Cyber Risk Management – Top hints & tips

Embarking on a risk-based approach in cyber security is a significant undertaking. However, at CRMG we believe it is the right approach in order to effectively protect your organisation’s critical assets, and as a result, your brand and reputation. We have a team with many years’ experience in cyber risk, and so we have produced a high-level list of recommendations to any organisation starting on this journey.

  1. Focus on those systems and data assets that are business critical

Identify your critical assets. A Business Impact Assessment is a useful tool to help establish an objective, business-driven approach to classifying your “crown jewel” assets.

  2. Establish a practical process that incorporates the fundamentals of information risk

Review methodologies and frameworks that will work for your organisation. There are many complex and ‘powerful’ approaches to assessing cyber risk, but not all of them translate easily into your business. Start with a “lite” approach first and build up from there.

  3. Validate GRC products to help streamline and semi-automate the cyber risk process and minimise staff effort

It won’t be long until you outgrow Excel sheets and need to conduct trend analysis, automate risk assessments and report to a wide variety of key personnel; this is where an industry-strength GRC product becomes key.

  4. Present the business argument to help establish a cyber risk approach (e.g. target investment, quick wins, best practice)

You need to present why a cyber risk approach is key in today’s world: greater dependency on technology, greater exposure to attack, and irrecoverable impact from a breach.

  5. Establish a phased approach (do not attempt to boil the ocean)

Plan this as a project. Build in awareness and training. Nominate a cyber risk manager to spend their time conducting a series of pilot assessments before embarking on an enterprise roll-out.

  6. Extrapolate the risk insights to other areas of the security programme (e.g. policy update, awareness, and education)

The outputs from the risk assessments MUST be used to support other security-based decisions: what messages are needed for the awareness campaigns? What budget should be set for next year?

  7. Promote the approach to your clients and partners

Your clients will understand the value of a risk-based approach, so package an executive overview for them. Such an approach will build assurance and confidence when handling their data.


In summary, without knowing what ‘good’ looks like or where to start, organisations cannot reap the benefits of a risk-based approach: becoming more proactive rather than reactive, gaining a comprehensive view of risk to better direct budget, and being able to fill gaps in cyber security programmes to become more robust, while generally saving time, money and the headache of a data breach.

In our Cyber Risk Assessment masterclass, we share a phased approach that can be applied to your business and what ‘good’ looks like. Watch the masterclass on-demand here.



Nick Frost
Co-Founder & Director