Defining SRM Models, Roles and Functions
The information security risk (ISR) manager’s main role is to treat risks in line with the organization’s level of risk tolerance. ISR managers identify, assess and treat risk according to the three principles of information security, that is, they preserve the confidentiality, integrity and availability of the organization’s assets (Choi, 2016, p. 638). Managing information risk is a continuous task whose quality depends on its inputs, such as the assessment plans, communication and the technology applied. ISR managers identify vulnerabilities, meaning weaknesses in information systems and software, and they identify the organization’s assets, especially those whose compromise would most affect security.
Managers identify threats and the controls meant to address deficiencies in the organization, for example a safety net. After identification, managers assess the information collected about threats, vulnerabilities and controls, and during the assessment they are expected to estimate the probability of each risk (Choi, 2016, p. 638). Estimating risk probabilistically requires the threats, the vulnerabilities and the assets to be considered together in order to arrive at the final security control. After the assessment, managers carry out treatment, which can take the form of transfer, mitigation, remediation, avoidance or acceptance.
The treatment option chosen depends on the nature and the level of the threats and vulnerabilities. Managers communicate with other stakeholders about the implementation of the necessary controls and measures. Since the ISR manager leads the process, the manager ensures that stakeholders are responsible and accountable for the security of information systems, and that all members of the ISRM process, for instance risk owners and process owners, own their part and their roles so that the management process continues (Choi, 2016, p. 638). The ISR manager collaborates with the company relationship manager (CRM) to gather all the information required to assess and treat the risk.
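As an added worked example, not from Choi (2016) or from the page itself, the following Python script walks a constructed risk register through the identify, assess and treat steps described above: each entry records the asset, threat, vulnerability and an accountable owner; the score is likelihood times impact, reduced by the effectiveness of any existing control; and the residual score is compared against a tolerance to pick one of the five treatment options. The 1 to 5 scales, the tolerance of 8, the multiplicative scoring and the threshold rules are assumptions chosen for illustration, and the register entries are constructed.

```python
"""Added example: a small risk register implementing identify -> assess -> treat.

The 1-5 likelihood/impact scales, the multiplicative score, the reduction by
control effectiveness and the treatment thresholds are assumed conventions for
this illustration, not figures taken from the cited sources.
"""
from dataclasses import dataclass

TOLERANCE = 8.0  # hypothetical: residual risk at or below this is accepted


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int               # 1 (rare) .. 5 (almost certain)
    impact: int                   # 1 (negligible) .. 5 (severe), driven by asset value
    control_effectiveness: float  # 0.0 (no control) .. 0.9 (strong control), lowers likelihood
    fix_available: bool           # True when the vulnerability itself can be closed
    owner: str                    # accountable risk owner; required

    def validate(self) -> None:
        """Reject entries that are outside the scales or have no accountable owner."""
        if not 1 <= self.likelihood <= 5 or not 1 <= self.impact <= 5:
            raise ValueError(f"{self.asset}: likelihood and impact must be 1..5")
        if not 0.0 <= self.control_effectiveness <= 0.9:
            raise ValueError(f"{self.asset}: control effectiveness must be 0.0..0.9")
        if not self.owner:
            raise ValueError(f"{self.asset}: every risk needs an accountable owner")

    def inherent(self) -> int:
        """Risk before any control: likelihood x impact."""
        return self.likelihood * self.impact

    def residual(self) -> float:
        """Risk after existing controls; here a control reduces likelihood, not impact."""
        return round(self.likelihood * (1.0 - self.control_effectiveness) * self.impact, 1)


def select_treatment(risk: Risk, tolerance: float = TOLERANCE) -> str:
    """Map one assessed risk to one of the five treatment options."""
    residual = risk.residual()
    if residual <= tolerance:
        return "accept"          # within tolerance: record it and monitor it
    if risk.fix_available:
        return "remediate"       # close the vulnerability itself
    if risk.impact >= 4 and risk.likelihood <= 2:
        return "transfer"        # rare but severe: insurance or contractual transfer
    if residual >= 20:
        return "avoid"           # unacceptable and unfixable: retire the activity
    return "mitigate"            # add or strengthen controls


def treatment_plan(register, tolerance: float = TOLERANCE):
    """Validate, assess and rank every entry, highest residual risk first."""
    for risk in register:
        risk.validate()
    ranked = sorted(register, key=lambda r: r.residual(), reverse=True)
    return [
        {"asset": r.asset, "owner": r.owner, "inherent": r.inherent(),
         "residual": r.residual(), "treatment": select_treatment(r, tolerance)}
        for r in ranked
    ]


# Constructed sample register (made up for this example).
SAMPLE_REGISTER = [
    Risk("customer-db", "external attacker", "SQL injection in order form", 4, 5, 0.0, True, "app-team-lead"),
    Risk("payment-gateway", "ransomware", "flat, unsegmented network", 2, 5, 0.0, False, "infra-lead"),
    Risk("build-server", "malicious insider", "shared admin account", 3, 3, 0.5, False, "devops-lead"),
    Risk("legacy-ftp", "credential theft", "plaintext authentication", 5, 4, 0.0, False, "infra-lead"),
    Risk("internal-wiki", "phishing", "no MFA on login", 4, 3, 0.25, False, "it-ops-lead"),
]

if __name__ == "__main__":
    for row in treatment_plan(SAMPLE_REGISTER):
        print(f"{row['asset']:16} inherent={row['inherent']:>2} residual={row['residual']:>5} "
              f"-> {row['treatment']:9} (owner: {row['owner']})")
```

Running the script ranks the register by residual risk and prints the chosen treatment and owner for each entry; the two entries scoring 20 are treated differently because one has a fix available (remediate) and the other does not (avoid), which is the kind of distinction a flat likelihood-times-impact matrix alone would not make.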
The cybersecurity risk manager (CRS), on the other hand, deals with cyber insurance, the organization’s security systems and programming. The CRS manager protects the organization from cyber-attacks by implementing both cybersecurity and physical security. The major difference between the ISR and CRS roles is that the CRS manager is responsible for cybersecurity protection, which includes detection, response and recovery (Quigley, Burns and Stallard, 2015, pp. 108-117), whereas the ISR manager deals with the risks of information systems through the identification, assessment and treatment process. Cybersecurity managers are further divided into a program security manager and a technical security manager; the technical security manager takes charge of security systems such as encryption, scanners and firewalls, while the program security manager takes charge of data privacy, vendors and the role of third parties. A CRS manager also monitors policy compliance and regulatory compliance.
Additionally, the cybersecurity risk manager implements new technology systems such as new risk controls, improves the maintenance of security technology, makes security audits more consistent and ensures that cybersecurity is a priority in the organization. Cybersecurity managers are expected to know their remit and to ensure that new technology and programs are tested before use and retested regularly. In large organizations, the chief information security officer (CISO) takes over the cybersecurity manager’s role of briefing the board members, while in small organizations the cybersecurity manager takes the lead.
The CRS and ISR managers deal with the same issue of security, which is a main concern for organizations today. Both ensure that security is maintained in the organization, each following their own process (Quigley, Burns and Stallard, 2015, pp. 108-117). Both aim at protecting the organization from cyber threats: the ISR manager ensures that the information systems are well equipped and ready to withstand threats through identification, assessment and treatment of the vulnerabilities and weaknesses in those systems, while the CRS manager ensures that the organization is protected from cyber threats through detection, response and recovery. In short, the ISR manager prepares the organization’s information systems for cyber threats, and the CRS manager deals with the threats as they occur and recovers the organization, supporting business continuity.
The roles of the CRS and ISR managers overlap, since both deal with the protection of information technology systems and both professions belong to the field of security risk management. Cybersecurity policies and strategies are designed to improve the technical and programming safety of information systems, much as the ISR manager does. Both managers deal with security issues and primarily aim at securing the organization from cyber threats. The cybersecurity risk management (CSRM) profession is expanding, and its programs increasingly apply qualitative and quantitative methods of risk prevention (Quigley, Burns and Stallard, 2015, pp. 108-117). Professionals are now taught how to identify risks and plan for future risks.
The profession will use different and more advanced learning options that will attract more professionals, for instance self-paced online learning. Due to the increase in cybersecurity threats, cybersecurity risk management (CSRM) has developed advanced governance practices that will strengthen cybersecurity in the future (Best, 2017, pp. 16-21). The increasing cases of deterioration, disruption and distortion have led the industry to employ and train more cybersecurity professionals. In the next decade, the cybersecurity industry will be using wireless emergency alerts (WEA) to provide critical information about cybersecurity to the public.
CSRM plans include the adoption of WEA, where the technology will provide information about threats and vulnerabilities and will be able to prioritize and organize risks according to their impact. WEA will also provide information about roles and about the mitigation of cybersecurity threats and risks (Best, 2017, pp. 16-21). Government will also expand its function through data stratification, customization of management policies and strategies, and the use of enterprise risk management (ERM) in accordance with the National Institute of Standards and Technology (NIST).
List of References
Best, B., 2017. Futureproofing our profession. Newsli: The Magazine for the Association of Sign Language Interpreters in the United Kingdom, 99, pp. 16-21.
Choi, M., 2016. Leadership of information security manager on the effectiveness of information systems security for secure sustainable computing. Sustainability, 8(7), p. 638.
Quigley, K., Burns, C. and Stallard, K., 2015. ‘Cyber Gurus’: A rhetorical analysis of the language of cybersecurity specialists and the implications for security policy and critical infrastructure protection. Government Information Quarterly, 32(2), pp. 108-117.