Chief Security Officer and somebody in that position. Now, the title may change. It may be Public Safety Director or it may be Senior Director of Security or Director of Enterprise Security, but the duties and functions all relate back to a CSO.

And so even, do you think there's benefit for the smaller businesses who have to have someone in that role in a limited capacity, maybe because they're wearing other hats inside the organization? Can they learn from the practices of a CSO and hopefully help educate their small businesses in their value?

Absolutely, and let's talk about that for a minute. I've got 40 or 50 clients that engage us to provide those services for their organizations. So in a small to medium business, or some of your larger medium businesses or smaller large businesses, they may not have an FTE security person. So that is a service that they can outsource, which I think is a great niche for us because we work very closely with a lot of companies to provide that role and provide that advice that a CSO would provide if they had one full time.

That's awesome. I didn't know that you did that. I'm learning something here as well while we're talking. So that's awesome. So how do you engage a company then? They call you and say, we're a mess, we need help. What's that initial engagement, as to be a for-hire or a contracted CSO? Wow, you don't know anything about them. How do you start?
Well, generally it starts, unfortunately, with something adverse happening and they reach out trying to get assistance. And then of course, as we're offering that assistance, we're helping them through their immediate strategic issue, then we can start looking at other things. And generally that starts with a good baseline risk, threat and vulnerability assessment. Of course, this applies to any business of any size; they should be looking at their risk and what risks can impact the organization and what the consequences of those risks are.

Yeah, it's interesting. I want to talk about your particular methodology in our second half. But I feel your pain on that reactive thing where we get a lot of calls from companies where something occurred, and of course we all in our industry know, wish that they had planned for it and maybe prevented it in the first place. But is that getting better? Or do you think, is it, I guess, the appetite for risk in the small business? It's typically an owner and he knows what he's doing with his business and he just doesn't take time to consider stuff really getting sideways on him, and then when it does, you know, he reaches out. Is that still the norm or are you seeing people more prepared, or just getting caught off guard by something that they really didn't prepare for?

You know, I think the Department of Homeland Security, organizations like ASIS International and others have done a lot. I mean, we've got the, now we've got the whole Security Cares program that has been taking off at GSX for the last couple of years, where there's free education for small to medium-sized businesses and schools and things like that. So I think the resources are there. What I do feel is that a lot of businesses don't take the time to avail themselves of those resources. I mean, even in cybersecurity, look at NIST.
NIST came out last year with the NIST Small Business Standard, you know, and you look at that and that's a great document and really has application in a lot of industries, you know, beyond small business. But how many small businesses really have looked at cyber hygiene and understand the impacts of that on their enterprise? You know, sometimes it takes an event to educate people. What we try to do is, you know, through presentations like this and other public forums, we try real hard to educate people to those risks and get them to consider them before they become an issue and put the plans, policies, procedures and training in place so that if it does happen, even if it's a small business, they have a path to walk down.

Yeah, I kind of wonder if... Do you have any sense of... Well, I'll say this, I see a lot of companies that make plans but they really don't have the policies supporting the plan first. Do you see that very often?

Well, what I see a lot is what I call the dusty blue binder. You know, a company will invest either in-house or contract out-of-house to create a specific plan for their organization. They take it, they write it, they review it, they think, oh man, this is great stuff, and then they put it on the shelf and they never touch it again until the incident happens, and then they pull the dusty binder off the shelf and it's never been trained, it's never been practiced. The people that have roles and positions of responsibility in the plan have moved on, promoted out, retired, you know, any number of things, so that essentially when the incident occurs, even though they've got a plan, the plan is ineffective because it has not been trained, practiced or staffed properly.

There's been a lot of those binders and they're all dated like 2004. I tell you what, Jeff, let's take a short break and when we come back I want to talk about Setracon methodology and the stuff that you've developed over there specifically.
We're going to pay some bills and we'll be back in one minute with Jeff Slotnick.

This is Think Tech Hawaii, raising public awareness. Truth is I've been impressed. I haven't been asked such intelligent questions in a long time, thanks. If you're not in control of how you see yourself, then who is? Live above the influence. Hey, baby, that's you. I want to know. Will you watch my show? I hope you do. It's on Tuesdays at one o'clock and it's Out of the Comfort Zone and I'll be your host, R.E.B. Kelly. See you there.

