Risk Management - Cybersecurity
By Gideon T. Rasmussen, CISSP, CRISC, CISA, CISM, CIPP
This slide provides an overview of risk management within a cybersecurity program. Please
reference the supporting narrative below.
Cybersecurity findings are like a fire that you stoke, strive to control and can never extinguish.
We identify risk through assessments, scans, penetration tests and
exercises. We detect suspicious activity via security monitoring software and the Security
Operations Center. We analyze cyber threat intelligence and conduct threat hunting, actively
searching for adversaries in the IT environment.
We mitigate risk through business continuity, disaster recovery and incident response. We stack-rank
security findings with high risk at the top. We remediate in order of risk priority (mitigate risk
top-down). We establish controls to address emerging threats and new technologies.
We provide risk transparency through risk register entries. 'Risk mitigate' is assigned to
higher risk issues that take extended time to remediate. 'Risk accept' entries are generally
lower risk and may also be high cost (accept risk bottom-up). We decide on and approve risk
register entries in an executive risk governance forum. We include register entries within
cybersecurity committee presentations to provide risk transparency to the board of directors.
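The stack-ranking and register rules from the two paragraphs above, modeled as a small triage routine. This is an added example, not code from the author or the slide; the likelihood/impact scale, the thresholds (HIGH_RISK_SCORE, EXTENDED_DAYS, HIGH_COST_USD) and the sample findings are assumptions constructed for illustration.

```python
"""Model of the stack-rank / risk-register triage described in the narrative.
Thresholds and sample findings are assumptions for illustration."""
from dataclasses import dataclass


@dataclass
class Finding:
    title: str
    likelihood: int         # 1 (rare) .. 5 (almost certain)
    impact: int             # 1 (negligible) .. 5 (severe)
    remediation_days: int   # estimated time to fully remediate
    remediation_cost: int   # estimated cost in USD

    @property
    def risk_score(self) -> int:
        return self.likelihood * self.impact


# Assumed thresholds; tune to the organization's risk appetite.
HIGH_RISK_SCORE = 12     # score at or above this is "higher risk"
EXTENDED_DAYS = 90       # remediation longer than this needs a register entry
HIGH_COST_USD = 100_000  # low-risk fixes above this cost are candidates to accept


def stack_rank(findings):
    """Highest risk at the top; ties broken by title for a stable list."""
    return sorted(findings, key=lambda f: (-f.risk_score, f.title))


def disposition(f):
    """Map one finding to its treatment, following the narrative's rules."""
    if f.risk_score >= HIGH_RISK_SCORE:
        # higher risk: remediate, or register as 'risk mitigate' if it takes extended time
        return "risk mitigate" if f.remediation_days > EXTENDED_DAYS else "remediate"
    # lower risk: remediate in priority order, or 'risk accept' when the cost is high
    return "risk accept" if f.remediation_cost > HIGH_COST_USD else "remediate"


def risk_register(findings):
    """Entries that go to the executive risk governance forum for decision."""
    return [(f.title, disposition(f)) for f in stack_rank(findings)
            if disposition(f) != "remediate"]


# Constructed sample findings (not real data)
SAMPLE = [
    Finding("Legacy app lacks MFA", 4, 4, 180, 250_000),
    Finding("Unpatched internet-facing server", 5, 5, 14, 5_000),
    Finding("Verbose error pages on intranet site", 2, 2, 10, 2_000),
    Finding("Mainframe logging gap", 2, 3, 400, 400_000),
]

if __name__ == "__main__":
    for f in stack_rank(SAMPLE):
        print(f"{f.risk_score:>2}  {disposition(f):<14} {f.title}")
```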
For some this may be aspirational, which is OK. “Plan the work, work the plan”. Here if you