Cybersecurity Pros: You May Be Missing the Most Important Skill

Cheryl Abram
3 min read · Jan 5, 2023

Are you looking to get into the cybersecurity field? Are you already in the cybersecurity field? If so, it’s critical that you become intimately familiar with risk management.

Let me tell you why.

You’ve got goals, right? Maybe it’s getting fit, saving for a dream trip, getting married/divorced or starting a business. Whatever the goal, the moment you set it, guess what shows up? Risk! It’s like two sides of the same coin — goals and risks are inseparable.

They always arise together.

A risk, by the way, is any unexpected event that could occur and impact your goal. For businesses, risk is the potential for monetary loss.

Risks can occur for better (opportunities) or worse (threats). When you set a goal to eat healthier in 2023 (for example), what risks (positive and negative) can influence or impact that goal?

Positive risks could be a gift of a gym membership for your birthday or your cousin’s wedding announcement and request that you be in the wedding (which may provide incentive to fit into a smaller size).

Negative risks to eating healthier could be an unexpected tragic event that causes you to be depressed and seek comfort in food, or a poor support system that encourages you to keep up your unhealthy eating habits.

Each of these risks can influence your goal. What framework do you have in place to manage and monitor the positive and negative risks to your goal?

If you’re winging it and have no understanding of the risks or a clear understanding of how to manage and monitor them, then be prepared to fail (without learning)… over and over and over again.

Cybersecurity is all about protecting goals from intolerable risks.

This is why risk management should be the first lesson taught and learned for EVERY cyber professional, including the technical folks (e.g., pentesters, red teamers, programmers).

We need to clearly understand why we are learning to network and why security is so important when it comes to securing and protecting protocols.

Teaching and learning cybersecurity without clearly understanding risk management (the why) is like teaching and learning about healthy relationships by watching Pornhub.

Yes, sex is an important part of healthy relationships but not always and not every relationship. Also, sex is not the “why” upon which most healthy relationships are established and continue to thrive.

Similarly, proficiency at Hacking the Box or Penetration Testing (puns intended) does not translate to a cybersecurity professional capable of defending and protecting families, businesses, and groups from intolerable risks.

Risk management is a critical aspect of cybersecurity because it helps us (and the organizations we own and work for) identify, assess, and prioritize potential threats to the systems, data, and people essential to the accomplishment of the organization’s goals.

It allows organizations to implement appropriate controls and processes to avoid, transfer, or mitigate negative risks AND to exploit, share, and enhance positive risks.

Of course, cybersecurity risk management also helps organizations comply with industry regulations and standards, such as the Payment Card Industry Data Security Standard (PCI DSS) and the Health Insurance Portability and Accountability Act (HIPAA).

In short, knowledge and practice of risk management is essential for ensuring we know what the hell we’re doing… and why.
