IT Security Risk Management Course/Studying

[Deleted User] Senior Member, Posts: 0
Hey Forum:

During my time working in security, the main thing I am seeing is conveying and being able to communicate the business risk. It is a weakness of mine and I need to grow in that area if I want to get to my next level in my career. Does anyone know of any good course, book or certification that can help with understanding business risk or even risk management in general? Thanks!

Comments

  • UnixGuy (Mod), Posts: 4,570
    Great question. Apart from CISSP, I'm not too sure. I did some risk assessment, and just had to follow the existing procedure in place (i.e. looked at existing document for a previous project and used it as a template for the next one..).
    Certs: GSTRT, GPEN, GCFA, CISM, CRISC, RHCE

    Learn GRC! GRC Mastery: https://grcmastery.com

  • tedjames Member, Posts: 1,182
    www.cybrary.it has some great, free risk management training.
  • JoJoCal19 (Mod), Posts: 2,835
    The absolute BEST resources are probably going to be the CRISC and CISM Review Manuals from ISACA (I own them and a bunch of other related books). The cheapest, but still good options are going to be Security Risk Management: Building an Information Security Risk Management Program from the Ground Up and Information Security Risk Assessment Toolkit: Practical Assessments through Data Collection and Data Analysis (I own these as well).
    Have: CISSP, CISM, CISA, CRISC, eJPT, GCIA, GSEC, CCSP, CCSK, AWS CSAA, AWS CCP, OCI Foundations Associate, ITIL-F, MS Cyber Security - USF, BSBA - UF, MSISA - WGU
    Currently Working On: Python, OSCP Prep
    Next Up: OSCP
    Studying: Code Academy (Python), Bash Scripting, Virtual Hacking Lab Coursework
  • [Deleted User] Senior Member, Posts: 0
    Awesome!! Thanks guys!! Yeah, I'm always being told, say I find X vulnerability, "what is the risk?" It sucks since it is holding me back from moving forward, but I need to get that part nailed down!
  • TheFORCE Member, Posts: 2,297
    Awesome!! Thanks guys!! Yeah, I'm always being told, say I find X vulnerability, "what is the risk?" It sucks since it is holding me back from moving forward, but I need to get that part nailed down!

    The CISM or CRISC will not help you with addressing what the risk is with X vulnerability. Their focus is more on business risk, which sits a bit higher on the list than the risk you are trying to identify.
  • [Deleted User] Senior Member, Posts: 0
    @TheFORCE Any suggestions then on learning/understanding the business risk?
  • TheFORCE Member, Posts: 2,297
    @TheFORCE Any suggestions then on learning/understanding the business risk?

    Yes, start with identifying critical assets and critical areas of the network, and assign criticality to them; come up with your own numbers or look up some risk assessment templates and methodologies.

    For example, let's say you have an internal server that hosts an application that internal users use on a daily basis. If this server goes down, people won't be able to work for X amount of time. On top of that, this server also processes sensitive customer information. You scan the server and you find XYZ vulnerability. At this point you need to find the severity of the vulnerability. Most vulnerability scanning tools will give you the info. Next you research how this vulnerability can be exploited. You find out that this is an RCE (remote code execution) vulnerability.

    Now you go back to your boss and you say... You have an RCE vulnerability that could allow an attacker to execute code on your server, plus this server is a high-criticality server that processes sensitive information. If the vulnerability gets exploited, you are faced with losing all that sensitive information.

    At this point your boss will say: OK, is it worth the effort to fix it, update it, patch that server? How much will it cost vs. how much it will cost if we don't? Now you are at the stage where they can talk business risk. That's a bit simplistic, but I hope you get my point.

    Start with reading about risk assessments and calculating qualitative vs. quantitative risk. Move higher from there. Then read CISM and CRISC, but first you need to understand the risk of a vulnerability and do a vulnerability assessment in order to translate that into business risk.
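The scenario in the post above (internal app server, sensitive customer data, RCE finding, "is it worth the cost to patch?") worked through as an added example; this is not code from the poster, and the asset value, user count, downtime, exposure factor and annual rate of occurrence are constructed figures, while the 4x4 criticality-by-severity matrix and the SLE/ALE formulas are standard qualitative and quantitative risk methods rather than anything the post prescribes.

```python
from dataclasses import dataclass

# Ordinal scale shared by asset criticality and scanner severity (assumed scale, not from the post).
LEVELS = {"low": 1, "medium": 2, "high": 3, "critical": 4}

@dataclass
class Asset:
    name: str
    criticality: str        # business criticality assigned by you, e.g. "high"
    data_value: float       # estimated cost of losing the sensitive data it processes
    users: int              # people who cannot work while the server is down
    hourly_cost: float      # loaded cost of one user-hour of lost work

@dataclass
class Vulnerability:
    name: str
    severity: str           # as reported by the scanner, e.g. "critical" for an RCE
    exposure_factor: float  # fraction of data_value lost in one successful exploit (0..1)
    downtime_hours: float   # outage expected while recovering from one exploit
    aro: float              # annual rate of occurrence: expected exploits per year

def qualitative_risk(asset: Asset, vuln: Vulnerability) -> str:
    """Criticality x severity on a simple 4x4 matrix -> qualitative risk rating."""
    score = LEVELS[asset.criticality] * LEVELS[vuln.severity]
    for threshold, rating in ((12, "critical"), (6, "high"), (3, "medium")):
        if score >= threshold:
            return rating
    return "low"

def single_loss_expectancy(asset: Asset, vuln: Vulnerability) -> float:
    """SLE: data loss plus lost productivity from one successful exploit."""
    data_loss = asset.data_value * vuln.exposure_factor
    downtime_loss = asset.users * vuln.downtime_hours * asset.hourly_cost
    return data_loss + downtime_loss

def annualized_loss_expectancy(asset: Asset, vuln: Vulnerability) -> float:
    """ALE = SLE * ARO: the yearly figure a manager can weigh against the fix cost."""
    return single_loss_expectancy(asset, vuln) * vuln.aro

def patch_decision(asset: Asset, vuln: Vulnerability, patch_cost: float) -> dict:
    """The business question from the post: cost to fix vs. expected cost of not fixing."""
    ale = annualized_loss_expectancy(asset, vuln)
    return {"rating": qualitative_risk(asset, vuln), "ale": ale,
            "patch_cost": patch_cost, "worth_fixing": patch_cost < ale}

# Constructed figures for the post's scenario: internal app server with an RCE finding.
APP_SERVER = Asset("internal-app-01", "high", 500_000.0, 200, 50.0)
RCE = Vulnerability("RCE in app framework (example)", "critical", 0.6, 8.0, 0.5)
DECISION = patch_decision(APP_SERVER, RCE, patch_cost=8_000.0)
```

With these figures the finding rates "critical" qualitatively, one exploit costs 380,000 (300,000 data loss plus 80,000 downtime), and the ALE of 190,000 against an 8,000 patch makes the fix an easy business case; change the figures and the same functions show when it is not.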
  • TechGuru80 Member, Posts: 1,539
    @TheFORCE Any suggestions then on learning/understanding the business risk?
    Business risk varies by industry, location, climate, etc., so you need to understand things like business objectives, competitors, and technology utilized for starters. For example, government will be worried about nation-state attackers, but a fishing company is unlikely to be concerned with that; thus the controls will be different because they face different threats.

    To learn about understanding risk from a high level and potential ways to manage it, you can study CRISC / CISA, the NIST SP 800 series (837, 53, 53A, etc.), and COBIT; that will get you started.

    It's important to understand that there is no one-size-fits-all approach, and the solution is not always technical, so you won't see a lot of specific technologies listed.