Any risk managers here?

E Double U

Hey guys,

I have received an offer from our info risk mgmt team and want to know how others experience this field. As a security practioner of course I am not new to risk response (acceptance, mitigation, etc), but it has not been my primary focus. I would really like to hear from someone that does this full time to know what it is like in the day of.

I would likely begin the role in September so if there is any recommended reading or videos to watch then please feel free to drop your suggestions here. 

Background: networking, incident response, consultancy

JDMurray

I have no hands-on experience in Risk Management and would welcome a rousing discussion from RM people!

E Double U

Hopefully I can get some tips before I get the hands on LOL

UnixGuy

Well I've been in it but from an InfoSec angle, I also worked in a Big4 in the risk assurance function and dealt a lot with them

The methodology that you use to do 'infosec risk assessment' is the same method that you'd use to carry out other types of risk assessments.

"Risk Management" is very broad, what exaclty is your role? Line1 / 2 / 3? audit? analyst? do you have a separate compliance department ? do you work under legal?

I don't know what your role would be and what's your scope, but you need to get comfortable working with auditor, compliance, legal, and finance. Big part of the job I found is communication skills. 

The job might entail documenting audit findings, following up on audit remediations, communicating/reporting to audit/risk committees or execs, maintaining a risk register.

if you have a line 2 risk manager (or if that's your role), you'll need to validate that controls are operating effectively, and you need to challenge what's implemented

your job might to conduct risk assessments for projects (depends on the business you're in).

If you tell us more about your scope or your job description I can help you more

Overall, this is where I took my career to because I just didn't wanna be called at 3:00am about a security incident and I got tired of chasing the latest IOC and malware. It's more structured and I started to enjoy

JDMurray

What about the differences in the "form and function" of information produced by different RM teams? For example, RM people working in a finance department will produce RM information that is different from the RM people working in a cybersecurity threat intelligence department. An RM person needs to know how to analyze and produce RM information in form and content that is usable by their specialized department.

UnixGuy

JDMurray said:

What about the differences in the "form and function" of information produced by different RM teams? For example, RM people working in a finance department will produce RM information that is different from the RM people working in a cybersecurity threat intelligence department. An RM person needs to know how to analyze and produce RM information in form and content that is usable by their specialized department.

That's correctr and it depends on the size of the organisation, sometimes a risk manager will have a risk analyst that interprets financial audit findings, and sometimes it's the same person. I don't have extensive financial training but I'm able to interpret financial risks. Risk managers don't need to be experts in every area, but some basic knowledge helps.

Some organisations can afford to have InfoSec Risk managers, others just have one person running around doing everything and they rely on third parties to offer such service.

Broad finance knowledge always helps, but knowledge of the industry also helps as there are different regulatory requirements

scasc

Pretty much what I do day in day out. Day involves reviewing and undertaking risk analysis against whatever is in scope - be that a new system, web app, network tech, cloud etc and articulating gaps to policy and best practices. Key thing is to specify the likelihood which comes about due to the possibility of the threat actor exploiting a vulnerability (materiality of vulnerability) and the impact which depends on sensitivity of data or operations being exploited. 

Role pretty much involves interviewing stakeholders to get the information, understanding and reading up on frameworks, compliance standards, understanding policies and standards, depending on your role could involve taking a quantitative approach to show dollar loss of value. 

To prove design effectiveness on controls you would check policies exist for the controls and operating effectiveness is testing the controls. This may include sampling, collection of evidence etc. Writing working papers is key as well as final report.

It’s certainly not for everyone as one might get bored but hopefully this helps. 

JDMurray

How is quantitative versus qualitative data created and used? For example, can you actually quantify the annual likelihood of a (as of yet undiscovered) zero-day exploit successfully impacting an Internet-exposed system? We've all seen the ALE/SLE/ARO math on cert exams, but where do the real numbers come from to plug into those calculations?

scasc

There is a methodology called open fair. That advocates the use of quantitative risk analysis by using what they use in the banking world - VAR modelling. Im not an expert in this area of risk but in a nutshell you build a mathematical model or by using VAR and plug the numbers in based on your assumptions. As the numbers are assumptions I suppose they could be disputed but the modelling elements comes from VAR and is part of the Open Fair method. Just like in the market risk function of an investment bank, they use VAR to predict the rise and fall of stock/equity etc based on market environment factors. They apply this to the cyber world.

UnixGuy

JDMurray said:

How is quantitative versus qualitative data created and used? For example, can you actually quantify the annual likelihood of a (as of yet undiscovered) zero-day exploit successfully impacting an Internet-exposed system? We've all seen the ALE/SLE/ARO math on cert exams, but where do the real numbers come from to plug into those calculations?

