More about a career in Cyber Security Governance & Risk Management
There is a wide variety of possible roles, depending on the mix of governance and risk management responsibilities and the level of responsibility.
In an entry-level role in GRC (Governance, Risk & Compliance), you undertake a broad mixture of duties focused on the practicalities of managing risks: you draft policies, carry out risk assessments, and verify compliance with the agreed policies. You do this under the supervision of a senior manager who, in a small organisation, may be the Chief Information Security Officer (CISO).
In a GRC role with more responsibility for ensuring compliance and establishing and validating governance systems, you probably have at least three years of cyber security experience, and the confidence to manage the responsibility.
For those focused on risk management, there may be two cycles of work: the periodic carrying-out of large-scale assessments/reassessments of cyber security risks to the whole organisation or to particular systems; and frequent updates to specific risk assessments as the nature and scale of threats and vulnerabilities change.
When you identify potential risks, you need to understand the organisation’s assets and their value, so you need to have regular conversations with general managers and other relevant stakeholders across the organisation. You know how the organisation’s data is stored and how it flows between systems. Likewise, when you assess the likelihood and impact of a risk affecting a system or a set of information, you work closely with colleagues with other types of cyber security responsibilities, particularly in Vulnerability Management and Cyber Threat Intelligence.
Much of the work requires you to work very methodically on interpreting and applying standards and legislation, whether you're working on policies or monitoring compliance or using standard tools and techniques to assess risks. You write a fair amount, such as when maintaining a risk register or drafting policies.
If your responsibilities extend beyond identifying and assessing risks to determining the most appropriate approaches to managing them, you will be creative in using your understanding of the organisation’s business and values, the scale of the risks and the effectiveness of the available risk control options.
Overall, work in this specialism is about protecting the security of an organisation’s information systems and data, by setting policies, monitoring compliance and following defined procedures to identify, assess and manage risks from external and internal threats, all guided by the organisation’s view of risk.
As a practitioner, you might:
- draft cyber security policies and procedures, taking account of an organisation’s legal, regulatory and operational requirements
- monitor compliance with policies
- identify cyber security risks, posed by the combination of vulnerabilities and threats, to the security of an organisation’s information systems and data
- assess the impact and likelihood of identified cyber security risks
- depending on the level of responsibility and the severity of specific risks, propose measures - including avoidance, mitigation, sharing and acceptance - to manage risks
- create and maintain a risk register or include the cyber security risks in the organisation’s overall risk register
As a senior practitioner, you might:
- identify the requirement for policies and procedures and monitor their production and updating
- approve policies and procedures
- oversee the monitoring of compliance with agreed policies and procedures and report on this to senior management
- set up and maintain the arrangements for managing cyber security risk, including agreeing organisational structures and formalising lines of authority
- engage with heads of business departments to demonstrate the cyber risks which the organisation faces through existing processes and to recommend changes to them
- assess and report on the effectiveness of risk management standards and policies
- contribute to an organisation’s high-level risk strategy and the definition of its risk appetite
- manage governance and risk management practitioners
Many smaller organisations include cyber security governance and risk management in a general business risk management team. Those which maintain a separate cyber security risk management function may have two levels of responsibility.
A practitioner:
- will tend to focus on risk identification and assessment and, in some cases, drafting policies, taking account of legal and regulatory requirements, and monitoring compliance with these policies
- may also be involved in monitoring the effectiveness of the risk management controls which are applied
A senior practitioner:
- will have responsibility for overseeing the risk management process and contributing to the resolution of complex issues assessment
- may also oversee the work of junior colleagues, particularly in the production and approval of policies
- will work with risk owners, general business managers or colleagues in other departments such as IT, to manage policies and risks in the context of the organisation’s high-level objectives and values.
