Cyber Security Governance & Risk Management is the monitoring of compliance with agreed cyber security policies and the assessment and management of relevant risks.
In an entry level role, there is a broad mixture of duties focused on the practicalities of managing risk:
Roles with more responsibility ensure compliance and establish and validate governance systems; these roles require at least three years of cyber security experience and the confidence to carry that responsibility.
For those focused on risk management, there may be two cycles of work:
When potential risks are identified, there needs to be an understanding of the organisation’s assets and their value, so regular conversations with general managers and other relevant stakeholders across the organisation are key. Knowledge of how the organisation’s data is stored and how it flows between systems is also important. Likewise, assessing the likelihood and impact of a risk affecting a system or set of information involves working closely with other types of cyber security teams, particularly Vulnerability Management and Cyber Threat Intelligence.
Whether working on policies, monitoring compliance, or using standard tools and techniques to assess risk, much of this work requires a methodical approach to interpreting and applying standards and legislation. Documenting these risks is important, whether on a risk register or in the policies being drafted.
If responsibilities extend beyond identifying and assessing risks to determining the most appropriate approaches to managing them, some creativity is needed to draw on an understanding of the organisation’s business and values, the scale of the risks, and the effectiveness of the available risk control options.
Cyber Security Governance and Risk Management protects the security of an organisation’s information systems and data by setting policies, monitoring compliance and following defined procedures to identify, assess and manage risks from external and internal threats.
In detail, you might:
With more experience, you might also:
For Cyber Security Governance and Risk Management roles, titles include:
For more experienced Cyber Security Governance and Risk Management roles, titles include:
A Cyber Security Governance and Risk Management role could earn between £20,000 and £65,000 a year. The median figure in February 2021 was £52,500.
A senior Cyber Security Governance and Risk Management role could earn between £60,000 and £100,000. The median figure in February 2021 was £65,000.
These ranges are calculated from a survey of job vacancy advertisements published online in December 2020. Median salary figures are taken from calculations performed by www.itjobswatch.co.uk. Both of these sources had small sample sets in the period in which the figures were generated.
Each of the 16 specialisms is based on knowledge areas within CyBOK.
More information on CyBOK knowledge areas can be found here.
Here are the knowledge areas associated with Cyber Security Governance & Risk Management:
Core knowledge – you will need a very good understanding of these areas
Related knowledge – you will need a solid understanding of these areas
Wider knowledge – these areas will help to provide context for your work
CIISec Skills Groups* (additional Skills Groups may also be relevant to particular jobs)
A1 – Governance
A2 – Policy and Standards
A6 – Legal and Regulatory Environment and Compliance
B2 – Risk Assessment
B3 – Information Risk Management
*Non-Commercial - No Derivatives (BY-NC-ND) license. 2021 Copyright © The Chartered Institute of Information Security. All rights reserved. Chartered Institute of Information Security®, CIISec®, AfCIIS®, ACIIS®, MCIIS®, FCIIS® and the CIISec graphic logo are trademarks owned by The Chartered Institute of Information Security and may be used only with express permission of CIISec.
Any role that develops the ability to assess complex sets of factors, methodically generate logical conclusions and document them very clearly could provide a good foundation, with some additional specialist training, for a role in this specialism.
Examples of such careers and roles include:
From this specialism you might, with appropriate technical training, move into a role in:
Or, you might progress into a more senior role in Governance & Risk Management. In a small organisation you might become the head of cyber security, or possibly a Chief Information Security Officer (CISO) role.
Our qualifications framework is currently under development. Sign up to our newsletter here to be notified when this is published.
Entry route information can be found here.
You can also visit the National Cyber Security Centre website at the links below:
If you are applying for a Professional Registration Title, the Standard of Professional Competence and Commitment for Cyber Security Governance & Risk Management can be found here.