Guide to Careers in Cyber Risk Assessment and Management
Risk assessment and management is a business function that involves identifying an enterprise’s exposure to potential losses, taking actions to reduce the probability of financial and operational setbacks, and putting plans in place to mitigate the impact when and if those setbacks occur. In the realm of cybersecurity, risk assessment and management has a similarly strategic function. Cyber risk assessment and management professionals track cyber threats, perform information technology (IT) systems security assessments, and work to ensure that an enterprise/organization is prepared to mitigate and recover from attacks, incursions, and other events that can impact the function of vital cyber systems and/or compromise the integrity of the data protected by those systems.
When, for example, a new type of malware, a novel ransomware strategy, or another type of threat emerges in the cyber landscape, businesses, organizations, and government agencies with cyber assets to protect rely on risk assessment and management specialists to provide threat analyses, system hardening guidance, and strategic planning advice that limits risk exposure and reduces potential damage. Cyber risk assessment and management professionals also use their knowledge of common and emerging cyber system vulnerabilities to help ensure that enterprise IT systems, digital communication networks, databanks, and other system components meet industry security standards and thus present an acceptable level of risk exposure.
Employment Opportunities in Cyber Risk Assessment and Management
Cyber risk assessment and management is an area in which IT security concerns intersect with and are incorporated into the broader, top-down executive functions and strategic management of business enterprises, government agencies, and other types of organizations. It is, for example, common for organizations with large IT infrastructures and thus pressing cybersecurity concerns to have a chief technology officer (CTO) or another high-level executive whose responsibilities include the oversight and management of cyber risk mitigation planning. Government and military agencies and technology driven enterprises may appoint what the National Institute for Standards and Technology (NIST) and the Interagency Federal Cyber Career Pathways Working Group have designated as an Authorizing Official (AO). The AO is tasked with responsibilities that directly relate to operating cyber systems at what is deemed to be an acceptable level of risk and thus coordinates risk assessment and management functions.
Regardless of how an organization with IT assets and cybersecurity concerns is structured, the job of risk assessment and management is typically a team effort, drawing on the knowledge and skills of computer programmers and engineers, IT systems administrators and auditors, operations analysts, penetration testers, procurement specialists, and others who can identify and address cyber vulnerabilities. There are also independent contractors and cybersecurity firms who provide risk assessment, mitigation, and management services to government agencies, large and small businesses, and others with cybersecurity needs. Cyber risk management consultants may conduct system vulnerability scans, access logs and policies, and collect other relevant information or data in order to determine whether or not a client’s security protocols comply with industry standards, to assess IT system vulnerabilities, and to recommend and/or implement upgrades, security patches, and governance measures that reduce risk exposure.
There are thus a number of ways to enter and advance in the field of cyber risk assessment and management, most of which begin with gaining experience in one or more of the technical areas related to IT and cyber systems security. These areas include, but are not limited to, digital forensics, IT program auditing, malware research, penetration testing, security governance and compliance, systems security administration, and vulnerability analysis.
Among the designations for cybersecurity professionals who advance into risk analysis and management roles are the following:
- Cyber Risk Analyst
- Cyber Risk Consultants
- Security Control Assessor
Knowledge, Skills, and Abilities (KSAs) for Cyber Risk Assessment and Management Specialists
Assessing and managing cyber risk exposure requires familiarity with a broad range of enterprise IT systems, computer and mobile communication networks, specific types of cyber threats, and the tools, techniques, policies, and procedures that can successfully deter, defeat, and mitigate the impact of cyberattacks. Professionals in this field also benefit from a knowledge of risk management frameworks, government and industry standards for acceptable/responsible levels of risk exposure, and the interplay between operational imperatives and exposure to various types of potential threats.
The National Initiative for Cybersecurity Education (NICE), a public and private sector partnership operated under the auspices of the National Institute for Standards and Technology (NIST), maintains a Cybersecurity Workforce Framework (NICE Framework) that identifies 52 distinct work roles within the field of cybersecurity. For each of these work roles, the NICE Framework compiles dozens of knowledge, skills, and abilities (KSAs) that are commonly associated with employment in these specialized areas = within cybersecurity.
The sections below draw on the NICE Framework KSAs for Risk Management specialists designated within the Framework under the titles Security Control Assessor and Authorizing Official/Designating Representative, as well as on actual job listings for cyber risk analysts, risk consultants, and security control assessors.
