Learn the Skills of a Cybersecurity Risk Manager
After completing this unit, you’ll be able to:
- Describe the responsibilities of a cybersecurity risk manager.
- List key skills of a cybersecurity risk manager.
Are you a great analyzer, influencer, and problem solver? Do you enjoy understanding threats and analyzing data to better understand risk? Do you like to come up with action-oriented improvement plans? If so, managing cybersecurity risks can be the perfect job for you!
Let’s meet David. He is a cybersecurity risk manager at a cybersecurity services company. David identifies and analyzes risks facing the organization and its systems, and then he prioritizes the most likely and impactful cybersecurity risks. He understands threats and challenges facing the organization, and gathers and uses data to assess risks to the business. His goal is to enable business system owners, executives, and other stakeholders to make risk-informed decisions to manage risks at an acceptable level.
David has a challenging but pivotal role. According to a recent article by the World Economic Forum, cyber risks are both highly likely and highly impactful. It’s his job to try to mitigate risks by working with key stakeholders and leadership to lessen the likelihood and impact of a given risk.
In doing so, David has to balance risks and rewards, much like someone carefully balances while walking across a tightrope. His company faces many threats to its valuable systems and data, such as denial of service attacks from malicious actors who want to overwhelm his servers so that his customers cannot access them. He also has a limited amount of financial, staff, and technological resources to address the risks posed by these threats. Once he has worked with partners to identify the most likely and highly impactful risks, it’s his job to help the organization prioritize risks in a logical way.
David likes understanding how all the pieces of the risk puzzle in his organization fit together. He researches frameworks applicable to his given industry and uses them to assess the current protections and provide opportunities for improvements, in order to manage risks to an acceptable level. He also works with teams across the business to help them improve their risk posture. He makes sure each part of the organization understands its role in managing risk. Once he and his partners have assessed their risk and current protections, he advises system owners on the implementation of technical controls to help mitigate risk, and documents risk decisions for the organization.
David is like a detective who constantly searches for clues about the current risk posture of his company. Once mitigations have been put in place, he gathers data to help monitor the organization’s risk posture, and forms close relationships across the business to validate and assess the risk posture accurately. He has his finger on the pulse of the organization's risk posture at any given moment, and recognizes problems early. His work is never done, and he evolves his strategy for managing risk as the threat and technology landscapes evolve.
So, like David, you’re ready to understand the threats against organizations and figure out how to thwart them in order to buy-down risk. What skills do you need to land your dream job?
First, it helps to have a bachelor’s degree. Your degree doesn’t have to be in a specific area, but risk managers often have an educational background in computers, information science, engineering, systems analysis, information technology, cybersecurity, or even accounting. There are also certifications you can pursue to bolster your security skills, including the Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), or Certified in Risk and Information Systems Control (CRISC) certifications, to name a few.
In terms of technical skills, as a cybersecurity risk manager you are a great analyzer, who understands cybersecurity and technology, systems management, and project management. You have skills in quantitative and qualitative data analysis, threat modeling, and scenario analysis. Risk modeling is another great skill to have, even if you’ve practiced it in another industry, such as finance.
Technical skills help you as a risk manager understand and solve security problems, but you must also have business know-how. You use your influence and persuasion skills to advise on decisions with significant organizational impact. You are a great communicator who enjoys collaborating to get things done and advocate for security best practices. You like building trust and consensus across organizational teams, and you are both detail-oriented and think strategically to solve problems.
Finally, as a cybersecurity risk manager, you have a passion for researching, analyzing, and applying different regulatory and policy frameworks to help your organization meet industry standards in an efficient manner. Some of the most common frameworks you should be familiar with are the General Data Protection Regulation (GDPR), National Institute of Standards and Technology (NIST) Cybersecurity Framework, and ISO/IEC 27001/2 Information Technology standards, although there are many more to learn about!
Ready to review what you’ve learned? The knowledge check below isn’t scored—it’s just an easy way to quiz yourself. To get started, arrange the list of items in the right-hand column in the correct sequence by dragging them to the left in the order in which they should occur. When you finish ordering all the items, click Submit to check your work. To start over, click Restart.
In this module, you’ve been introduced to the goals of managing cybersecurity risk, learned more about the importance of managing risk, and discovered the responsibilities and skills of a cybersecurity risk manager. In the next module, you learn how as a cybersecurity risk manager you identify risks and protect the organization. You also learn how you work across teams to detect risks and respond and recover from incidents. To learn more about cybersecurity and meet practitioners in the field, visit the Cybersecurity Learning Hub.