Risk Management: Experts discuss building security from the ground up
By Ken Showers, Managing Editor
Updated 1:20 PM CDT, Wed September 11, 2024
YARMOUTH, Maine — Anywhere there is value generated, there will be risk, and so it follows that risk management is a crucial tool for any security company, especially when it comes to cybersecurity, experts say.
“If you’re creating value and making money, there’s inherent risk,” said Kasia Hanson, global senior director, security ecosystems development and partnerships, at Intel, one of three panelists during a recent webcast titled “Risk Management: A Critical Cyber Tool.” “So, for me, risk management is if you’re creating value, there’s risk, and you need to manage that risk effectively, and not avoid it or defer that risk.”
Other panelists were John Nemerofsky, the COO of SAGE Integration, and Pierre Bourgeix, CEO/Founder of ESI Convergent. The webcast was moderated by Cory Harris, editor of Security Systems News.
Among the key topics in the webcast were why it’s important to develop a cybersecurity risk management plan and how risk management pinpoints an organization’s most critical threats. For John Nemerofsky, that requires a categorical approach.
“To control this, we need to identify or assess and prioritize the risks in order to minimize them,” he said. “(We need) to monitor and control the impact they’re going to have on our clients or our own organization. I think, secondly, any framework is built on principles and implementation and layered security roles.”
Bourgeix remembered a time when the approach to risk management for physical security was not so cut and dried. Now companies find themselves in a similar spot, but with cybersecurity.
“Risk management is an interesting topic,” he said. “Because if you go back far enough risk assessments were very different in the cyber space and IT space, and when we looked at understanding the whole process, it started with governance. We had to create policies and procedures and develop what that meant – really doing a full understanding of what network architecture looked like, and how to build security from the ground up.”
As a result, the more modern approach to risk management for cybersecurity is, more or less, the endeavor of an entire enterprise, Bourgeix said.
“Today it’s a little bit different,” he said. “Well, it’s a lot different. The reality is that it is a combination of people, processes and technology on a universal scale. It means that security awareness training has to be at the highest levels. It means your toolsets have to be clearly aligned with how people manage those toolsets. I think we’ve automated a great deal, and automation is important, but at the end of the day, the basic 101’s are critical.”
You can find the full webcast available online at www.securitysystemsnews.com/webcasts.