It's tricky, but instead of quantifying the likelihood of zero day exploit happening, you can quantify the maximum tolerable outage of such system.

Or, a qualititative approach would be a windows server have a high likelihood of having zero day exploit, which you can reduce by having it behind layers of security tools, with active monitoring, patching, etc.

You can quantify most things but there is a qualitative aspect as well

E Double U

@UnixGuy and @scasc

I work for a financial institution that has 3 lines of defense: 1st line owns/manages risk directly, 2nd line oversees 1st line (setting policies, defining risk tolerance, etc), and 3rd line is internal audit working independently of the other 2 lines of defense. My role will be in the 2nd line of defense. My role is to ensure we are in control of operational risks with a focus on information security. So the business will reach out to the team for our risk management knowledge and the end product is advice. The job description is vague, but it appears to be a big stakeholder management job. Besides execs, we will consult with legal, compliance, and more via risk assessments plus increasing risk awareness. I have been in a security consultancy role since February for the same company and I already do some risk manager activities, but now I will focus on that. This is a non-financial risk role. 

What helped with your transition into risk magement? Any books or podcasts you found extremely useful? What do you see risk management as a step towards in the future for your careers? 

Maybe I should get started on CRISC

UnixGuy

@E Double U:

So your role is strictly Line 2! That's an interesting role. I'd say relationships with business unit is essential, relationships is a big big part of your role. They need to trust you and you need to trust them.

You will be reviewing their controls libraries, testing the effectiveness of their controls, and possibly setting standards.

CRISC is applicable here. I don't think I learned anything from ISACA but I believe the material is applicable. My learning was from working at a Big 4 and also just googling and reading online. You learn more on the job. I know SANS has a risk cert as well that @scasc has

There are so many publications by Big4s about how risk management should happen so just try and read. Get very familiar with frameworks and dont be afraid to ask for SMEs help

scasc

Common governance structure within FS. Fortunate enough to have worked across all 3 lines of defence. As its a 2nd line role, the work will revolve around interacting with 1st line and obtaining assurance that risk has been identified or will be identified based on the projects undertaken. The thing with risk is that every place has its own methodology. I think that CRISC is interesting because it covers this but I also believe something like ISO 270005 is pretty good because it helps to provide a framework and methodology in conducting a risk assessment. Usually firms align to ISO 27005 or IRAM in Europe. 

Pretty much doing a risk assessment of the scope and bringing out risk items - threat actors exploiting vulnerabilities which lead to risks. You could be also working with 3rd line so they check the output and thoroughness of the work undertaken.....Sigh....those IA folks . 

The Risk lead will probably be setting the tone around risk management framework - so a common set of practices are followed and aligned to this framework (e.g. ISO 27005/31000). 

E Double U

I appreciate all of the feedback. I will keep you guys up to date on my journey. 

scasc

Best of luck, keep us posted. 

E Double U

3+ months into the role and so far so good. Lots of meetings which are not all interesting and I even provided feedback that some of the work is boring. I have an IT background so I am fine when discussing information risk, but my department is also responsible for operational risk and some of the discussions just flat out don't capture my attention. Work includes change risk assessments, forming quarterly 2LoD opinions on risk reports, regular tactical and governance sessions, etc. 

Started studying for CRISC as well.

scasc

You will find that the work is varied but this can mean there are interesting and pretty dull parts to it. Only advise I can give is that if you are deemed an SME on the technical side of cyber; and this is your USP, then whenever such projects come they would go to you - risk is a pretty diverse function but you will find that most of the folks in that space are not really techie - mainly GRC/audit type of background. Try using your background to differentiate. Then build relationships with the 1st line as well. 

CRISC should not be an issue, I passed myself within 3-4 weeks of reviewing the Q&A's. I think everyone I know who has passed has done this. 

E Double U

scasc said:

You will find that the work is varied but this can mean there are interesting and pretty dull parts to it. Only advise I can give is that if you are deemed an SME on the technical side of cyber; and this is your USP, then whenever such projects come they would go to you - risk is a pretty diverse function but you will find that most of the folks in that space are not really techie - mainly GRC/audit type of background. Try using your background to differentiate. Then build relationships with the 1st line as well. 

CRISC should not be an issue, I passed myself within 3-4 weeks of reviewing the Q&A's. I think everyone I know who has passed has done this. 

Definitely not many techies within the dept which is what mgmt wants to change as my employer is really focused on digitalization. I was hired to bring that balance. Luckily I have already been with my employer for five years within the 1LoD so many relationships already established. I was actually assigned the business line that I left to join risk mgmt lol.

