Jeff Spivey CPP

Jeff Spivey is President of Security Risk Management Inc. Jeff is a former President of ASIS International. A CPP and PSP, he has authored many articles in the security trade magazines and is a featured speaker on various security, risk management and criminal investigation subjects.


What do you do in the security Industry?

I find myself a part of the security profession as opposed to an industry, by striving to be an expert in security’s role inside of enterprise risk management. This is a more strategic vocation outside of singular business gain and guided by ethical standards. If you accept this premise, then my focus on understanding the vertical of security is not the end game, but it is Enterprise Risk Management (ERM). This is the holistic view of ALL risks, their interdependencies and relationships outside of our legacy business silos. Simply stated, I believe in this concept of ERM and feel Security, along with the many other verticals in this domain, will mature and evolve into a new management fabric … a new and more refined business model.

What do you do for Security Risk Management, Inc?

I founded Security Risk Management, Inc. in 1989 after understanding risk management as it evolved as a new profession beginning in the late 1960s. The company’s goal was/is to provide security related services to large and mid-sized companies and always take a risk management approach. We have done this throughout the world and have gained what we think is an affirmation of basic tenets of security. It always continues to get back to an excellent understanding of the issues, well-developed plans, and good execution alongside the right metrics for ongoing evaluation and tweaking.

How did you originally get involved in Risk Management?

My father was involved in risk management as it began to evolve in 1968. I was interested in the dynamic of risks and because of his leadership in the evolution of risk management and willingness to explain the topics, I began to associate those discussions with an area of particular interest to me, security. Risk management is making a bolder move now in its evolution and I think security should play a major role – or be subsumed to an insignificant role. This would occur not due to the “best model” rule, but because the thought leadership did not understand where security should relate, or is willing to relate, to risk management.

Why Risk Management?

Risk management is what all business models should emulate. Business and governments should holistically assess risk in their enterprise. To survive in our brave new world, the ability of a company/government to anticipate or respond to the emergence of new risks and marketplace needs and conditions is paramount… number 1. By understanding the many critical dimensions of risks, companies/governments can not only manage the potential for negative effects of the risk, but understand the UPSIDE of Risks! What opportunities do risks provide your company/government versus the competition? What are the risks out there? What are the risks of inaction… of standing still? These are all bigger than just the security silo… they can determine if the business/government lives or dies. Through risk management, security and the rest of the business begin to assess the true value of security, and the transparency will be good for some… and bad for others.

As a former President of ASIS International (previously the American Society for Industrial Security, ASIS.org) and as founder and very active member of the Alliance for Enterprise Security Risk Management (AESRM.org), you have a unique view of Enterprise Risk Management as it relates to security. Why should companies focus on this area?

Risk affects their business/government survival. The ability to understand and to take risks is fundamental to our world economy. Investments, innovation and initiatives are based in risks. So, if you buy into this grand ERM perspective, it becomes imperative for Security to be “a part” of the bigger picture of holistically managing risks. Anything less will impede business/government. Business’ adoption of ERM has progressed geometrically. My fear is that our Security profession will not understand or embrace ERM in time to “have a seat at the table”. I was recently talking with a leader in ERM who shared the following story: he was at a cocktail party with the top 20 leaders of a large company. He was engaged in dynamic discussions and agreement on the value of enterprise risk management when he happened to bring up the need to include security at the ERM table… and the whole room went silent. My friend was not sure what had happened and asked someone later on what had happened. He was told that no one wanted Security at any table. All they did was restrict the business and tell them why they could not do ANYTHING. So, no one wanted to deal with the security manager.

If security is not at the table, security is subsumed to an insignificant part of the company— and in the case of ERM— the picture of risks is incomplete and therefore puts the company/government “at risk”. My immediate challenge to everyone in security is to be a risk manager who happens to have expertise in security. The security manager’s (CSO’s) role is to “enable” the business.

How is the economy currently affecting risk in the security industry?

Challenging strong security programs and eliminating or drastically changing others. During this economy, business needs to cut costs and security is one of the areas where this should occur… with many others. It is important that business leaders understand that their mechanism for understanding risks is important and should be considered strongly in the program reduction process. If you eliminate the understanding of risks, you lose this portion of your “risk sight” – you are going blind. So, in my opinion, security’s value in this environment is derived from what they bring to the “risk conversation”. I am seeing risk intelligence departments keeping headcount or growing. Outside of that, costs will be reduced.