Hey, Aloha. Welcome back to the Think Tech Hawaii Studios and this episode of Security Matters Hawaii. Jeff Slotnick is educating us on enterprise security risk management today from the Northern U.S., up there in Washington. Jeff, thanks, and welcome back, sir. I wanted to get into Setracon. You've built an amazing tool there and I know you've kind of launched it. You've been working on it for a while, but sort of relaunched Setracon, and it's really exciting, I think, for a lot of business owners to understand that they can come and get some value out of a tool like this that you've built, you know, I'm not going to give away your age, but the years of experience that you've packed into this. So tell us about the, as much as you want to get into, the history of Setracon, where it came from, and then what you're doing with it today; kind of walk us through the tool.

Well, interestingly enough, Setracon is a conjunction of security training and consulting and a lot of people aren't aware of that. But, you know, I know we're limited on time and a lot about our businesses is publicly available, but we have a passion for security.
You know, my background, I come out of an army engineering background, which was really amazing, and kind of moved into physical security with a couple of contracts on active duty where we were supervising the installation of physical security systems and more or less being in the right place at the right time, which was a lot of anti-terrorism, or the beginning of anti-terrorism, and septet in army physical security in the 1980s. But, you know, I came into the industry and I came into the industry, my education is in business management. So I, you know, I started dealing with business management and engineering principles and project management and that's what I came into our industry with. So it gave me a very, very unique perspective on the process of security. You know, how we go about doing the things that we do. And on the other side of this, I started growing up with technology. My first technology, my first home computer was a Commodore 64. Interestingly enough, I was at a meeting last week and one of the young men sitting next to me asked me what a five-and-a-half inch floppy disk was and I had to detail to him what a five-and-a-half inch floppy disk was. Talk about feeling old. But anyway, you know, so I've grown up with technology. I've grown up through DOS and Windows and Microsoft and, you know, and computers that are just amazingly fast, and look at the technology we have today and the platform that we're speaking on. And in 2003, I started looking at how we could apply this to a very, very old problem. I mean, you look at risk assessment and you look at a lot of the professionals that are doing risk assessment today and it really hasn't changed much in the last 20 years. You know, it's a hard hat, a vest, a clipboard, a stubby pencil, and a camera and a light meter, you know, and going out and taking notes, and then you come back in the office and you write a report.
Now the report, instead of being handwritten, may now be done on a word processor, maybe utilizing Microsoft Word and PowerPoint for your presentation, and in some cases people have inserted Excel. But the data that's collected from a risk assessment is contained within that report. So you'll see a report. It's 250 pages long and the information is not readily digestible. So you turn around and you give it to the C-suite or you give it to another security professional. What do they do? They open up the report. They read the page-and-a-half executive summary at the front and then they flip to the back to see what it's going to cost them. They look at all the mitigations that have been recommended and what those mitigations are. All that good data that's in the middle is not accounted for. All that time that was invested by the risk assessor in the process.

You've done a few of these, huh?

I've been doing risk assessments, literally hundreds of them over the years.

Tell our audience a little bit about that. I don't know if they understand the typical, the military really figured this out long ago, about that delay time it takes to stop that person from getting to the asset that you're trying to prevent them from. Give us a minute or two on that as quick as you can.