General Technical Knowledge
- Capabilities and applications of major network hardware components, including routers, switches, bridges, servers, and transmission media
- Common cyber threats and vulnerabilities
- Common system and application security threats and vulnerabilities
- Computer code analysis tools
- Computer networking concepts and protocols, and network security methodologies
- Compiled and interpretive programming languages
- Controls related to the use, processing, storage, and transmission of data
- Cloud computing concepts and applications
- Cryptography and cryptographic key management
- Cyber defense and vulnerability assessment tools
- Data backup and recovery systems
- Network access, identity, authorization, and access management tools and procedures, including public key infrastructure, OAuth, OpenID, Security Assertion Markup Language (SAML), and Service Provisioning Markup Language (SPML)
- Operating system and application vulnerabilities
- Security system authentication, authorization, and access control methods
Cyber Risk Assessment and Management Knowledge and Skills
- Business continuity and disaster recovery planning methodologies
- Common coding flaws
- Common cybersecurity and privacy issues that stem from connections with internal and external customers and partner organizations
- Current industry methods for evaluating, implementing, and disseminating IT security assessment, monitoring, detection, and remediation tools
- Design modalities for security assessments
- IT security principles and methods
- IT supply chain security and supply chain risk management policies, requirements, and procedures
- Laws, regulations, policies, and ethics as they relate to cybersecurity and privacy
- Network systems management principles, models, methods, and tools
- Penetration testing and vulnerability scanning
- Qualitative and quantitative methods for analyzing, interpreting, and synthesizing raw data into intelligence products
- Risk management methodologies and procedures
- Security test data collection, verification, validation, and analysis methods
- Systems diagnostic tools and fault identification techniques
- Virtual machines, such as Microsoft Hyper-V, VMWare vSphere, Citrix XenDesktop/Server, and Amazon Elastic Compute Cloud
- Vulnerability information dissemination sources, including alerts, advisories, errata, and bulletins
Additional Abilities
- Ability to ask clarifying questions
- Ability to answer technical questions clearly and concisely
- Ability to communicate complex information, concepts, and ideas verbally and through written and visual media
- Ability to dissect problems and examine interrelationships between data that may appear unrelated
- Ability to facilitate group discussions
- Ability to translate data and test results into evaluative conclusions
- Instructional and training exercise design and development methods
- Skill at preparing and presenting professional briefings
- Skill at producing technical documentation
Training and Credentials in Cyber Risk Assessment and Management
Cyber risk assessment and management professionals draw on technical knowledge related to enterprise IT and communication systems, information/data security tools and techniques, and cyber threats, as well as on KSAs in areas such as organizational management, professional communication, critical thinking, and problem solving. There are many ways to cultivate these technical and professional proficiencies, including academic programs, on-the-job training and experience, and industry specific certifications and credentials. Typically, specialists in cyber risk assessment and management cultivate a skillset that combines an understanding of business management and operations principles with a broad knowledge of the technologies associated with cyber systems and their security.
The sections below detail some of the more common pathways for attaining this base of knowledge, including academic programs (bachelor’s degrees, master’s degrees, and graduate certificates), bootcamps, and training programs designed to prepare professionals for industry certifications.
Bachelor’s, Master’s, and Graduate Certificate Programs in Cyber Risk Assessment and Management
Senior-level positions in risk assessment and management generally require a minimum of a bachelor’s degree and significant professional experience in IT security, cyber governance, information security compliance, cyber systems auditing, and/or vulnerability analysis. However, the pathway to a career in cyber risk assessment and management generally begins with formal training in computer science and business/organizational management. Thus, a bachelor’s degree in computer science, information systems, or business administration with coursework in IT systems, computer programming, and/or cybersecurity can provide a solid foundation for entry-level work in cyber risk assessment and management. There are also many schools that now offer a designated major in cybersecurity for students pursuing a bachelor’s degree.
At the graduate level there are many schools that offer master’s programs in cybersecurity, information assurance, cyber governance, digital forensics, and related areas that have direct applications in cyber risk assessment and management. Many of these programs touch on risk management frameworks for cybersecurity, and some have designated specializations in cyber risk management. There are also Master of Business Administration (MBA) programs that give students the option of specializing in cybersecurity by taking several courses in cybersecurity topics.
Another option for students who already have a bachelor’s degree and who want to receive academic training in cybersecurity and cyber risk management without enrolling in a full master’s program are graduate certificate programs. Cybersecurity graduate certificate programs typically consist of three, four, or five courses designed to prepare students for specific types of work, including risk analysis, risk assessment, and risk management. In fact, there are several schools that offer cybersecurity risk management and strategy graduate certificate programs.
Professional Credentials and Certifications in Cyber Risk Assessment and Management
Outside of academia, there are non-profit professional organizations and for-profit companies that provide training and certification programs in a broad range of cybersecurity specializations. Holding a professional certification can be advantageous in that some employers prefer applicants for particular jobs to have these credentials. Among the private companies that offer certifications in areas related to cyber risk analysis and management are the SANS Institute, which has several certifications related to cyber risk assessment and management that are offered through the Institute’s Global Information Assurance Certification (GIAC) program. These include: GIAC Strategic Planning, Policy, and Leadership (GSTRT); GIAC Systems and Network Auditor (GSNA); and GIAC Critical Controls Certification (GCCC).
ISACA, a non-profit professional association that was formally known as the Information Systems Audit and Control Association, offers two certifications that have applications in cyber risk assessment and management: Certified Information Systems Auditor (CISA); and Certified in Risk and Information Systems Control (CRISC). These credentials are included below in the list of certifications that can be helpful in the field of cyber risk assessment and management.
- Certified Information Systems Auditor (CISA), and Certified in Risk and Information Systems Control (CRISC), offered by ISACA
- Certified SOC (Security Operations Center) Analyst, offered by the International Council of Electronic Commerce Consultants (EC-Council)
- GIAC Strategic Planning, Policy, and Leadership (GSTRT), GIAC Systems and Network Auditor (GSNA), and GIAC Critical Controls Certification (GCCC), offered by the SANS Institute
Examples of Jobs in Cyber Risk Assessment and Management
The following section provides examples of the types of jobs that are commonly available in the field of cyber risk assessment and management. Each of the examples below is a composite of actual listings for open positions in cyber risk assessment and management. These examples are meant to provide a representative overview of the skills employers are seeking and typical job responsibilities associated with work in this cybersecurity specialization.
Cyber Risk Analyst
- Primary Responsibilities: Conduct client security assessments and policy reviews; process and prioritize client security requests, to include cybersecurity assessments, questionnaires, policy reviews, penetration tests, and testing documentation; provide clients with cyber risk analysis reports; and advise clients on risk remediation/mitigation strategies.
- Education: Bachelor’s or graduate degree in information security, computer science, business, or a related field.
- Experience: Five or more years conducting cybersecurity assessments, policy reviews, penetration testing, and security review reports.
- Credentials: GIAC cybersecurity credential preferred.
- Technical Proficiencies: Penetration testing and vulnerability scanning tools; common security and risk management controls for business IT systems; governance risk and compliance (GRC) tools and processes; and Vendor Risk Management (VRM) and Third-Party Risk Management (TPRM) procedures and programs.
- Other Attributes: Technical and non-technical communication skills; technical and non-technical writing skills; and interpersonal communication and client relationship skills.
Security Control Assessor
- Primary Responsibilities: Create systems and applications security test plans; perform security tests that mimic adversarial tactics; analyze test results and suggest mitigation plans for security risks; provide risk assessment and mitigation reports to senior decision makers in which system vulnerabilities are identified, test procedures are documented, and remediation strategies are recommends; and assist in researching, evaluating, and developing relevant cyber governance policies.
- Education: Bachelor’s degree required.
- Experience: Ten or more years of experience in cybersecurity, penetration testing, cyber research, and/or IT security management preferred.
- Credentials: None specified.
- Technical Proficiencies: Windows operating systems installations; Linux operating systems; wireless and virtual platforms; network architectures and network management tools; and risk management methodologies.
- Other Attributes: Technical writing skills; and the ability to communicate technical information to non-technical clients and stakeholders.
Cybersecurity Risk Consultant
- Primary Responsibilities: Support cybersecurity engagement team in strategy, risk, compliance, and resilience matters; participate in the assessment of cybersecurity controls, programs, and strategies; and assist with NIST Risk Management Framework and Assessment and Authorization enhancement, operations, and governance.
- Education: Bachelor’s degree in computer science, information systems, cybersecurity, or a related field.
- Experience: Two or more years in IT/cybersecurity for applicants with a bachelor’s degree; one year for applicants with a master’s degree in computer science, cybersecurity, or information systems management.
- Credentials: None specified.
- Technical Proficiencies: Cybersecurity assessment tools; IT and cybersecurity policies, standards, procedures, and controls; cybersecurity and risk management solution design and implementation tools, such as SNOW IRM, Archer GRC, RiskLens, and Azure Security Center; and knowledge of IT and cloud systems architecture.
- Other Attributes: Interpersonal communication skills; technical writing skills; and the eligibility for government security clearance.
Enterprise Risk Management Subject Matter Expert
- Primary Responsibilities: Provide technical leadership and cybersecurity expertise in matters related to homeland security threats; develop solutions to emerging cyber threats; research and document cyberattack methodologies; create risk management decision-making matrixes; and develop workshops and training materials to implement risk reduction strategies.
- Education: Bachelor’s degree in a relevant technical field.
- Experience: Five or more years working with federal agencies and related enterprises in matters regarding cybersecurity risk management.
- Credentials: None specified.
- Technical Proficiencies: IT system infrastructure and application development; Federal Enterprise Risk Management policies, practices, and requirements; knowledge of relevant regulations, statutes, and laws regarding information security, including the Federal Information Security Management Act (FISMA); familiarity with the NIST Risk Management Framework; security and risk assessment strategies and tools for large scale mission systems; and cybersecurity engineering, support, analysis, documentation, and/or validation skills and knowledge.
- Other Attributes: Exceptional interpersonal and relationship-building skills with people at all levels of an organization; ability to navigate strong personalities using communication skills; and the ability to obtain public trust clearance.