What does an information risk analyst do?

[00:00:05] Chris Sienko: Welcome to the InfoSec Career Video Series. These set of short videos will provide a brief look inside cybersecurity careers and the experience needed to enter them. Today, I’ll be speaking with InfoSec skills author, Chris Stevens about the role of information risk analyst. Without further ado, let’s get into it. Welcome, Chris.

[00:00:23] Chris Stevens: Hey, I’m glad to be here.

[00:00:25] CSIENKO: Glad to have you. Chris, let’s start with the basics. What does an information risk analyst do? What are the day-to-day tasks of that of that career path?

[00:00:33] CSTEVENS: Well, it depends on the organization. I’ve done risk management in the military. I was an intelligence professional in the intelligence community, more recently, as a risk manager, assisting with information security, and also as well as privacy risk management. You’re there, they help the organization understand risk on all levels, to identify that risk, to analyze that risk, to help business owners, system owners, mission owners themselves, understand that risk so they can make informed decisions on whether they accept that risk, avoid it, transfer it or mitigate the risk.

[00:01:15] CSIENKO: Can you give me some examples of what types of risks we’re talking about here?

[00:01:20] CSTEVENS: I’m primarily talking about information risk, all types of risk, financial risk. Everything we do in life has some type of inherent risks before you mitigate that risk. I’m primarily talking about protecting data.

[00:01:35] CSIENKO: Got you, okay.

[00:01:35] CSTEVENS: When we talk about protecting data, data has value to the person to whom it pertains. It has value to those organizations and trusted the process lawfully and legally. Unfortunately, it has attraction to those entities that want to use it probably for unauthorized purposes. You need the risk manager to look at your organization’s activities themselves to see where you have that inherent risk, measure that risk, so you can reduce that risk. You’re not impacting an organization’s profitability and survivability.

[00:02:08] CSIENKO: Okay. How does one become an information risk analyst? Is this an entry level position or do you need to start at more of a foundational level and work your way up towards this type of position?

[00:02:18] CSTEVENS: I think there are many paths to get to your goal. I teach a course for Drexel University. It’s School of Computing and Informatics, which is an IT security risk management program. You can do it academically. You can do self-study, like I’ve done. Get a foundational understanding of those risk management processes out there. InfoSec has a great set of learning paths, and courses that individuals can take very cost effectively. You use IC3 certification. I’m certified authorized professional that helps individuals that have to comply with NIST Risk Management Framework, understand how to work through the A&A process. You’ve got a great Information Security Management Program, courses in risk management. You also do a great job in helping organizations or individuals understand how to support the government where I spent many years, decades.

At the end of the day, it depends on the individual. I can tell you, my road wasn’t a straight path. I was required to do risk assessments in the military. My first job out of the military, I was hired by the Transportation Security Administration to do risk assessments. After I left and retired from the military and the government, there were still a need for not only entry level risk managers, but also others that had studied information security, cybersecurity and some of the other disciplines out there that also include risk management activities.

[00:04:00] CSIENKO: Right. Now, we’ve mentioned the sort of the degree route of learning risk analyst and of course, the certifications. Is this a type of position where either a degree or certification is required on your resume for an employer to see that you have done the work or is this more, you’re doing the work and then you sort of study the thing to make sure that you’ve truly mastered it?

[00:04:27] CSTEVENS: I think it’s the former, because again, with the stakes that are tied to risk management, organizations that want to hire you want to know not only do you have the experience, but do you have the knowledge. There are recognized certifications out there. I myself, am certified by ISACA, and is certified in risk and information systems control. A great certification to have, why I really respect it. Again, you’ve created learning paths and courses to help people get there. PMI has a great risk management program. If you’re an insurance or financial company, there are financial certifications, like the Certified Risk Manager. FAIR, the FAIR Institute. I’m not sure if you’re familiar with that. Factor Analysis of Information Risk has a great certification. Three tiers that you can take.

I encourage others not only to follow the academic approach. I can tell you, Chris, I have multiple degrees, and that one person that has hired me because of those degrees in risk management, they’ve hired me because of the certifications. And then also, the knowledge, skills and abilities that I’ve developed over time.

[00:05:41] CSIENKO: Got it. Now, what skills does an information risk analyst need to do their job well? This could either be technical skills or soft skills? What kind of person does well in this type of role?

[00:05:54] CSTEVENS: Someone that’s collected that has blended skills. Risk manager has to talk to different audiences and sometimes, you have to convey bad news. You have to translate that technical speak into business jargon. Many business owners, senior executives, senior managers won’t understand the technical jargon associated with risk. You’ll get that deer standing in a headlight, that glazed look. You have to translate that into business term. When you’re asking me to invest dollars, finite resources to address and mitigate this risk, why should I listen to you, and divert those scarce resources to address those issues when I have other demanding issues?

