Options

IT Security Risk Management Course/Studying

[Deleted User][Deleted User] Senior MemberPosts: 0 ■■□□□□□□□□
in IT Jobs / Degrees
Hey Forum:

During my time working in security, the main thing I am seeing is conveying and being able to communicate the business risk. It is a weakness of mine and I need to grow in that area if I want to get to my next level in my career. Does anyone know of any good course, book or certification that can help with understanding business risk or even risk management in general? Thanks!
· Share on FacebookShare on Twitter

Comments

  • Options
    UnixGuyUnixGuy Mod Posts: 4,565 Mod
    Great question. Apart from CISSP, I'm not too sure. I did some risk assessment, and just had to follow the existing procedure in place (i.e. looked at existing document for a previous project and used it as a template for the next one..).
    Certs: GSTRT, GPEN, GCFA, CISM, CRISC, RHCE

    Learn GRC! GRC Mastery : https://grcmastery.com 

    · Share on FacebookShare on Twitter
  • Options
    tedjamestedjames Member Posts: 1,179 ■■■■■■■■□□
    www.cybrary.it has some great, free risk management training.
    · Share on FacebookShare on Twitter
  • Options
    JoJoCal19JoJoCal19 Mod Posts: 2,835 Mod
    The absolute BEST resources are probably going to be the CRISC and CISM Review Manuals from ISACA (I own them and a bunch of other related books). The cheapest, but still good options are going to be Security Risk Management: Building an Information Security Risk Management Program from the Ground Up and Information Security Risk Assessment Toolkit: Practical Assessments through Data Collection and Data Analysis (I own these as well).
    Have: CISSP, CISM, CISA, CRISC, eJPT, GCIA, GSEC, CCSP, CCSK, AWS CSAA, AWS CCP, OCI Foundations Associate, ITIL-F, MS Cyber Security - USF, BSBA - UF, MSISA - WGU
    Currently Working On: Python, OSCP Prep
    Next Up:​ OSCP
    Studying:​ Code Academy (Python), Bash Scripting, Virtual Hacking Lab Coursework
    · Share on FacebookShare on Twitter
  • Options
    [Deleted User][Deleted User] Senior Member Posts: 0 ■■□□□□□□□□
    Awesome!! Thanks guys!! Yeah I'm always being told say I find x vulnerability, "what is the risk". It sucks since it is holding me back from moving forward but need to get that part nailed down!
    · Share on FacebookShare on Twitter
  • Options
    TheFORCETheFORCE Member Posts: 2,297 ■■■■■■■■□□
    kMastaFlash wrote: »
    Awesome!! Thanks guys!! Yeah I'm always being told say I find x vulnerability, "what is the risk". It sucks since it is holding me back from moving forward but need to get that part nailed down!

    The CISM or CRISC will not help you with addressing what is the risk with X vulnerability. Their risk focuses more on business risk which is a bit higher on the list of the risk you are trying to identify.
    · Share on FacebookShare on Twitter
  • Options
    [Deleted User][Deleted User] Senior Member Posts: 0 ■■□□□□□□□□
    @TheFORCE Any suggestions then on learning/understanding the business risk?
    · Share on FacebookShare on Twitter
  • Options
    TheFORCETheFORCE Member Posts: 2,297 ■■■■■■■■□□
    kMastaFlash wrote: »
    @TheFORCE Any suggestions then on learning/understanding the business risk?

    Yes, start with identifying critical assets and critical areas of the network. And assign criticality to them, come up with your own numbers or looks up some risk assessment templates and methodologies.

    For example lets say you have an internal server that hosts an application that internal users use on a daily basis, if this server goes go then people wont be able to worl for x amount of time. On top of that this server also processes sensitive customer information. You scan the server and you find xyz vulnerability. What you need to do at this point you need to find the severity of the vulnerability. Most vulnerability scanning tools will give you the info. Next you research how this vulnerability can be exploited. You find out that this is a RCE (Remote code execution) vulnerability .

    Now you go back to your boss and you say... You have a RCE vulnerability that could allow an attacker to execute code on your server plus this server is a high criticality server that processes sensitive information. If the vulnerability gets exploited you are faced with losing all that sensitive information.

    At this point your boss will say ok, is it worth the effort to fix it, update it, patch that server how much will it cost vs how much it will cost if we dont. Now you are at the stage where theu can talk business risk. That's a bit simplistic but I hope you get my point.

    Start with reading about risk assessments and calculating qualitative vs quantitative Risk. Move higher from there. Then read CISM and CRISC but first you need to understand the risk of a vulnerability and do a vulnerability assessment in order to translate that into business risk.
    · Share on FacebookShare on Twitter
  • Options
    TechGuru80TechGuru80 Member Posts: 1,539 ■■■■■■□□□□
    kMastaFlash wrote: »
    @TheFORCE Any suggestions then on learning/understanding the business risk?
    Business risk varies by industry, location, climate, etc....so you need to understand things like business objectives, competitors, and technology utilized for starters. For example, government will be worried about nation-state attackers but a fishing company is unlikely to be concerned with that...thus the controls will be different because they face different threats.

    To learn about understanding risk from a high level and potential ways to manage it...you can study CRISC / CISA, NIST SP 800 series (837, 53, 53A, etc.), and COBIT will get you started.

    It's important to understand that there is no one size fits all approach, and the solution is not always technical...so you won't see a lot of specific technologies listed.
    Security Certification Roadmap
    · Share on FacebookShare on Twitter
Sign In or Register to comment.