How Exelon Corp Managed Security Risk
Whether you are a large or small company, having a security risk management plan in place is critical to the health of your business. Your team needs to know how to mitigate security risks in all areas, and what steps to take should one materialize. Today, we’ll look at a case study from Exelon Corp, the top clean power provider in the United States, and how it managed to reduce its exposure to crime, fraud, and other risks.
Exelon’s Approach to Security Risk Management
Exelon is a vast, complex company with nearly 30,000 employees, $86.8 billion in assets, and a revenue stream of $27 billion. This enterprise faces physical and cyber threats on a regular basis. To mitigate these risks, the company established a dedicated security leadership function and placed long-time Exelon employee Mary Ludford at its head.
Ludford’s full title is Vice President and Deputy Chief Security Officer for the Corporate and Information Security Services (CISS) business unit at Exelon. Under Ludford’s leadership, the CISS, which is the company’s security risk management team, oversees security in four primary areas:
- Physical security
- Information security
- Security operations support
- Security risk and intelligence
The CISS team prevents, detects, and responds to the company’s security risks in each of these four areas.
Security Challenges that Exelon Faced
While this structure sounds good on paper, was Exelon able to implement it? According to Managing Security Strategist Spencer Wilcox, the biggest challenge Exelon faced with its new security risk management plan was how to enforce its standards across the company. So the CISS team began creating metrics to use as a guideline for understanding how the different business units were implementing the new security measures.
These metrics provided a baseline by which the CISS team could evaluate the different units and rank them against each other on how well prepared each one was to withstand an attack, physical or cyber. Exelon created a list of five key metrics that it used to assess how well the various business units were conforming to its security standards. Exelon’s current metrics are:
- Detection occurrences, which count the cyber incidents detected in each unit.
- Physical vulnerability, which assesses how vulnerable the company’s physical sites are and what is being done to reduce those vulnerabilities.
- Business continuity planning, which assesses the current state of Exelon’s business continuity plans and how prepared each unit is to keep operating during an emergency event.
- Industrial control systems, which track how many industrial control system advisories are in place as well as the number of alerts, blocks, occurrences, and actual incidents.
- Data loss prevention, which counts the number of events that trigger a potential data loss alert.
Mitigating Risk is Crucial to Company Success
This case study on Exelon demonstrates a solid plan that allowed a very large enterprise to manage its security risks across the board in a systematic and controlled way. As Ludford explains in an article for Security Magazine, “It comes down to the Control Performers, who are responsible for ensuring that the controls are actually performed. That can be difficult to do in a large company with a significant footprint.”
She added that it takes a “two-way conversation and a disciplined approach to ensure that the people who help us protect the environment are aware, knowledgeable, and performing.”
With these measures in place, Exelon has been successful in training, educating, and holding people at various levels of the company accountable for security risk management.
Does your company have a plan in place for security risk management? Pro-Vigil can help. We are the undisputed leaders in the security space. Contact us today to get a free quote.