Why You Should Get Your CRISC

Author: Matthew Henshaw, CISSP, CISM, CEH, CRISC, Coordinator of Information Technology at the Annapolis Valley Regional Centre for Education
Date Published: 4 April 2024

The path of my career is like the path of many others. It began from simple beginnings: college, entry-level tech support role, moving up to be the “network guy,” then eventually into management. Along the way I was constantly learning and taking certifications. A lot has changed in the past 20-plus years, but reflecting back, something that has not changed is the need to manage risk.

Looking back, risk management has always been a key component of working in information technology even if it was the small “r” version of risk management. For example, when working a help desk and triaging tickets, the ticket that gets immediate attention is often directly related to the level of risk that it presents.

So, if risk management (even the small “r” version) has been practiced for all these years, why should you change what you are doing now? THREATS! The number of threats an organization now faces is larger than ever before. Coupling that with exposure, which increases the likelihood of a threat affecting your organization, means that if you don’t have your game face on, there is a good chance a bad day is in store for you sooner rather than later.

My path to becoming CRISC-certified

That being said, what is one to do? Start practicing BIG “R” risk management. Sure, I admit, it is easy to get caught up in the hype of the latest (fill in the letter) DR solution (EDR, XDR, MDR, etc.). I like cool tools as much as the next person, but, if you are not aligning those tools with an identified risk, how do you know it is helping? How do you know spending lots of money on a tool is the most effective way to treat the risk? Maybe a simple process change is just as effective.

Wanting to practice BIG “R” risk management is what led me to becoming CRISC-certified. I have always been someone who needs a goal, a defined path to aid in my learning, and pursuing a certification helps with that.

Another motivator for learning BIG “R” risk management was being able to effectively communicate risk to management. In my opinion, too often IT and cybersecurity are seen as always looking for more budget for some new gadget that may or may not be needed. Being able to communicate in a language the business understands and connecting the dots with the organization’s goals and objectives is crucial to being successful in getting the resources you need to do the job properly.

Having an IT/security background is not required before attaining your CRISC, but it definitely helps. There are a lot of terms, concepts and principles covered that I had previously learned, and not having that base would have been an additional challenge and required more preparation time.

So, what is BIG “R” risk management? The answer to that lies in the four domains the CRISC is broken down into:

Domain 1: Governance

What are the goals and objectives of the organization and how will risk management align with them?

What structure will be put in place to oversee risk management activities?

Who is responsible for the different aspects of risk management? Better yet, who is the person who makes the decision on how to respond to the risk? Who is accountable?

What is the organization’s risk profile, and how will you monitor for changes to it?

What is the organization’s risk capacity and tolerance levels?

How does risk management fit with the legal, regulatory and contractual requirements of the organization?

Domain 2: IT Risk Assessment

How do you identify risk?

What are risk scenarios and how can you use one to understand risks and potential impact?

What is the root cause of the risk?

Understanding different risk assessment methodologies

Domain 3: Risk Response and Reporting

What are the different options for responding to and treating risk, and why would you choose one over the other?

What risks do third parties and emerging technologies present?

What is a risk treatment plan?

How do you select the appropriate controls including design, implementation and testing?

How do you monitor risk, including your chosen risk treatment plan, to ensure that it is reducing risk to the desired level?

What are the different types of indicators to monitor your risk management activities?

Domain 4: Information Technology and Security

Overview of key cybersecurity concepts:

What are core aspects of information technology operations and what risks do they present and/or treat?

What are the different cybersecurity frameworks and standards that can aid your activities?

How does risk management fit into project management and the systems development lifecycle?

Privacy and business continuity management concepts

How did I prepare for the CRISC?

As previously mentioned, having a solid background in information technology and cybersecurity helps, especially for Domain 4. My suggestion if you do not have that background is to explore options such as ISACA’s Cybersecurity Fundamentals Certificate.

For preparation material I used:

CRISC Review Manual 7th Edition: This review manual does a good job of covering all the material you need to know. I did not feel there were any questions on the exam I was blindsided by.

CRISC Review Questions, Answers & Explanations 6th Edition: Testing your knowledge is key. My method is to work through all the questions, fully reading all the explanations. Even if I answered the question correctly, the explanations for the other, incorrect answers helped solidify the information. After working through the questions, for any question I answered wrong I made sure to go back to the CRISC Review Manual and thoroughly cover the topic again.

Additional Training: I also enrolled in a continuing education course from the University of Toronto, “Cybersecurity Risk Assessment, Treatment and Reporting.” This course covered many of the CRISC domains (with a NIST perspective), but the primary reason I chose to take it was the collaboration with peers and the hands-on aspect. I firmly believe you can pass the CRISC with just the two books mentioned above, but engaging in group discussions and putting the learning into practice through class assignments was a welcome addition to my study.

So, what are you waiting for? Take the leap and learn about BIG “R” risk management!

Additional resources