So You Want to Be a Cyber Risk Analyst


Good choice. There are an estimated 3.5 million unfilled jobs in cybersecurity worldwide right now, and the position of cyber risk analyst is on the cutting edge of career choices, as more organizations wake up to the realization that effective cybersecurity starts with solid (and quantified) risk analysis.

Let's talk about three things you can do to help you become a Cyber Risk Analyst. But first…get acquainted with Factor Analysis of Information Risk (FAIR™), the risk analysis method that’s changing the industry’s entire outlook on cybersecurity risk. Read a quick introduction in the eBook by Jack Jones, creator of FAIR, An Executive’s Guide to Cyber Risk Economics, then invest in Jack’s book, Measuring and Managing Information Risk. If you’re an undergraduate, your school may offer the FAIR Institute’s University Curriculum.

1. Review how you think…


From what I have seen, it’s not always about how much education you have but more so your ability to critically think through a problem. Let’s look at an example modeled on the philosophical trolley problem:

As a risk analyst, should you be worried about the company’s bottom line or about how many customer records would be affected in a breach? Or, in other words, do the needs of the one (company) outweigh the needs of the many (customers)?

The answer is, it depends. Being able to break down a problem is the important part. If you can successfully decompose the scenario causing the breach, you can help the decision maker answer that question, especially by putting it in quantitative ranges.

Watch this video on creating a risk scenario.

2. Assess what you know…

Continuous improvement is a hot trend right now. As a risk analyst, it is important to be able to know and communicate your expertise. As alluded to before, that doesn’t mean you need a specialized degree in a particular field, but learning new things about cyber or a new skill set does help. In cyber, it could be as simple as a certification or training (like FAIR training) or learning how to present effectively to executives. Taking steps to develop those “soft skills” is always a good idea. It could even be as simple as checking out various blogs or podcasts on risk.


Learn about FAIR training and certification.


3.  Connect with others…

We all know in the business world getting a job is not all about what you know but sometimes who you know.  Get out there.  


Network. Join professional organizations like the FAIR Institute, the Society of Information Risk Analysts (SIRA) or the Global Association of Risk Professionals (GARP). Get involved. Not only are these good opportunities to meet new people, but they also give you an opportunity to learn from others. Sometimes that may mean reaching out to someone in the industry and asking them to mentor you.

Check out the FAIR Institute’s events

In the end, be open to what you don’t know, especially if you are just starting out. To take a quote from Jerry Colangelo, former owner of the Phoenix Suns:

“Be a sponge. Spend as much time as possible with people who truly know their craft and be a great listener. That is how you learn!”

Zach Cossairt

Decision Support at Equinix | Behavioral Practitioner | Perpetual Rethinker


Great article Tim. Another positive message helping to make entry into the risk management field less intimidating and more attainable. I also just about always send people the way of the risk analyst hype session, as I like to call it, put out by Jack Jones back in 2017. I’ll always remember being so stoked about diving into this field full force after this one:
