Anyone work as an Information Risk Analyst?

chickenlicken09

Do you like it and is there a good career path?

cyberguypr

As usual, what is you end goal? That's what you need to ask yourself in order to see how this role fits into the grand scheme of things.

We all know that titles mean nothing across companies but at least in my environment this is a non-technical paper pusher that is in charge of risk questionnaires and mundane stuff like that. The person does gap analysis, risk evaluation/ranking, compliance, etc. If you either like GRC or want to gain an understanding it, this is an OK role. If you are technical and do not like GRC, stay away. Again, see where you want to end up and see how this fits the agenda.

JoJoCal19

I've worked in Information Security Risk Management for a global bank, and actually have an offer coming in for an Information Security Risk Management Sr Mgr position. I love working on the GRC side. It comes pretty easily to me and I find it much easier to absorb frameworks and such than trying to absorb technical security stuff. My problem is I have ADD and I tend to get bored and that's why I've moved from GRC to technical security and back. To combat that I will just work on pentesting/dev/Linux stuff on my own and in my lab so that I can keep working in the GRC side of things going forward.

I'd recommend taking a read of NIST 800-37r1, ISO 31000, ISO 31010 for starters. See if you like those topics, and think you'd like to deal with that day to day.

Cyberscum

Well it all depends really. What do you want out of a career?

Its good, a bit boring for us ADD guys, but interesting for sure.

If you have time look at NIST 800-53 rev 4, CNSS 1253 and FIPS 199.

This will give u a good idea of how to categorize, dev security levels for and add security control to IS systems.

What space are you looking at breaking into?

UnixGuy

JoJoCal19 wrote: »

..To combat that I will just work on pentesting/dev/Linux stuff on my own and in my lab so that I can keep working in the GRC side of things going forward.

....

But if you're not going to use that technical knowledge for your job, why not do something else? either career related or even personal stuff/hobbies? Learning pentesting/linux is good, but if you have no use for it, then maybe doing something else is better - just a thought

JoJoCal19

UnixGuy wrote: »

But if you're not going to use that technical knowledge for your job, why not do something else? either career related or even personal stuff/hobbies? Learning pentesting/linux is good, but if you have no use for it, then maybe doing something else is better - just a thought

Funny you say that. I've been having an internal struggle the past 2-3 months over exactly that. This new job will probably be the final nail in that coffin. With the pay, title, and the job itself, it will probably be the final nudge away from doing that.

FSF150

That's pretty much what I do. It is not technical.

That being said, you get great exposure to all areas of information security (not just the sexy ones). This will benefit you in the future when you're ready for senior management. If you're into the cybersecurity stuff, you can develop good relationships with that team and work your way to a lateral transfer is something opens up.

I had no operational background in InfoSec so this path has been excellent for kickstarting my career.

beads

Its baked into my cake as everything gets some sort of risk management treatment. For that matter I ask/tell everyone they are risk managers throughout their entire lives. Rent or buy a house, credit card, etc. Its all about managing risk.

At the basic level. Very non-technical. At the highest levels needing a Ph. D. in statistics? Well, that's a whole different story. As I stated above its usually baked into many Security Engineers job descriptions as a matter of skillset. Separated as a position itself is likely already described by our esteemed colleges as a non-technical role.

- b/eads

NetworkNewb

beads wrote: »

Its baked into my cake

lol, I might have to steal that line

beads

@NetworkNewb;

Please do. I mean there are a great many number of tasks like this already part of my normal workday that you probably already do but no longer think of them as tasks. Risk management is also heavily baked into all ISO frameworks. Its just something you do without thinking about it.

- b/eads

mbarrett

FSF150 wrote: »

That's pretty much what I do. It is not technical.

Well, it is not hands-on technical. But from my own experience in that area, it helps a great deal to have that sort of knowledge & background, it will help you to understand the actual risk. You mentioned Operational background, and yes that's a great way to describe it - definitely not operational or hands-on technical.

FSF150

mbarrett wrote: »

Well, it is not hands-on technical. But from my own experience in that area, it helps a great deal to have that sort of knowledge & background, it will help you to understand the actual risk. You mentioned Operational background, and yes that's a great way to describe it - definitely not operational or hands-on technical.

Exactly. Someone who has the hands-on experience and can translate between computerese and "board-friendly language" will be successful in this role.