I breezed through the ISACA manual rather quickly. Now I am just practicing within the QAE database until my finance dept pays for my exam. Plenty of downtime at work during the holiday period so making proper use of the freedom. 

scasc

A match made in heaven with 1st line . Half the battle won when you have established relationships. Best of luck with CRISC, I am sure it will go pretty swiftly. Could you do the exam and reimburse the cost to your employer to pay this off? 

Technical risk assessments is an awesome function to be involved with, especially when you get to do real proper assessments around cyber topics (SOC/DLP/CASB/Cloud Security/Networks/Web Apps). It just gets pretty mind numbing with the non tech elements. I guess this is why its so popular with workers who want to get into Cyber who have been doing general IT auditing or even Internal/Financial Auditing. 

E Double U

Becoming a trusted risk advisor within 2LoD parties (compliance, legal, etc) is a bigger goal for me than winning over the 1LoD since I already have them on my side lol. 

My employer gives every employee a personal development budget of 1000 euros annually and I had a lot of money to burn so going that route. If I pay myself and submit an expense claim they will not deduct it from that pool so I would still be sitting on a load of cash that will just expire because it is use it or lose it. I am not in a rush to take the exam so no need for me to use my own funds up front. 

Most of my technical discussions at the moment are somehow cloud related. Good times!

scasc

Fantastic news. Sounds like you are nicely settled and have a great plan. 

E Double U

After a few more months in I must admit, a lot of risk management work is quite boring. It could just be my organization, but I just find myself bored out of my mind in a lot of meetings. I hope I can change my mind about this or I will be making another switch soon and I haven't been here that long lol.

scasc

lolzzz - the problem with techie folks doing 2nd line or even 3rd line work is that the work can be just mind numbing boring at times. Its everywhere trust me. 2nd line is framework/policy based work. You may find your world is still 1st line where all the action is. Unless you can maybe specialise in Cyber Risk or Cloud Risk (which I think you do anyway) and try put a stance to it where you are accountable for the outcomes this is the best it gets....

scasc

Just also remembered, you may also move to 1st line but still do risk type work where you essentially are doing risk assessments for projects and having more interesting discussions. You may find this is also another good route. Its something I have done.

E Double U

I figured that was the issue. I was hands-on/knee-deep in tech for over 15 years and moved into consultancy over a year ago. Though I had no access to any CLIs/GUIs I still had many technical discussions at a higher level. Within the risk mgmt dept here I get to touch on the topics sometimes, but still have to sit through discussions that also have to deal with other 2nd line of defense parties (legal, compliance, etc) and it just isn't for me. I will try to adjust my attitude and hang in there.

scasc

Eventually you will probably call it a day owing to the mind numbing other tasks you are involved with. Stick it out and try moving to a first line security risk/consulting type role where you dont have to be involved in the other noise. Its the reason I left tbh.

UnixGuy

I have a friend who does risk management work for a bank remotely, he has so much free time he is running a construction business on the side

Make of this what you will...

E Double U

@scasc - There are a lot of changes happening internally at the moment so I will see what comes of that.

@UnixGuy - I have definitely made proper use of the time. Used a lot of time to knock out the CRISC and beginning a language course soon. I have also been doing volunteer work, exercising, meditating, and enjoying family time during the down periods so I have the time management piece covered. It is just when I do work I am not always into it. Never had this before. Not sure if it is age (41), re-evaluating things after covid, or if this really isn't for me. We shall see. 

scasc

@UnixGuy - How are you mate? That is interesting - lots of free time lol. Am really surprised. What role is he doing and is he managing or consulting?

@E Double U -

That is a brilliant way to manage your time - well done. Wish you the best with this. I feel for you as I have been in the same boat. In my case I moved to 1st line - though I am a contractor. In time you will know what is the best path to take. Another observation I have made is that the tech industry would be interesting to do this type of work in - because they literally breath code day in day out (e.g. FAANG). Google had a security risk/audit role going where you needed to code in Python to extract and undertake data analysis for risk - don't normally get this in traditional industries. 

scasc

Here is one for you guys - I have a credit note I need to use with a training provider, don't need another cert but have to do one to use the credit note. Whittled it between CGEIT or ISO 27005 risk assessment. Former has a better name but mainly governance focussed which is not what I do latter has a more risk aligned syllabus and is cheaper so favouring this. Any thoughts? 

E Double U

scasc said:

. Whittled it between CGEIT or ISO 27005 risk assessment. 

ISACA for the win!