Risk is always involved when it comes to information security. One of the most important positions within information security is the Risk Manager. This position goes by many different names, such as Risk Management Professional, Information Security Risk Manager, Risk Analyst, Risk Control Supervisor, Cybersecurity Risk Manager, Information Technology Risk & Security Specialist, Chief Risk Officer, Security Architect, and Security Risk Management. Regardless of what it’s called, the Risk Management Professional is on the front lines in fighting cybercrime, identifying and prioritizing threats to a company’s security and protecting its assets.
Risk management professionals typically work directly for a company as part of its information security team. In addition to the above-mentioned duties, risk managers monitor how effective a company’s risk management processes are, and make changes where necessary. It is important for the risk management professional to know all of the company’s operational, financial, compliance, technology and asset-related risks.
Becoming a risk management professional isn’t something that you can do right out of school. It does require at least three to five years of experience in information security, as well as educational and professional credentials. Jobs for risk management professionals may be available at consulting levels as well as within companies and government agencies. If you would like to explore the world of risk management further, please keep reading to discover how you can become a risk management professional.
Education and Experience Required to Become a Risk Management Professional
A bachelor’s degree is usually the minimum requirement for a risk management position within information security. Some employers prefer candidates to have a Masters of Business Administration (MBA) degree or a degree in finance.
Take a look at our Cybersecurity Bachelor’s Degree guide to find bachelor’s degree programs in your state that can help you to get started on the path towards becoming a risk management professional. They include:
- Bachelor of Science in Cyber Security – Friends University, Wichita, KS
- Bachelor of Science in Computer Information Systems – Hampton University, Hampton, VA
- Bachelor of Science in Information Systems – Cybersecurity Emphasis – Southern Utah University, Cedar City, UT
- Bachelor of Science in Business Administration – Enterprise Risk Management – Johnson & Wales University, online
Experience in risk management is also necessary before you can work in the field. Consult our Guide to Cybersecurity Internships to find applicable opportunities that you can achieve while you are still in college.
Industry certification is offered through the Professional Risk Managers’ International Association (PRMIA) and can be quite helpful to those seeking to work in risk management. Certifications available include:
- Operational Risk Management Certification (ORM)
- Associate Professional Risk Manager Certification (Associate PRM)
- Credit and Counterparty Risk Manager Certification (CCRM)
- Market, Liquidity and Asset Liability Management Risk Manager Certificate (MLARM)
Other industry certifications that are valuable for risk management professionals are:
- Certified Information Systems Security Professional (CISSP)
- Certified in the Governance of Enterprise IT (CGEIT)
- ITIL Expert (Information Technology Infrastructure Library)
- Certified Information Systems Auditor (CISA)
- GIAC Security Leadership Certification (GSLC)
- Certified Professional in Healthcare Risk Management (CPHRM)
- Certified Fraud Examiner (CFE)
- Certified Risk Analyst (CRA)
- Certification in Risk Management Assurance (CRMA)
- Certified in Risk and Information Systems Control (CRISC)
Job Description & Skills Required for a Risk Management Professional
Your job duties as a risk management professional will, of course, depend upon your job setting. Some responsibilities that risk management professionals will have include, but are not limited to:
- Establish key risk indicators and monitor them
- Implement corrective action plans to mitigate risks
- Analyze transactions, internal reports and financial information for potential fraud risks
- Maintain reports on significant risks and recommendations
- Create policies and procedures and control assessments responding to identified risks
- Evaluate company’s internal control framework effectiveness in addressing risks and accomplishing goals
- Provide training and technical support to employees on risk management programs and strategies
- Understand all applicable regulations, guidelines and industry best practices to minimize risk and ensure compliance
- Develop, maintain, audit security documentation like policies, procedures and standards
- Monitor internal control effectiveness
- Conduct internal security assessments to ensure compliance
- Explain roles in managing risk to partners
Skills, abilities and knowledge that is valuable for risk management professionals are:
- Good decision-making skills
- Excellent technical abilities and skills
- Excellent judgment
- Ability to communicate effectively both orally and in writing
- Leadership skills
- Great analytical skills to form a better picture of risk
- Problem-solving ability
- Integrity
- Strong consulting skills
- Thorough knowledge of information security and related technologies
- Ability to determine trends and tendencies
- Organization and attention to detail
- Adaptability and flexibility
- Thorough understanding of the major categories of risk: market risk, credit risk, operational risk and reputational risk
- Current knowledge of security technology
- Current knowledge of security threats
- Project management skills
- Curiosity and information seeking skills
- Monitor legal and regulatory environment for recent developments
Risk Management Professional Salary & Job Outlook
Payscale.com notes that the average salary for security risk management professional in the United States is $90,537. Those who work in information security and finances tend to earn higher salaries, as risk managers with CFE certification earn an average salary of $98,465 according to the Association of Certified Fraud Examiners (ACFE). Salaries of various top employers for risk management information security analysts, per Payscale.com, include:
- Vision Service Plan (VSP) $108,000
- General Dynamics Information Technology, Inc. $100,000
- IMI $96,000
- Northrop Grumman Corporation $93,000
- Lockheed Martin Corporation $90,000
The Bureau of Labor Statistics (BLS) notes that it expects job opportunities for risk managers to increase by 19 percent through 2026. While this is a faster than average increase, the rate can vary by industry. Any way you look at it, it seems that there is little risk in studying to become a risk management professional in information security!