Anyone work as an Information Risk Analyst?

chickenlicken09 Member Posts: 537 ■■■■□□□□□□
Do you like it and is there a good career path?

Comments

  • cyberguypr Mod Posts: 6,928 Mod
    As usual, what is your end goal? That's what you need to ask yourself in order to see how this role fits into the grand scheme of things.

    We all know that titles mean nothing across companies, but at least in my environment this is a non-technical paper pusher who is in charge of risk questionnaires and mundane stuff like that. The person does gap analysis, risk evaluation/ranking, compliance, etc. If you either like GRC or want to gain an understanding of it, this is an OK role. If you are technical and do not like GRC, stay away. Again, see where you want to end up and see how this fits the agenda.
  • JoJoCal19 Mod Posts: 2,835 Mod
    I've worked in Information Security Risk Management for a global bank, and actually have an offer coming in for an Information Security Risk Management Sr Mgr position. I love working on the GRC side. It comes pretty easily to me and I find it much easier to absorb frameworks and such than trying to absorb technical security stuff. My problem is I have ADD and I tend to get bored and that's why I've moved from GRC to technical security and back. To combat that I will just work on pentesting/dev/Linux stuff on my own and in my lab so that I can keep working in the GRC side of things going forward.

    I'd recommend taking a read of NIST 800-37r1, ISO 31000, ISO 31010 for starters. See if you like those topics, and think you'd like to deal with that day to day.
    Have: CISSP, CISM, CISA, CRISC, eJPT, GCIA, GSEC, CCSP, CCSK, AWS CSAA, AWS CCP, OCI Foundations Associate, ITIL-F, MS Cyber Security - USF, BSBA - UF, MSISA - WGU
    Currently Working On: Python, OSCP Prep
    Next Up: OSCP
    Studying: Code Academy (Python), Bash Scripting, Virtual Hacking Lab Coursework
  • Cyberscum Member Posts: 795 ■■■■■□□□□□
    Well, it all depends really. What do you want out of a career?

    It's good, a bit boring for us ADD guys, but interesting for sure.

    If you have time look at NIST 800-53 rev 4, CNSS 1253 and FIPS 199.

    This will give you a good idea of how to categorize, develop security levels for, and add security controls to IS systems.

    What space are you looking at breaking into?
  • UnixGuy Mod Posts: 4,570 Mod
    JoJoCal19 wrote: »
    ..To combat that I will just work on pentesting/dev/Linux stuff on my own and in my lab so that I can keep working in the GRC side of things going forward.

    ....

    But if you're not going to use that technical knowledge for your job, why not do something else? Either career related or even personal stuff/hobbies? Learning pentesting/Linux is good, but if you have no use for it, then maybe doing something else is better :) - just a thought
    Certs: GSTRT, GPEN, GCFA, CISM, CRISC, RHCE

    Learn GRC! GRC Mastery : https://grcmastery.com

  • JoJoCal19 Mod Posts: 2,835 Mod
    UnixGuy wrote: »
    But if you're not going to use that technical knowledge for your job, why not do something else? Either career related or even personal stuff/hobbies? Learning pentesting/Linux is good, but if you have no use for it, then maybe doing something else is better :) - just a thought

    Funny you say that. I've been having an internal struggle the past 2-3 months over exactly that. This new job will probably be the final nail in that coffin. With the pay, title, and the job itself, it will probably be the final nudge away from doing that.
    Have: CISSP, CISM, CISA, CRISC, eJPT, GCIA, GSEC, CCSP, CCSK, AWS CSAA, AWS CCP, OCI Foundations Associate, ITIL-F, MS Cyber Security - USF, BSBA - UF, MSISA - WGU
    Currently Working On: Python, OSCP Prep
    Next Up: OSCP
    Studying: Code Academy (Python), Bash Scripting, Virtual Hacking Lab Coursework
  • FSF150 Member Posts: 119 ■■■□□□□□□□
    That's pretty much what I do. It is not technical.

    That being said, you get great exposure to all areas of information security (not just the sexy ones). This will benefit you in the future when you're ready for senior management. If you're into the cybersecurity stuff, you can develop good relationships with that team and work your way to a lateral transfer if something opens up.

    I had no operational background in InfoSec so this path has been excellent for kickstarting my career.
    First we drink the coffee. Then we do the things. :neutral:
  • beads Member Posts: 1,533 ■■■■■■■■■□
    It's baked into my cake, as everything gets some sort of risk management treatment. For that matter, I ask/tell everyone they are risk managers throughout their entire lives. Rent or buy a house, credit card, etc. It's all about managing risk.

    At the basic level? Very non-technical. At the highest levels, needing a Ph.D. in statistics? Well, that's a whole different story. As I stated above, it's usually baked into many Security Engineers' job descriptions as a matter of skillset. Separated out as a position itself, it is likely already described by our esteemed colleagues as a non-technical role.

    - b/eads
  • NetworkNewb Member Posts: 3,298 ■■■■■■■■■□
    beads wrote: »
    It's baked into my cake

    lol, I might have to steal that line
  • beads Member Posts: 1,533 ■■■■■■■■■□
    @NetworkNewb;

    Please do. I mean, there are a great many tasks like this already part of my normal workday that you probably already do but no longer think of as tasks. Risk management is also heavily baked into all ISO frameworks. It's just something you do without thinking about it.

    - b/eads
  • mbarrett Member Posts: 397 ■■■□□□□□□□
    FSF150 wrote: »
    That's pretty much what I do. It is not technical.

    Well, it is not hands-on technical. But from my own experience in that area, it helps a great deal to have that sort of knowledge and background; it will help you to understand the actual risk. You mentioned operational background, and yes, that's a great way to describe it - definitely not operational or hands-on technical.
  • FSF150 Member Posts: 119 ■■■□□□□□□□
    mbarrett wrote: »
    Well, it is not hands-on technical. But from my own experience in that area, it helps a great deal to have that sort of knowledge and background; it will help you to understand the actual risk. You mentioned operational background, and yes, that's a great way to describe it - definitely not operational or hands-on technical.

    Exactly. Someone who has the hands-on experience and can translate between computerese and "board-friendly language" will be successful in this role.
    First we drink the coffee. Then we do the things. :neutral: