Year after year, cyberattacks are intensifying. According to Check Point Research (CPR), global cyber incidents on corporate networks increased by 38 percent in 2022 over the previous year. A recent article in TechRepublic reported that hackers and industry watchers at a roundtable organized by HackerOne observed that generative AI services and products such as ChatGPT and other large language models are potentially susceptible to “malicious prompt engineering” and other cyberattacks.
As threats continue to increase and evolve, businesses and government departments must devise effective security strategies to minimize exposure to attacks and respond to incidents efficiently and without hampering business operations. IT risk management is the conception and implementation of a risk management strategy to strengthen an organization’s information systems infrastructure and address threats.
IT risk comprises vulnerability, threat, asset, and cost. IT risk managers are responsible for preventing, identifying, analysing, evaluating, prioritising and responding to threats.
IT industry research firm Gartner advocates a security strategy with a “human-centric focus.” Gartner emphasizes the importance of users, technical security capabilities that enhance visibility and response, and a security strategy that enables nimbleness without weakening IT security.
Data breaches and system downtime can be caused by human error, cyberattacks, infrastructure failure or natural or man-made disasters, such as war, terror attacks, and civil disorder.
Managing risk is vital
IT risk management has become crucial for businesses, governments, and public institutions. Cyberattacks and data breaches can cause significant harm in terms of consumer risk, financial loss, adverse reputational impact, and disruption of public services.
As companies continue to invest in new technologies and applications in order to stay competitive, their risk exposure also increases. It is imperative to define and implement a strategy comprising security policies, best practices, cybersecurity training for employees, implementation of controls and tools, and updating security patches.
According to data protection and threat intelligence provider Flashpoint, more than 4,000 data breaches were reported across the world in 2022. In the United States, government and the finance and retail industries were the prime targets of threat actors. Of the cyberattacks advertised on dubious online marketplaces, the most common were hacking services and malware, including phishing services, and exploits.
It is prudent to stay abreast of data breaches in order to protect IT assets from the latest threats. Knowing what bad actors target, and how, can help one determine an effective security strategy. Many security experts emphasize the importance of prevention over detection.
Starting your risk management journey
IT risk management is currently a high-growth occupation. Skilled and experienced IT security professionals are in high demand. According to the U.S. Bureau of Labor Statistics, job prospects for information security analysts are promising. BLS analysts expect roles in this field to grow by 35 percent between 2021 and 2031. This is significantly higher than the average rate for other occupations.
To begin a career in IT security, you need experience in a related area of information technology and the required skills. There is a range of entry-level roles, including network security administrator, computer forensic investigator, penetration tester, security specialist, and security analyst.
Most companies require tech professionals who have a minimum of 1 to 3 years of experience in a related field, such as networking or systems administration, for entry-level cybersecurity roles. Once you have hands-on knowledge of the fundamentals of computer security and have earned some experience, you should be able to identify a suitable specialty. Information security is a broad field that offers experienced and qualified professionals opportunities to opt for strategic or tactical roles.
Computer forensics deals with figuring out how hackers have exploited vulnerabilities. Application security is about identifying weaknesses and rectifying them.
IT governance, compliance and risk management are strategic functions. You can specialize in a specific area or advance to strategic roles, such as information security manager, lead security engineer, senior security analyst or chief security officer.
Not everyone treads the same path to a career in IT risk management. There are various routes, of which a bachelor’s degree in computer science, engineering or related field is probably the most direct. It is possible, however, to get an entry-level job with a few years of hands-on work experience in a related IT field, a portfolio of projects, and a relevant recognized certification. Some employers hire tech professionals without an academic degree if they have solid experience and demonstrable skills and knowledge of security basics.
Large and medium-sized enterprises usually require at least a bachelor’s degree in computer science, information technology, engineering, or math. A degree enables students to develop in-depth understanding of computer systems, network architecture, programming and information security.
Not everyone has the time or resources to enrol for a full-time bachelor’s program. Some opt for independent study. Non-formal learning includes online courses, videos, and contributing to projects on online forums to develop real-world knowledge.
Relevant industry certifications, such as CompTIA Security+ and Certified Information Systems Security Professional (CISSP), are valued by some employers. A CompTIA Security+ certification along with the right work experience may improve your chances of landing an entry-level IT risk management job.
Professional networking is also important. Connect with security professionals on LinkedIn, join online forums, and attend information security events in order to meet people in the same profession and gain exposure.
Recognized security certifications, such as CompTIA Security+ and Certified Information Systems Security Professional, provide evidence of mastery of hands-on skills necessary for information security roles, as well as of the holder’s commitment to professional advancement. There is a shortage of skilled information security professionals, both in the United States and elsewhere, posing a challenge for employers looking to recruit qualified and trained professionals for IT risk management roles.
In this scenario, professionals with experience in networking or systems administration and a relevant security certification have better chances of being hired for entry-level IT security positions.
Popular certifications include:
CompTIA Security+
CompTIA Security+ is the most sought-after entry-level certification for tech professionals looking to pursue a career in information security. This vendor-neutral credential is recognized globally and designed to validate baseline capabilities and hands-on knowledge of basic security functions.
In the United States, CompTIA Security+ is recognized by corporations and government agencies (including contractors) alike. Critically, Security+ meets the DoD 8570 baseline for federal government employment.
SANS GIAC Security Essentials (GSEC)
SANS GIAC Security Essentials is a basic security certification that demonstrates practical skills in handling access control, password management, AWS instance security, container and macOS security, cryptography, mobile security, data loss prevention, Linux fundamentals, secure network architecture, and other system security functions.
Certified Information Systems Security Professional (CISSP)
Certified Information Systems Security Professional (CISSP), offered by cybersecurity professional association (ISC)², is an advanced certification for experienced security professionals. This time-tested credential validates the expertise required to design, execute, and manage an effective security strategy.
CISSP is quite possibly the most in-demand advanced information security credential. Many employers require this certification for certain mid-level IT security roles. CISSP also fulfils the US DoD Directive 8570.
Other popular security certifications for those interested in pursuing a career in risk management include ISACA’s Certified Information Security Manager (CISM) and Certified Information Security Auditor (CISA), and the Certified Ethical Hacker (CEH) certification offered by EC-Council.
IT risk management can provide dynamic and rewarding career paths to IT professionals who choose to specialize in information security. Relevant experience, qualifications, and skill set (including analytical, problem-solving, and communications acumen), as well as keen attention to detail, should help ensure that you have a long career.