Intro to ESRM

We talk about Enterprise Security Risk Management (ESRM) a lot during our podcasts with our guests, but we haven’t taken time to introduce our audience to the concepts and practice of ESRM. It’s time we changed that!

We’re going to post about the concept of a risk-based, business-focused security program and how it can benefit organizations. We’ll explore some of the successes we’ve had over the years – and some of the mistakes we made along the way.

We’ll reference real-world examples and highlight some of the great work that’s going on in the security profession by some really talented individuals. And we’ll try to keep it honest. We all need more of that as we look back over this past little while and plan for what may lie ahead.

We hope you join us and let us know what you think…so stay tuned, folks. There’s lots more to come!

Bring on the New Year

2021 really can’t be worse than 2020, can it?

I’m not saying this to jinx us, honest! I’ve just spent some time this past little while looking back on 2020 and trying to assess how bad the dumpster fire really was. Globally we are still dealing with COVID-19 and have seen the worldwide death toll surpass 1.8 million. Vaccines are being distributed, albeit not as well as planned. And globally, businesses continue to struggle to survive in this “new normal”.

We also watched in horror as the insurrection of the US Capitol unfolded in real time. Right, that’s now…in 2021…not 2020…sorry.

We’re seeing risk profiles and threats change dramatically as well. Our new acronym – WFH – is both a blessing and a curse. More workers continue to clock in from home, but the threats to data now target these same individuals. Setting up our home users for success is seemingly easy, but we’re still seeing them being targeted in phishing campaigns now using misinformation or purported facts on a variety of topics: vaccines, supply chains, elections, travel, and fundraising.

We’re going to lean into some of these topics in our monthly shows, and talk more about these and other issues. Don’t worry, I know some of the bigger cyber news is top of mind so we’re going to check into that as well. I can’t offer any technical comments – that’s where my partner comes in! But I can work through some of the risks we see and how to approach them with your management and leaders. That’s what we’re really here to do – help you find that voice to present risks and inform your leaders!

Why We’re Here

I wanted to add some back story to Caffeinated Risk. We’ve been part of the security profession (both physical and logical) for the past few decades, worked together for some of that time and had a chance to learn about each other and our strengths. Over the past couple of years we’ve gotten together for coffee or lunch and, as two grumpy old security professionals do, started talking about our careers in security.

Both of us realized we have a similar goal – to give back to the profession that’s been so good to us. We thought a book would be a great way to help others…but that’s a lot of work! And we have real jobs we spend time at during the day. And I have a couple of dogs that are pretty needy…

So Doug came up with the idea of producing a monthly podcast for security professionals – by security professionals. We’d focus on the principles of Enterprise Security Risk Management (ESRM) and delve into technical and managerial topics regarding information security risk. The podcasts would be 20 to 30 minutes long and we’d interview other security risk professionals to learn how they worked through a project, a program, or their careers using a risk-based approach to security.

It’s an opportunity for us both to talk about what we’re passionate about, how we struggled through the early parts of our careers and the lessons we picked up along the way. We’re not representing any company – the views posted here at Caffeinated Risk are solely our own personal narratives. We’re relying on all the missteps and successes we experienced to help others. We’ve got lots of stories so I’m not worried about finding material.

If you’ve made it this far, let me leave you with this final comment. Both Doug and I are doing something we’ve always wanted to do – give back to a profession that is in transition. We’ve seen how the security profession has grown from being the “department of no”, to becoming trusted advisors to organization executives.

Caffeinated Risk is our opportunity to talk about that journey.

And to let folks know how we learned that, in security, we don’t sign shit. Don’t worry, we’ll talk about that too.