A career in Cybersecurity Governance & Risk Management

Working within this specialism in cybersecurity is about protecting the security of an organisation’s information systems and data. It involves setting policies, monitoring compliance and following defined procedures to identify, assess and manage risks from external and internal threats, all guided by the organisation’s view of risk (its risk appetite).

What will be your responsibilities?

As a Practitioner:

  • draft cyber security policies and procedures, taking account of an organisation’s legal, regulatory and operational requirements
  • identify cyber security risks, posed by the combination of vulnerabilities and threats, to the security of an organisation’s information systems and data
  • assess the impact and likelihood of identified cyber security risks
  • propose measures - including avoidance, mitigation, sharing and acceptance - to manage risks
  • create and maintain a risk register or include the cyber security risks in the organisation’s overall risk register

As a Senior Practitioner:

  • manage governance and risk management practitioners
  • contribute to an organisation’s high-level risk strategy and the definition of its risk appetite
  • identify the requirement for policies and procedures and monitor their production and updating
  • approve policies and procedures
  • set up and maintain the arrangements for managing cyber security risk
  • engage with heads of business departments to demonstrate the cyber risks which the organisation faces through existing processes and to recommend changes to them
  • assess and report on the effectiveness of company risk management standards and policies

What skills will you need?

Transferable soft skills:

  • taking account of multiple complex factors to arrive at logical, repeatable conclusions
  • verbal and written communication, especially in producing formal documents which are comprehensive and without ambiguities
  • presenting logical, objective reasons for all decisions made

Specialist skills:

  • using statistical, mathematical or financial techniques to assess the likelihood (taking account of vulnerabilities and threats) and impact of cyber-attack techniques and deliberate or unintentional damaging actions by people within the organisation
  • applying risk management methodologies, such as those in ISO 27001, and sector-specific requirements, such as PCI-DSS
  • interpreting legal and regulatory requirements and integrating them with an organisation’s operational requirements
  • assessing the compliance of procedures and practice with agreed standards

Transferable skills from a different career path:

  • roles in the emergency services, especially fire and police services, which require substantial risk management
  • operational and staff roles in the Armed Forces
  • business risk management
  • business operations
  • IT system management
  • business continuity
  • financial or internal audit
  • specialist commercial insurance assessment