Do you see any new technology affecting the risk management or security industry as a whole?

Risk Management will be driven more and more by risk management software. With the size of large companies, frequent personnel changes and adaptation to new initiatives, software is the only consistent and analytical approach that makes sense. Risk intelligence systems will feed this ERM software along with operations, financial, etc. risks. I am involved with RiskIQ.net, which is an automated SaaS system producing risk intelligence, and Steve Minsky at Logic Manager has developed a good system with new versions developed constantly.

In the traditional security realm, smart edge devices and centralized multiplatform systems will come together for centralized monitoring and control.

IT security risk management will continue to see enhanced access control, early detection of risks and smart elimination of risks. State-owned actors and/or criminals will increase IT threats to everyone with an increased perspective of how to monetize their operations.

What do you see changing in the risk management market over the coming years?

Increased recognition of the value of ERM, expansion of ERM programs and development of verticals within the ERM models— maturing the models for greater management of all risks with increased analytics. Professional associations I am familiar with, including ASIS International (ASIS), the Risk Insurance Management Society (RIMS) and the Information Systems Audit and Control Association (ISACA), are taking leadership positions in the ERM arena. This will continue to grow.

Your new role on the Board of Directors of the IT Governance Institute (ITGI) with the Information Systems Audit and Control Association (ISACA) is a little bit of a change. Does this bring a new dimension to our discussion?

This is an opportunity to work with a leading professional society, ISACA, in a meaningful way. The IT Governance Institute (ITGI) summary includes: “It exists to assist enterprise leaders in their responsibility to ensure that IT goals align with those of the business, it delivers value, its performance is measured, its resources properly allocated and its risks mitigated. Through original research, symposia and electronic resources, the ITGI helps ensure that boards and executive management have the tools and information they need for IT to deliver against expectations.” (http://www.isaca.org/Content/NavigationMenu/Governance/ITGI1/ITGI_info.htm)

So you can see how the idea of assuring that enterprise leaders ensure goals align with those of the business is all about ERM, IF the business has embraced ERM. If not, the ITGI helps prepare and educate the leaders on the many ways IT leaders can be an integral part of the business.

Can risk management be automated on an enterprise level?

Yes. No system stands out right now and the holistic model is ripe for the right company. RiskIQ has the risk intelligence system down, others have some management processes down, but no one is doing it all.

You are a leader in the Cloud Security Alliance. What is this organization doing in the area of risk?

What a great group of thought leaders! Jim Reavis has brought together a great group who produced a significant white paper released at RSA… This volunteer community (http://www.cloudsecurityalliance.org/) created an 83 page white paper covering key issues and providing advice for both Cloud Computing customers and providers across 15 strategic domains. More research is being done, and discussion groups and presentations on the topics are providing discussion in the marketplace to provide clarity in the midst of a possibly confusing environment.

Security is thought of as predominately reactive and risk mitigation as preemptive, so how do the two mold into an Enterprise Risk Management (ERM) solution?

I see it a little differently. I see security’s overall strategies as “prevention and early warning”. I see law enforcement as “reactive, investigation and risk mitigation”. So, if we look at ERM as being both and all— ERM wants to receive prevention and early warning about risk— at the same time, some risks are recognized as they are occurring and then you examine how you will treat the risks. One summary of risk treatments which may be used in any combination is to… reduce; eliminate; ignore; transfer; accept; and the new one: exploit. So, I would suggest in the new ERM model, the names of “security” or “safety” or … may not keep their old names; maybe new names will emerge describing these roles in ERM?

What do you see as the security industry’s biggest challenge?

Old versus the new.

Actually a blend of both is needed. Old managers, old risks, old treatments, etc. will exist and continue to be around. Many existing Chief Security Officers (CSOs) have been very successful and should continue contributing with their tried and true way, BUT in combination with the new kid on the block: the new risks from technology, new systems, new processes, new countries, new economies, new financials, etc. The model for this may be the government’s suggestion of using a new Systemic Risk Regulator, who can be the collection point, aggregator, central point of responsibility, a Chief Risk Officer (CRO), to holistically understand all risk and assure they are being managed appropriately.

