Enterprise risk management: all systems go

ERM might seem a lofty concept, but Georgetown turns that concept into specific systems and projects that reduce risk

When Bill Badertscher arrived at Georgetown University three years ago, campuswide security was handled in several departments with little coordination among teams. It was time for a change. Badertscher is Georgetown's senior engineer for facility and safety control systems and leader of a new IT team that focuses on the same areas. The goal is to address enterprise risk management (ERM) by redefining it to include nontraditional systems. Understanding that security is mission-critical has led the University Safety and Information Services departments to work together in unprecedented ways.

Badertscher spoke with CSO about the program, as well as the challenges and changes he's encountered in helping bring Georgetown's ERM strategy up to speed.

CSO: Let's start with an overview of where Georgetown's ERM program was before you came on board. What were some of your first steps when you started in your current role?

Bill Badertscher: Georgetown had experienced several significant security project failures and data security breaches. So at a high level, it was recognized that a strategy was needed to address systems in the facilities and security spaces. That strategy was led by our CIO Dave Lambert and resulted in the formation of several new groups within IT.

When I first came on board, a budget was established to immediately replace some legacy systems, including access control and video surveillance. However, early assessments identified a much wider range of needs; initial wish lists totaled more than $60 million in new spending. That level of funding isn't available, so it's been key to do risk assessments to prioritize our needs. These have focused our efforts on access control, video surveillance, emergency response and fire-protection systems.

What are some changes you've made?

Georgetown recognized early on the need for IT to take a leadership role in the replacement of departmental systems and independent cabling networks. Our data network has sufficiently matured to accommodate the power and communication needs of security and other systems. This is important because nearly all new systems today interface with the data network. Our philosophy is to leverage the data network as much as possible and closely manage data security along the way.

Our ERM program is not just about facility and security control systems. Along with my group, we have new groups responsible for scholarly information systems; research and regulatory administration; data security and policy; and advancement. So it's not just my group. It's actually a collection of new initiatives that are reaching out across the university to address enterprise risk. That includes facility and security control systems, but a lot of others as well.

What have been some of the bigger challenges along the way?

One of the bigger challenges when I got to Georgetown was the roles and responsibilities issue. In a very siloed environment, facilities have their own administration and they are very independent. So one of the immediate reactions was a lot of defensiveness among the folks in the departments wanting to know why information systems was stepping into what they thought of as their turf.

As a result, there's been a lot of education. We specifically are not trying to take over operations in those spaces, but we need to understand what their business needs are so we can put the proper technology in place to meet those business needs.

We've come up with a simplified model. The business units describe to us what they need, and then we describe how that is accomplished through technology. That's been very successful in helping to communicate to key stakeholders that we are actually partners.

You say legal principles are a driving force in your ERM strategy. Can you explain what you mean?

It goes back to prioritizing our risks. A lot of security spending decisions are made on an emotional basis or in response to incidents. But at the end of the day, the most significant risks we face are incidents that lead to lawsuits or have a negative impact on our reputation. Like our peers, Georgetown has defended against its share of lawsuits and has endured scrutiny by the media and parents. A key element that comes into play, for us, is understanding due care, which is the care that a reasonable person would exercise under the circumstances. Further, we practice due diligence to make sure the security controls we put in place are effectively operationalized and maintained.

There is also the matter of foreseeability. For example, if students were getting assaulted in particular areas of the campus, we can't turn a blind eye to those incidents. There is a lot of established case law that outlines what universities should be doing to protect parking lots, for example, or residence halls. So we have to make sure we are evaluating what our peers are doing and staying on top of best practices. The very real connection between what we are doing and how well it mitigates our risk is based on the legal consequences of what we do.

Various stakeholders across the university have their own ideas about what good security means. Some people want to put card readers everywhere. Some people want to put cameras everywhere. And some don't want either. We base our decisions on a clear understanding of the risks involved. This includes identifying our assets and assessing the threat environment and our vulnerabilities, and then communicating our plans.
