I have been performing cyber security risk management using the National Institute of Standards and Technology's (NIST) Risk Management Framework (RMF) over the past six years for large organizations. The process of analyzing information system risk has become very mature. The International Organization for Standardization and the International Electrotechnical Commission (ISO/IEC) also have their own process for managing information system risk in the ISO/IEC 27000 series of publications. However, I find these more difficult to work with because organizations must pay to access them. As such, the NIST RMF has become the more popular and readily accessible framework I have worked with in my information security career.
One of the challenges I have found throughout my career when attempting to address information system risk is that organizations have traditionally viewed cybersecurity as an Information Technology problem. I have since learned that it is my professional duty to ensure that this view does not affect my organization and that I bring the RISK aspect of information security risk management to the attention of business and system owners. Sometimes this isn't easy, and an approach such as the RMF helps to back me up as I attempt to demonstrate that information system risk management is also part of the organization's risk management strategy, and that senior managers and cyber security professionals owe an ethical duty to identify and minimize risk to acceptable levels wherever possible.
Formally reviewing the NIST RMF in a classroom setting allowed me to broaden my resource portfolio, as I was exposed to additional documentation that will assist me in my pursuit of minimizing information system security risks to my organization. This field is constantly changing and will continue to require a cyclic approach to risk management and a career-long pursuit of identifying new risks, remaining familiar with threats through a threat intelligence approach, learning new information, and contributing to the cyber security community. This is a wonderful time to be a part of the cyber security community, and I owe it to those before me to continue participating in it.