Someone working in this specialism may be:
- in a dedicated cyber security risk management team
- in a broad role covering governance, risk management and compliance
- in a general business risk management team; or, in a small organisation, the only person responsible for cyber security governance and risk management
- taking account of multiple complex factors to arrive at logical, repeatable conclusions
- verbal and written communication, especially in producing formal documents which are comprehensive and without ambiguities
- presenting logical, objective reasons for all decisions made
- encouraging and supporting colleagues, including those in other departments, to achieve shared objectives
- working effectively within organisational policies, procedures, and security and legal constraints
- being sensitive and constructive when challenging other people’s ideas or decisions
- evaluating the probable social, commercial, cultural, ethical and environmental consequences of an action
- using statistical, mathematical or financial techniques to assess the likelihood (taking account of vulnerabilities and threats) and impact of cyber-attack techniques and deliberate or unintentional damaging actions by people within the organisation
- applying risk management methodologies, such as those in ISO 27001, and sector-specific requirements, such as PCI-DSS
- interpreting legal and regulatory requirements and integrating them with an organisation’s operational requirements
- assessing the compliance of procedures and practice with agreed standards
CIISec Skills Groups* (additional Skills Groups may also be relevant to particular jobs)
A1 – Governance
- directs, oversees, designs, implements or operates within the set of multi-disciplinary structures, policies, procedures, processes and controls implemented to manage Cyber and Information Security at an enterprise level, supporting an organisation’s immediate and future regulatory, legal, risk, environmental and operational requirements and ensuring compliance with those requirements
A2 – Policy and Standards
- directs, develops or maintains organisational Cyber and Information Security policies, standards and processes using recognised standards (e.g. the ISO/IEC 27000 family, the Security Policy Framework) where appropriate
- applies recognised Cyber and Information Security standards and policies within an organisation, programme, project or operation
A6 – Legal and Regulatory Environment and Compliance
- understands the legal and regulatory environment within which the business operates. Ensures that Information Security Governance arrangements are appropriate
- ensures that the organisation complies with legal and regulatory requirements
B2 – Risk Assessment
- identifies and assesses information assets
- uses this information and relevant threat assessments, business impacts, business benefits and costs to conduct risk assessments and identify and assess potential vulnerabilities
B3 – Information Risk Management
- develops Cyber and Information Security risk management strategies and controls, taking into account business needs and risk assessments, and balancing technical, physical, procedural and personnel controls
*Non-Commercial - No Derivatives (BY-NC-ND) license. 2021 Copyright © The Chartered Institute of Information Security. All rights reserved. Chartered Institute of Information Security®, CIISec®, AfCIIS®, ACIIS®, MCIIS®, FCIIS® and the CIISec graphic logo are trademarks owned by The Chartered Institute of Information Security and may be used only with express permission of CIISec.
Any role in which you have developed the abilities to assess complex sets of factors, methodically generate logical conclusions and document these very clearly, could provide a good foundation, with some additional specialist training, for a role in this specialism.
Examples of such careers and roles include:
- roles in the emergency services, especially fire and police services, which require substantial risk management
- operational and staff roles in the Armed Forces
- business risk management
- business operations
- IT system management
- business continuity
- financial or internal audit
- specialist commercial insurance assessment
Working in a cyber security role requires specialist knowledge, and some roles require a lot. Such knowledge can be acquired in several ways and, although the requirements for any given role are described here in terms of Knowledge Areas (KAs) from the Cyber Security Body of Knowledge (CyBOK), this doesn't mean that a cyber security specialist must read the relevant sections of CyBOK.
Increasingly, however, cyber security qualifications, training and skills definitions are being mapped to CyBOK - so the KAs are a good way of describing the knowledge associated with a specialism.
As an experienced practitioner in a Cyber Security Governance & Risk Management role, you'll typically use the knowledge in the KAs listed below, although not always to the same level of detail. You're most likely to have a very good understanding of the Core Knowledge, which is essential to performing the role. You may still need a good understanding of the Related Knowledge but not to quite the same degree. You may have a much less detailed understanding of the elements of Wider Knowledge, which provides context for your work.
Coming into such a role, you will not be expected to have all this knowledge initially.
Security management systems and organisational security controls, including standards, best practices, and approaches to risk assessment and mitigation.
International and national statutory and regulatory requirements, compliance obligations, and security ethics, including data protection and developing doctrines on cyber warfare.
Usable security, social and behavioural factors impacting security, security culture and awareness as well as the impact of security controls on user behaviours.
If there are cyber-physical systems, such as industrial control systems (ICSs) within the scope of the role, the practitioner may also need:
Security challenges in cyber-physical systems, such as the Internet of Things and Industrial Control Systems, attacker models, safe-secure designs, and security of large-scale infrastructures.
The configuration, operation and maintenance of secure systems including the detection of and response to security incidents and the collection and use of threat intelligence.
Someone might start in this specialism as an apprentice.
Alternatively, you may start as a graduate, with a degree in:
- cyber security or information security
- business/management/accounting and computing
- management studies
Or, you might move into a role in this specialism from another business or IT role, or from a position in another cyber security specialism:
From this specialism you might, with appropriate technical training, move into a role in:
Or, you might progress into a more senior role in Governance & Risk Management. In a small organisation you might become the head of cyber security, or possibly take on a Chief Information Security Officer (CISO) role.
For practitioner roles, job titles include:
- Technology Risk & Controls Analyst
- Cyber Risk & Compliance Manager
- Cyber Risk Analyst
- Cyber Risk Consultant
- GRC Risk Management Senior Associate
- Information Security Risk Analyst
- IT Risk and Compliance Manager
- IT Security and Risk Manager
- Information Security Consultant (although these may also be used for generalist roles)
- Information Security Manager (although these may also be used for generalist roles)
- GRC officer
- Technology Risk Oversight Officer
For senior practitioner roles, titles include:
- Senior Governance, Risk and Compliance (GRC) Analyst
- Governance, Risk and Compliance Manager
- Head of Cyber Risk and Assurance
A cyber security governance and risk management practitioner might earn between £20,000 and £65,000 a year. The median figure in February 2021 was £52,500.
A senior practitioner might earn between £60,000 and £100,000. The median figure in February 2021 was £65,000.
These ranges are calculated from a survey of job vacancy advertisements published online in December 2020. Median salary figures are taken from calculations performed by www.itjobswatch.co.uk. Both of these sources had small sample sets in the period in which the figures were generated.