IT Security Risk Management Course/Studying

Hey Forum:

During my time working in security, the main thing I am seeing is conveying and being able to communicate the business risk. It is a weakness of mine and I need to grow in that area if I want to get to my next level in my career. Does anyone know of any good course, book or certification that can help with understanding business risk or even risk management in general? Thanks!

Find more posts tagged with

SAVE $250 on Your Boot Camp — Use Code "EXAM26"

Exclusively for TechExams members for Infosec Boot Camps starting before April 30, 2026

View Boot Camps

Comments

UnixGuy

Great question. Apart from CISSP, I'm not too sure. I did some risk assessment, and just had to follow the existing procedure in place (i.e. looked at existing document for a previous project and used it as a template for the next one..).

tedjames

www.cybrary.it has some great, free risk management training.

JoJoCal19

The absolute BEST resources are probably going to be the CRISC and CISM Review Manuals from ISACA (I own them and a bunch of other related books). The cheapest, but still good options are going to be Security Risk Management: Building an Information Security Risk Management Program from the Ground Up and Information Security Risk Assessment Toolkit: Practical Assessments through Data Collection and Data Analysis (I own these as well).

[Deleted User]

Awesome!! Thanks guys!! Yeah I'm always being told say I find x vulnerability, "what is the risk". It sucks since it is holding me back from moving forward but need to get that part nailed down!

TheFORCE

kMastaFlash wrote: »

Awesome!! Thanks guys!! Yeah I'm always being told say I find x vulnerability, "what is the risk". It sucks since it is holding me back from moving forward but need to get that part nailed down!

The CISM or CRISC will not help you with addressing what is the risk with X vulnerability. Their risk focuses more on business risk which is a bit higher on the list of the risk you are trying to identify.

[Deleted User]

@TheFORCE Any suggestions then on learning/understanding the business risk?

TheFORCE

kMastaFlash wrote: »

@TheFORCE Any suggestions then on learning/understanding the business risk?

Yes, start with identifying critical assets and critical areas of the network. And assign criticality to them, come up with your own numbers or looks up some risk assessment templates and methodologies.

For example lets say you have an internal server that hosts an application that internal users use on a daily basis, if this server goes go then people wont be able to worl for x amount of time. On top of that this server also processes sensitive customer information. You scan the server and you find xyz vulnerability. What you need to do at this point you need to find the severity of the vulnerability. Most vulnerability scanning tools will give you the info. Next you research how this vulnerability can be exploited. You find out that this is a RCE (Remote code execution) vulnerability .

Now you go back to your boss and you say... You have a RCE vulnerability that could allow an attacker to execute code on your server plus this server is a high criticality server that processes sensitive information. If the vulnerability gets exploited you are faced with losing all that sensitive information.

At this point your boss will say ok, is it worth the effort to fix it, update it, patch that server how much will it cost vs how much it will cost if we dont. Now you are at the stage where theu can talk business risk. That's a bit simplistic but I hope you get my point.

Start with reading about risk assessments and calculating qualitative vs quantitative Risk. Move higher from there. Then read CISM and CRISC but first you need to understand the risk of a vulnerability and do a vulnerability assessment in order to translate that into business risk.

TechGuru80

kMastaFlash wrote: »

@TheFORCE Any suggestions then on learning/understanding the business risk?

Business risk varies by industry, location, climate, etc....so you need to understand things like business objectives, competitors, and technology utilized for starters. For example, government will be worried about nation-state attackers but a fishing company is unlikely to be concerned with that...thus the controls will be different because they face different threats.

To learn about understanding risk from a high level and potential ways to manage it...you can study CRISC / CISA, NIST SP 800 series (837, 53, 53A, etc.), and COBIT will get you started.

It's important to understand that there is no one size fits all approach, and the solution is not always technical...so you won't see a lot of specific technologies listed.