You have to be able to convey that, you have to understand the mission and business of the organization. You have to understand the strategic and operational goals and objectives. You have to have the ability to talk up and also talk horizontally. Because remember, as a risk manager, you don’t own anything. It’s the business owner, the mission owner, the system owner that owns the information systems, that process that data, that store that data. You’re there to help them be successful. To do that is, you have to convey that message in terms they understand. Lots of times equated in dollars and cents.

You asked a great question about certifications, about academic knowledge. One of the things you want to do is have a foundational understanding of risk. Even before you start your journey, when you start investing dollars and cents, and obtaining the skills, there are resources that are available like ISO ISC’s 31000, risk management that gives you from a global standpoint. You can go to NIST, look at NIST Risk Management Framework, NIST Special Publication 800-37 Revision 2, and start building that foundational knowledge.

I’ll tell you another thing they can do and this isn’t a plug for InfoSec, just because of speaking for InfoSec. You have great bootcamps. You can distill the certifications and I know that from taking your CISM. I’m a CISM as well.

[00:08:09] CSIENKO: Oh, wow.

[00:08:09] CSTEVENS: I took your CISM bootcamp, five days with a phenomenal extra instructor that really broke the examination down in layman’s terms, helped you understand the nuances of the exam that CISM has a high fail rate first time. I pass it the first time because I kicked your five-day bootcamp. I studied for a month. You provided me with outstanding resources. When I tested a month later, I did quite well and that’s because I took your bootcamp.

[00:08:38] CSIENKO: Wow. Love it. Love to hear that.

[00:08:41] CSTEVENS: Well, it’s not a plug for you. It’s just the truth.

[00:08:44] CSIENKO: No. Yeah.

[00:08:45] CSTEVENS: For me, I love what I do. Risk touch touches everything. You can start as an entry level. There are people who have started as entry level of risk managers, that are now working as Chief Risk officers. Of course, they have the education, they have the certification behind it and the experience, but that’s how important risk management is to organizations. Either they get it or they don’t. Either they mitigate, assess, identify, assess and mitigate risk, or they find themselves on the other side of that divide. Lots of these companies have gone out of business because they don’t have effective enterprise risk management programs.

[00:09:24] CSIENKO: Moving on, some of our other career paths that we’ve talked about are very tool intensive. I’m not sure. Are there some common tools that information risk analysts use and can you talk about this at all?

[00:09:36] CSTEVENS: Well, neither has risk have. Again, there are some tools out there. Again, the tool is only as good as the person that’s using it. That’s the reason why I made the statement that, before you start using any of these tools, you have a good understanding of risk techniques that underpin those tools. Like I mentioned FAIR. FAIR has a process for doing quantitative analysis. You might find yourself having to do a qualitative analysis using things like a Delphi method and others.

A great resource that I use before I started my risk management process was, again, I went to IC, the International Electro Technical Community has a complement to ISO 31000, 31010, that lays out those qualitative and quantitative risk analysis over 30. It just blows the mind how many ways you can look and analyze risk. Then with that basic understanding, you can apply any tool. Now again, the tool is only as useful as is accepted by that organization as well.

[00:10:51] CSIENKO: For sure. We’re doing information risk analysts work? What types of job options are available? Is this an enterprise situation? Do you work as a consultant? I’m assuming there are federal, probably a lot of federal and military jobs as well.

[00:11:04] CSTEVENS: There are. You can work in the public sector or private sector. Of course, when you talk about risk in the military, when we are talking about [inaudible 00:11:12] information risk, DoD has and you have a great bootcamp, going back to your boot camp, your DoD risk management framework that helps organizations understand how NIST has applied to DoD operations. It also uses ISO 31000 and some of the other processes out there. As a risk manager, you can find yourself working anywhere.

When I left the military, I was an intelligence officer, got recruited by TSA as a risk manager. One of the most fascinating jobs I had. Not only was I there to protect information, I was also there to assess risk to critical infrastructure and key resources. Every aspect of an organization, I’ve had some role in risk. As a senior intelligence executive, I can assess risk. You can find yourself working as a risk manager, especially in industries like finance, like insurance. It depends on the path of the individual. I like to lay out my career plan, looking at it in three-to-five-year steps. Where am I at today? Where do I want to be in three to five years and how I get there? If you want to be a risk manager, first it starts off with, you’re going to have to have some experience, you’re going to have to have the certs under your belt. To get the service, that means you’re going to have to work in some of these capacities, like if you want to see risk. The CISM has a risk management component.

For me, you can apply in government itself, you can go to USA Jobs. There are risk manager jobs out there, believe it or not. Go to indeed.com, linkedin.com, set up job alerts for risk. You’ll find that you’ll have untold opportunities.

[00:13:04] CSIENKO: Yeah, absolutely. Moving on from that, you mentioned your three-to-five-year plan going forward. But moving beyond risk analyst and you talked privacy before as well. What are some other job roles that you can move into from information risk analysts, whether that’s an upward or a lateral move? What are the skills that you get with working in information risk? What are some of the pivots that are especially intuitive to that?

