Risk Management - Cybersecurity
By Gideon T. Rasmussen, CISSP, CRISC, CISA, CISM, CIPP

This slide provides an overview of risk management within a cybersecurity program. Please reference the supporting narrative below.

Cybersecurity findings are like a fire that you stoke, strive to control and can never extinguish.

We identify risk through assessments, scans, penetration tests and exercises. We detect suspicious activity via security monitoring software and the Security Operations Center. We analyze cyber threat intelligence and conduct threat hunting, actively searching for adversaries in the IT environment.

We mitigate risk through business continuity, disaster recovery and incident response. We stack-rank security findings with high risk at the top. We remediate in order of risk priority (mitigate risk top-down). We establish controls to address emerging threats and new technologies.

We provide risk transparency through risk register entries. 'Risk mitigate' is assigned to higher-risk issues that take an extended time to remediate. 'Risk accept' entries are generally lower risk and may also be high cost (accept risk bottom-up). We decide on and approve risk register entries in an executive risk governance forum. We include register entries within cybersecurity committee presentations to provide risk transparency to the board of directors.
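As an added illustration, not part of the original slide, here is the stack-rank and risk-register logic from the two paragraphs above in Python. The 1-5 likelihood/impact scale, the thresholds, and the sample findings are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Thresholds are assumptions for this example, not values from the slide.
HIGH_RISK = 15        # likelihood x impact (each 1-5) at or above this is "higher risk"
EXTENDED_DAYS = 90    # remediation longer than this counts as "extended time"
HIGH_COST = 50_000    # estimated remediation cost above this counts as "high cost"


@dataclass
class Finding:
    name: str
    likelihood: int   # 1 (rare) .. 5 (almost certain)
    impact: int       # 1 (negligible) .. 5 (severe)
    days_to_fix: int  # estimated calendar days to remediate
    cost: int         # estimated remediation cost

    @property
    def risk(self) -> int:
        return self.likelihood * self.impact


def stack_rank(findings: List[Finding]) -> List[Finding]:
    """Highest risk first, so remediation proceeds top-down; quicker fixes break ties."""
    return sorted(findings, key=lambda f: (-f.risk, f.days_to_fix))


def register_entry(f: Finding) -> Optional[str]:
    """Decide whether a finding needs a risk register entry for the governance forum."""
    if f.risk >= HIGH_RISK and f.days_to_fix > EXTENDED_DAYS:
        return "Risk mitigate"   # high risk, long remediation: tracked until closed
    if f.risk < HIGH_RISK and f.cost > HIGH_COST:
        return "Risk accept"     # low risk, expensive fix: accepted bottom-up
    return None                  # remediated in queue order, no register entry


def triage(findings: List[Finding]) -> List[Tuple[str, int, Optional[str]]]:
    return [(f.name, f.risk, register_entry(f)) for f in stack_rank(findings)]


# Constructed sample findings (hypothetical, for the example only)
SAMPLE = [
    Finding("Unpatched internet-facing VPN appliance", 5, 5, 14, 5_000),
    Finding("Legacy app without MFA, retirement planned", 4, 4, 180, 20_000),
    Finding("Verbose error pages on internal wiki", 2, 2, 30, 80_000),
    Finding("Missing rate limiting on internal API", 3, 3, 60, 10_000),
]

if __name__ == "__main__":
    for name, risk, entry in triage(SAMPLE):
        print(f"{risk:>3}  {entry or 'remediate':<14} {name}")
```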

For some this may be aspirational, which is OK. “Plan the work, work the plan”. Here if you need me.