My previous ranting on the ERM models does not include a discussion of the hierarchical old-school organizational chart… but I suggest a new matrix of risk understanding can be applied back to an existing structure and be effective IF the right ERM CULTURE is developed. Risk is everyone’s responsibility.

I am on the board of the IT Governance Institute (www.ITGI.org, as a part of www.ISACA.org), which has developed some good information around this topic of future challenges.

What do you believe is the largest growth area in security?

Intelligence, smart edge devices, smart software understanding normal and what is not. This applies to access control, surveillance, territoriality… in physical and cyber reality. After this RESET button was pushed (“Economic Crisis: Hitting the ‘Reset’ Button” by Sean Silverthorne), the companies/governments that evaluate security using “zero base” and build back inside ERM will succeed tenfold— my prediction.

How did you originally get involved in security and more specifically Risk Management?

I discussed this in parts earlier, but I was in loss prevention with JC Penney in the 1970s, law enforcement in the late ’70s, and in the ’80s with NCNB (which later became Bank of America) handling portions of security, operations and corporate real estate as a management training program. Bank management had an excellent sense for security’s role in business, which I combined with my discussions of risk management to then start my company, Security Risk Management, Inc., twenty years ago. Security Risk Management has provided service all over the world.

With a focus on where physical security meets information security, what do you see in the future regarding Risk Management?

Physical security is being affected by the addition of smart technology. The older safe now has an electronic combination that can be networked. The camera or access control now resides on the intranet or Internet. There are new vulnerabilities from this new technology—some that have not been recognized yet. AESRM.org did a study with both physical and IT professionals to examine some of these possible risks at http://aesrm.org/Convergent%20Sec%20Risks%20Physical%20Sec%20Systems.pdf. Read through and think of some new ones we have not recognized yet.

I challenge the security vendors to be responsible in their development of new technology and software to fully test and put “warning labels” on the box identifying safe and unsafe configurations of the system on certain platforms, etc. They, of all parties, should be fully aware of the right way to use their technology.

In either case, the differences between these security sectors should be included in the ERM’s holistic view of risks. Whether security, IT or other equipment, process, etc. – the ERM program takes all into consideration. Dave Snowden’s view of “Scanning the Horizon” is important to recognize these risks and manage them early on.

Has Risk Management changed as a result of the War on Terror and the forming of the Department of Homeland Security?

The concepts of both of these have solid foundations, but my knowledge of the current structure and effectiveness of each is in the process of maturation. Many good people are doing many good things, but due to separate departments, many people, bureaucracy, multiple agencies, etc., the holistic view of risks is sometimes lost. Since 9/11, intelligence agencies use the collaborative technology of wikis and common working space to arrive at common intelligence. This intelligence includes risks. My opinion: IF government can embrace ERM in a more aggressive way, many good results would occur in ALL areas of government.

How would a person go about obtaining more information on Enterprise Risk Management (ERM)?

Many agencies have information, but the professional associations are a good start. I have listed these below:
www.AESRM.org – read all papers
www.asisonline.org – reference the AESRM research papers
www.isaca.org – search for “ERM” and many applicable reports, guidelines, etc. are provided.

How is the economy affecting your plans for future offerings?

Security Risk Management, Inc. consults with companies regarding security and security’s role in ERM. Our consulting projects dropped off significantly in February and we are now trying, for the first time in 20 years, to market and advertise, so we need your business: call us at 704.521.8401 or email jspivey@srmsig.com

Additionally, my involvement with RiskIQ.net is related to business development for their technology in the security arena and in particular the Enterprise Risk Management space. Understanding risk is important for the ERM program and RiskIQ has great Semantic Web 3.0 technology. Contact me at jeff.spivey@riskiq.net

What is next for Jeff Spivey and Risk Management Inc.?

Sell Sell Sell RiskIQ
Develop new business for Security Risk Management, Inc.
My involvement in the ITGI and further development of ERM, e-learning training programs, risk management and security-related speaking engagements, exploitation of social media, spending time with my family…

Security Risk Management
5200 Park Road, Ste: 122
Charlotte, NC 28209
704-521-8401

Jeff on CSO Magazine