[00:13:30] CSTEVENS: Oh, they’re innumerable. You can do project management. That’s why PMI has its risk management program. You can work in cybersecurity. There’s a lot of alignment between risk management, and the NIST CSF. You can find yourself if you’re looking at systems engineering, privacy engineering, looking at from standpoint of how do we translate requirements, external requirements, like laws, rules and regulations into technical controls, administrative controls. Risk plays a big role in that.

You can find yourself pivoting to – like I did, the privacy, which has a big information management component. It’s one of their more growing fields out there when you look at privacy risk management. You can use organizations understanding, like I said, How do you adopt concepts like security by design, security by default. privacy by design, privacy by default? Because at the end of the day, from the time you conceptually design a process, you have to assess risk, and you have to assess risk to define yourself in manufacturing. There are a number of industries where risk management has played an important part.

[00:14:55] CSIENKO: Yeah, I love that. It’s almost kind of like an umbrella set of theories that apply to so many other areas of the field.

[00:15:03] CSTEVENS: That’s right. If you look at well accepted certifications like the CISSP, or the CISA, or you look at – I’ll use the CISM. CISM has a risk management component. Why is that? Not only are you there to manage from an information security management perspective, but to do so, you have to understand risk management. You have to be able to identify it and you have to be passionate.

I was mentoring a young man, and he was starting at the entry level, building his credentials. He wasn’t getting the jobs as quickly as he thought. That’s where perseverance starts in. You have to – I hate to use the adage, you have to separate the wheat from the chaff, but you can’t be the chaff. In risk management, the jobs are out there. I do this all the time, Chris. I’ll go out whether I’m interested in a position or not, I just do a sampling, what’s out there, do a key word search against these job databases to see what they’re asking for. Then, if you’re starting out entry level, you look at what they’re asking, what credentials do I have to have? Ask yourself the question, Do I have? If I don’t, how do I acquire them?”

Community colleges are a cheap way of getting training. But I’m here to tell you, I’ve worked with a lot of training providers, your skills IQ. You’re allowing people to pay like $500, $599, I think it is, annually and to be able to take your multitude of courses.

[00:16:49] CSIENKO: Yeah.

[00:16:49] CSTEVENS: How do you beat that?

[00:16:50] CSIENKO: Yeah. That’s such an important thing, especially if you said, if you want to pivot into other areas, that it’s all still – you have so many different paths to the treasure, so to speak.

[00:17:04] CSTEVENS: I’ll give you an example. I looked at the information for your IC3 cap certification learning path, extremely important. Risk plays an important part of that. If you want to grow as an authorization professional, if you understand risks from the standpoint of aligning security, assessments from the line of confidentiality, integrity, and availability, and then walking through the designing. Before you actually put that process or that system in place, you’ve gone through a rigorous risk management piece. That’s adaptable in the public sector of the private sector.

For software engineers out there, constantly assessing risks, secure coding, and things like that before you get software as full above that you’ve offered and you fell on the after production.

[00:18:02] CSIENKO: Yeah. DevSecOps and the whole thing. Now, to wrap things up, you mentioned this a little bit. But for our listeners who are ready to get started in information risk analyst positions, what’s something they could do right now, right after they turn this video off that will move them a step closer to the goal of becoming an information risk analyst?

[00:18:22] CSTEVENS: I think the first thing you do is ask yourself, you look at where you are now. This applies to students, so students that are entering the workforce for the first time, where do I want to work? What type of work do I want to do? If you’re interested in risks, risk management or some aspect of risks, and you have to go to those job boards, you have to see what’s out there, what they’re asking for and build the credentials. If you’re dissatisfied where you are in a career, where are the working efforts. You’re the help desk person, a call center person, you have some understanding of information security, you start looking to see from a risk perspective, now, how can I do that internal to my organization? Where do I have to go? Then you have to lay out what are those skills you have to acquire, and then start to acquire those.

I wasn’t born a risk manager. This isn’t a path. It’s like my favorite poem in the world, The Road Not Taken. I’ve taken many other roads to get there, but I took a chance on risk management and it’s changed my life forever. I have to thank the InfoSec Institute for helping me with my journey.

[00:19:30] CSIENKO: I love that. Well, Chris Stevens, thank you for your time and insights today. This was so much fun. I really appreciate it.

[00:19:35] CSTEVENS: Now you got me excited. There’s some spontaneous combustion going on over here. I don’t want to implode on the camera, but I enjoy talking about this topic.

[00:19:44] CSIENKO: Absolutely. I hope you all have enjoyed listening to this. If you’d like to know more about other cybersecurity job roles, please check out the rest of the videos in InfoSec’s Career Video Series. Until then, we’ll see you next time.

[00:19:56] CSTEVENS: Take care, everyone.