Any risk managers here?

Hey guys,

I have received an offer from our info risk mgmt team and want to know how others experience this field. As a security practioner of course I am not new to risk response (acceptance, mitigation, etc), but it has not been my primary focus. I would really like to hear from someone that does this full time to know what it is like in the day of.

I would likely begin the role in September so if there is any recommended reading or videos to watch then please feel free to drop your suggestions here.

Background: networking, incident response, consultancy

Find more posts tagged with

risk and compliance business

risk analysis

risk management

Free for TechExams community: Cybersecurity salary guide

Compare cert salaries and plan your next career move

Button

Comments

UnixGuy

scasc said:

@UnixGuy - How are you mate? That is interesting - lots of free time lol. Am really surprised. What role is he doing and is he managing or consulting?

not too bad buddy!

he is a senior manager, for one of the biggest banks here, does a Line 2 risk management role.

His colleagues are constantly screaming "Busy busy" but he says otherwise

UnixGuy

E Double U said:

@UnixGuy - I have definitely made proper use of the time. Used a lot of time to knock out the CRISC and beginning a language course soon. I have also been doing volunteer work, exercising, meditating, and enjoying family time during the down periods so I have the time management piece covered. It is just when I do work I am not always into it. Never had this before. Not sure if it is age (41), re-evaluating things after covid, or if this really isn't for me. We shall see.

It's not just you, this is the nature of the role and it suits a lot of people and they seem to do other stuff in the down time. Other people seem to take longer to complete the same tasks that takes you shorter period of time so it varies. Your experience is similar to mine.

scasc

Thanks for the feedback - I checked out CGEIT, was simply too boring to digest. Went with the other one

E Double U

@scasc - Maybe boring, but likely an easy accomplishment looking at your signature.

scasc

Appreciate that - but just don't have it in me to do. Only really looking at things to do which captivate my interest.

E Double U

I am mentally checking out. Risk management is not for me. This is too boring.

scasc

What options do you have? Can you find another internal role back in 1st line?

E Double U

I have an upcoming discussion for an internal architect role which is a payscale above my current role. I have also been referred by people in my network for two roles at other companies and another company I applied with months ago for fun has reached out to me for an initial interview. So let's see what the future holds, but if I get my way it will not be risk mgmt.

scasc

A transition into an architect role would be pretty neat. I have done something similar myself. Better fit.

E Double U

@scasc - How was the transition for you? How long did you stay in risk mgmt before making the jump?

scasc

The transition was pretty smooth as I was working very closely with architects initially to ensure appropriate security measures were in place. Now rather than checking those measures are in place I pro actively make sure they are deployed from the start. So I still do technical risk assessments - but my work now is to also infuse security requirements, undertake threat modelling to mitigate threat actor behaviour etc. It is a much better world for me. I was working in risk for a number for years before making the transition. Bearing in mind I started in risk and developed my security tech advisory skill set. It took me time to find which is the better career path for me - my work is not hands on, I like delving deeper into tech discussions and I like to still ascertain where security risk lies - just not from a typical compliance/checkbox perspective but more from a tech standpoint.

JDMurray

What about the human security risk? Who does those assessments and control recommendations?

scasc

Do you mean testing controls in respect to awareness, training, phishing, policy violations through human action etc? If so, good question as its often a neglected area - depending on the org of course. I have found depending on the scope of work defined and budgeted based on key priorities it's either in place or not and then allocated to the most appropriate person.

JDMurray

I see the word "technical" used a lot in relation to risk management and security controls. When you look at the total threats to a large org, social engineering, theft, and fraud from a variety of attack vectors (e.g., telephone, email, in-person, etc.) is usually the largest percentage of successful attacks. These are best mitigated using human controls rather than technical controls, so I was wondering your take on this.

scasc

Fully agreed. Usually cyber risk departments operating as a second line of defence's role is to work with 1st line to validate the controls deployed in projects or areas which have been neglected previously. At the start of the year when the scope is defined the projects with most material impact are assessed. Sometimes these avenues are checked the human side but not as much as they should be if truth be told (however it does depend on each org). Myself, I have only worked on this briefly once when the security team were using Wombat to tackle social engineering of workers and to what degree they were clicking on suspicious emails followed up with training etc. But it was a small piece of work. It is a good point that not enough attention is paid to this side of security where human controls work best.

E Double U

Last month in risk mgmt w/ my current employer. Will keep you guys posted on my next adventure as it unfolds.

scasc

Hi - Just seen this. Where did you end up?

E Double U

@scasc

Joining AWS next week. Leadership role in Security Assurance which is their hybrid between 2nd and 3LoD.

scasc

Excellent - many congratulations. I know the setup and team well. I’ve been tempted to apply myself for couple roles at Amazon. But I’m keen to leverage my skillset around doing technical audits/risk assessments- based on OS, networks, apps, maybe cloud etc.