Well, all physical security systems are measured by three definable terms, which are detection, delay, and response. Ideally, we want a system that detects our adversary as early as possible and delays them along the course of their path to their objective long enough for a response force to get in there and neutralize them and stop them from proceeding and breaching the facility or stealing a document or creating a vulnerability. So that's the core of physical security. Part of a risk assessment evaluates the physical security systems and evaluates them based on those three things. So we look at the threat. Who's the adversary?
And now the adversary can be a criminal insider, active assailant, criminal insider theft, a terrorist, but it doesn't have to be just that because we approach things from an all-hazards approach. So you may have stored chemicals on property. And those stored chemicals, if you have a 5,000 gallon leak of a hazardous chemical, it really doesn't make a difference how it was precipitated. At the end of the day, you've got a 5,000 gallon leak of chemicals. So whether that was created by a person who was intoxicated on a forklift and came into work and ran the forks into a tank, or somebody attempted to steal the material, or somebody breached your SCADA system and created the spill, at the end of the day, you've got a 5,000 gallon spill. So we approach risk assessment from an all-hazards construct. We're also aligned with standards. So we align with the ANSI/ASIS/RIMS RA.1-2015, which is the risk assessment standard. And that was done in conjunction with the Risk Management Society and of course the American National Standards Institute. But that standard also incorporates a lot of principles from ISO 31000 risk management and ISO 28000 security management. So we wrapped that all up and we looked at this standard and we said, you know, we've got all this capability, and what we did is we reduced risk assessment to about 22 data points. Now, our collection process is the same as any assessor in the field. We go out in the field, we do exactly what any assessor would do. What changes is how we're capturing that information and portraying it. The final report in our system from the data that's collected is portrayed in what we call a CSO's console. That CSO console aggregates the information that we've collected based on the parameters set by the CSO. So if they want to see a report for a facility, for a campus, for an enterprise, they can specify that. And it pulls down all the information, the top threats, the mitigation strategy, the risk prevention strategy.
All that is pulled down into the report as well as the top 15 or 20 vulnerabilities for that grouping and the recommended mitigations for those. So that and a narrative and all that information is at a CSO's fingertips. Now, the other thing that we do is we're portraying a lot of information utilizing Microsoft BI. So we started using Microsoft Business Intelligence tools to portray about six different aspects of an assessment. One is overall risk, computed from risk, threat and vulnerability and consequence. The other is crime and crime statistics. The third is threat. So there's a BI chart that portrays threat, as well as project management, budgeting, and a maturity model that we created that evaluates ESRM, security management, physical security, business continuity, cybersecurity from a physical security perspective. You know, what I call physical security of the logical system. And then contractual relationships, relationships with integrators, guard forces and whatnot. And we have developed KPIs for each of those areas and we can evaluate that company based on those KPIs. Not only are we evaluating the company, but in the ESRM phase of that, we're asking senior leadership to evaluate their security department as well. So it helps the security department to walk and talk security through the enterprise and gauges their maturity in that level and of course any barriers to progress or things that they're doing really well. Because it's not about finding fault, it's a very business-oriented process. So I'm big into W. Edwards Deming, and now we call it Lean Six Sigma, but it's all to me essentially the same. But what we're trying to do is identify issues so that we can apply a risk treatment to that issue to prevent that issue from coming and happening, or at a minimum minimize its impact on the enterprise so that it's a non-issue. So that's the whole point.

I've got to think that the maturation tool as well.
So that's a real interesting thing that a lot of people don't, if they haven't been around any kind of CMMI processes, they may not understand it. You know, having at a dashboard glance the ability to know that, wow, my guard force and their training is mature, but maybe my cyber construct is very poor, or maybe my physical is only in the middle and I really, you know, physical threats have been going up in my environment, so that's where I can maybe expect to expend more resources in the coming years, or it helps you plan a little bit. I love the maturity model. We looked at that for some of PSA Security Network's cyber stuff as well. It's a really good way for people to get, at a glance, you know, an understanding of where they're at.

Yep, and then, of course, one of the other things that we're doing is when we identify a mitigation, when we list that mitigation, it's populating a Microsoft Project table. So this is a sticky process. It's not just a one and done. So what you do is, as you, we export these mitigations to a project management table or Microsoft Project site, as they accomplish the mitigations and they're scheduled and resourced and whatnot, once it's accomplished, we can go back in and change the risk rating and show the new risk rating based on the mitigation, which makes it a non-problem. So in essence, once you do your baseline risk assessment, you're in a state of continuous improvement until your next assessment cycle. And when you get to your next assessment cycle, you don't have to address things that you've mitigated. All you have to do is look at what hasn't been mitigated yet and any new issues that you might encounter. The good news is, I'm sorry, go ahead.

That's amazing, Jeff. We got about a minute left, so if you could give some advice out to our audience from the ESRM, from that consulting hat that you wear, from an industry perspective, what would that advice be?

Well, you know, there's two things.
The first thing is you have to understand what risks impact your enterprise. You know, we all learn in university and senior levels in high school about the problem-solving process. You know, the first step in solving a problem is identifying the problem. Risk, threat, and vulnerability assessment in our industry is the first step of the problem-solving process. It helps us to identify the problem. So, you know, don't shortcut it, invest the money in it, do it good, do it well, so that you understand the risks that impact your enterprise, and then you can align those risks and their impact on the strategy of the organization that you're working with or working for, and help them to stay on track and understand that those risks to the corporate strategy represent significant impacts. The other thing is, take the time to review your preparedness planning. Have a plan, train the plan, practice the plan so that when the event happens, you're not having an emergency, you're doing your job, and you're responding to the event of the day.

There you go, Hawaii. From the master of ESRM. Jeff, thank you so much for sharing your wisdom and your advice with us today. I hope you guys take Jeff up on some of that. I hope you're looking at your organizations. I hope you're doing some risk planning. I hope you're looking at all of these things. It's a lot of work. Don't wait until something bad happens to get started. Jeff, thank you so much. We'll be back next week. I forget who my guest is, but I appreciate all you guys tuning in today. And if you are watching with us live, we'll be on YouTube in a few hours with this episode, so catch the replay. Because security matters. Thanks so much. Aloha.