Volker Schwaberow
Challenges in Cyber Risk Management

Challenges in Cybersecurity Risk Management

In my over 20 years as the “security guy,” if there’s one thing I’ve learned, it’s this: Risk management always looks easier on paper than it really is. Let me share some of the daily challenges we face when trying to get our cybersecurity plans off the ground. Sure, there are many well-documented processes for identifying and reducing risks, but putting those into practice is a different ball game. In this article, I’m diving into some big hurdles companies face while trying to nail down solid cybersecurity risk management. We’ll talk about asset registers, risk registers, and all those other crucial pieces of the puzzle.

The fast-changing nature of cyber threats makes risk management a real headache. Organizations must stay on their toes with all these new attack methods, vulnerabilities popping up left and right, and the sheer number of potential threats. It’s not just tricky; it’s a resource sink that needs constant attention and tweaks. And let’s not forget the ever-changing rules and regulations—always another compliance hurdle to jump over. Keeping up with these demands can be exhausting, and sometimes, it feels like as soon as you’ve caught up, the goalposts move again.

Cybersecurity risk management isn’t just about throwing fancy tools and frameworks at the problem. It’s about getting everyone on board and creating a real security culture within the organization. Let’s face it, you can have all the high-tech gear in the world, but if the folks using it aren’t aware of the risks or don’t know their role in mitigating them, it’s all for nothing. People are often overlooked in the risk equation, but they are one of the puzzle’s most critical pieces. You can have all the firewalls, intrusion detection, and shiny dashboards, but you’re still vulnerable if your staff isn’t tuned in. At the end of the day, cybersecurity is PEOPLE.

Building an Asset Register

Let me tell you, building an asset register is like cleaning out your garage—you think you know everything that’s in there. Still, there’s always something you forget about. It’s essentially a big list of everything you’ve got—servers, software, endpoints, networks, data stores, the whole shebang. In cybersecurity, an ‘asset’ is anything valuable to the organization—information, software, hardware, you name it. There are two big categories: information assets and supporting assets. Information assets include customer data, intellectual property, and all that juicy, critical stuff. Supporting assets are the things that help you store, process, or transmit the information—servers, laptops, and network gear. The trickiest part is not just making this list but keeping it current. Because let’s be honest, things are always changing. New stuff comes in, old stuff gets replaced, and somewhere along the way, something is bound to fall through the cracks if you’re not careful.

I’ve seen it happen more times than I can count: an outdated asset register that no one touched for years, and then something unaccounted for becomes a huge vulnerability. To avoid that, I always say it’s not just about listing assets; it’s about keeping them alive. And yeah, it’s a pain. Automated tools that scan the network can help, but there’s always some manual work. I’ve learned to make it everyone’s job. Every department, from IT to HR, should know they’re responsible for keeping their part of the list updated. This collective effort ensures that the asset register remains comprehensive and up-to-date.

  • Do regular checks.
  • Assign someone to be in charge of updates.

These steps aren’t rocket science, but they help you keep things under control. The reality is, it’s never done—there’s always something new and always something changing. It’s a living document, just like everything else in cybersecurity.

While these measures help keep the asset register comprehensive and reduce manual effort, the work is never really finished. Maintaining an accurate asset register requires continuous effort, especially as organizations grow and adopt new technologies. By developing a culture of accountability, where every department understands the importance of updating the asset register, you can ensure that the information remains current and accurate.

Creating an effective asset register isn’t just about tracking devices and software; it’s also about understanding each asset’s value to the organization and its role within the broader infrastructure. Asset criticality should be assessed regularly to ensure that attention is focused on the most important components. This assessment also helps prioritize the allocation of resources when addressing vulnerabilities or implementing security controls.
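
To make the "regular checks" concrete, here is a small reconciliation script. It is an added example, not part of the original article: the register fields, hostnames, the 180-day review window and the scan result are all constructed assumptions. It compares the register against what a discovery scan saw and ranks the gaps by criticality.

```python
from datetime import date

# Constructed sample register: hostname -> entry. Field names are assumptions.
REGISTER = {
    "db-prod-01": {"kind": "supporting", "owner": "IT", "criticality": 5,
                   "reviewed": date(2024, 9, 1)},
    "hr-share": {"kind": "information", "owner": "HR", "criticality": 4,
                 "reviewed": date(2023, 1, 15)},
    "build-02": {"kind": "supporting", "owner": None, "criticality": 3,
                 "reviewed": date(2024, 8, 20)},
    "old-ftp": {"kind": "supporting", "owner": "IT", "criticality": 2,
                "reviewed": date(2022, 6, 3)},
}
# Constructed output of a network discovery scan (hostnames that answered).
DISCOVERED = {"db-prod-01", "build-02", "hr-share", "test-nas-7"}


def reconcile(register, discovered, today, max_age_days=180):
    """Return findings as (severity, hostname, issue), worst first."""
    findings = []
    for host in discovered - set(register):
        # Nobody has rated an unknown asset, so assume the worst case.
        findings.append((5, host, "on network but not in register"))
    for host, entry in register.items():
        sev = entry["criticality"]
        if host not in discovered:
            findings.append((sev, host, "in register but not seen by scan"))
        if not entry["owner"]:
            findings.append((sev, host, "no owner assigned"))
        if (today - entry["reviewed"]).days > max_age_days:
            findings.append((sev, host, "review overdue"))
    return sorted(findings, key=lambda f: (-f[0], f[1], f[2]))


if __name__ == "__main__":
    for sev, host, issue in reconcile(REGISTER, DISCOVERED, date(2024, 10, 1)):
        print(f"[{sev}] {host}: {issue}")
```
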

Documenting Risks in the Risk Register

The risk register is basically your personal notebook of everything that could go wrong—and let me tell you, it’s usually a long list. It’s got all the risks, how likely they are to happen, what kind of damage they could do, and what you can do about them. But here’s the thing: evaluating those risks is tough, and everyone has a different take on what’s most important.

I remember one time when we had this massive disagreement between teams. The IT folks thought a certain server was mission-critical, while another department figured it was just another piece of equipment. Spoiler alert: It was critical, and thankfully, we caught it before something went sideways. The key here is to get everyone at the table—different departments see risks from totally different angles, and that’s exactly why you need them involved.

  • Get stakeholders together to align on risks.
  • Use teams to spot dependencies.
  • Set standard criteria so everyone’s on the same page.

Consistency is key. And remember to bring in outside experts every now and then. They see stuff we overlook because we’re too deep in the weeds. Fresh eyes never hurt; sometimes, they spot something right in front of you the whole time. While sometimes seen as a burden, external audits can bring a fresh perspective and highlight blind spots that internal teams may overlook.

Moreover, organizations should keep tweaking their risk registers to keep up with the constantly changing threat landscape. These aren’t meant to be one-and-done documents—they need to evolve as the organization grows and new types of risks pop up. Regular updates to the risk register and ensuring it aligns with the business strategy keep risk management efforts on point. Instead of just sitting on a shelf, the risk register should be a living, breathing document, helping the organization stay ahead rather than playing catch-up.
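
The "standard criteria" point can be put into a few lines of code. This is an added example, not from the original article: the 1-5 scales, the likelihood times impact score, the spread threshold and the sample ratings are assumptions made for illustration. Each team rates the same risk on the same scale, and any risk where the teams' scores are far apart is flagged for a joint discussion instead of being silently averaged away.

```python
from statistics import median

# Assumed shared criteria: every team rates on the same 1-5 scales.
SCALE = range(1, 6)

# Constructed sample: risk -> {team: (likelihood, impact)}.
RATINGS = {
    "Unpatched file server": {"IT": (4, 5), "Finance": (3, 2), "Operations": (4, 4)},
    "Phishing of staff": {"IT": (4, 3), "HR": (4, 3), "Finance": (5, 3)},
    "Vendor outage": {"IT": (2, 4), "Operations": (2, 5)},
}


def score(likelihood, impact):
    """Likelihood x impact, rejecting ratings outside the agreed scale."""
    if likelihood not in SCALE or impact not in SCALE:
        raise ValueError("rating outside the agreed 1-5 scale")
    return likelihood * impact


def build_register(ratings, max_spread=6):
    """One row per risk, highest score first, with a disagreement flag."""
    rows = []
    for risk, by_team in ratings.items():
        scores = {team: score(l, i) for team, (l, i) in by_team.items()}
        spread = max(scores.values()) - min(scores.values())
        rows.append({
            "risk": risk,
            "score": median(scores.values()),
            "spread": spread,
            # A wide spread means the teams see this risk differently.
            "needs_alignment": spread > max_spread,
        })
    return sorted(rows, key=lambda r: -r["score"])


if __name__ == "__main__":
    for row in build_register(RATINGS):
        flag = "  <- discuss with all teams" if row["needs_alignment"] else ""
        print(f'{row["score"]:>5} {row["risk"]}{flag}')
```
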

Challenges in Integration

I am always honest—integrating cybersecurity into everything else the business does is like trying to mix oil and water sometimes. Security teams do their thing, business teams do theirs, and never the twain shall meet—at least that’s how it often feels. I’ve been in meetings where the business folks look at us like we’re from another planet, and we look back, wondering why they don’t see the risks we’re discussing.

Collaboration is key, but it can be challenging. Getting security pros and operational folks to work together is like getting cats and dogs to get along. But when it works, it’s magic. Suddenly, instead of being that annoying department that always says ‘no,’ security becomes part of the process, and everyone starts to understand the value.

Then there’s the whole question of where cybersecurity fits in the organization. Is it part of IT, or does it stand alone, reporting to the CISO? Each has its perks. Integration tends to be smoother when it’s part of IT because everything’s under one roof. However, when cybersecurity is independent and reports directly to senior leadership, it can focus on governance and risk management without getting drowned out by IT’s day-to-day priorities. From my experience, there’s no one-size-fits-all here—it’s all about figuring out what works best for the specific needs and culture of the company. It’s annoying that after these years, I still see discussions about when a Chief is a Chief and when he is not. There is too much bias in this discussion.

What’s really essential is to incorporate cybersecurity considerations into new projects right from the planning stage. Guess what? All the standards mention this. Instead of adding security controls as an afterthought, controls should be built into project requirements from the start. This concept, often called “security by design,” ensures that security measures are a natural part of the workflow, minimizing friction and reducing costs associated with retrofitting security measures later on.

Resources for Effective Risk Management

Now, when it comes to risk management, you can’t just wing it. You need standards and frameworks—otherwise, you’re just guessing. Frameworks like ISO 27001 or NIST CSF are the go-tos for a reason: they help you get organized, understand where the risks are, and figure out what to do about them. But let’s be real—these frameworks can be overwhelming. They’re great, but they’re like trying to swallow a whale.

What worked for me was breaking it down. Start with the basics—the most critical parts. Focus on getting those right, and then build from there. Trust me, if you try to do it all at once, you’ll burn out your team and yourself.

Here’s my approach:

  • Do a gap analysis and find out what’s missing.
  • Use templates. No need to reinvent the wheel.
  • Bring in experts—sometimes you just need a guide.
  • Train the team because a tool is only as good as those using it.
  • Automate where you can. Manual work gets old fast.

It’s a grind, no doubt. Compliance is more than just a one-and-done deal. It’s more like running on a treadmill—sometimes you’re making progress, sometimes you’re just trying to keep up, but you’ve got to stay on it.

The Final Thoughts of a Security Manager

Sometimes, my job feels less like juggling and more like conducting an orchestra—except new musicians keep walking in halfway through, and the sheet music changes every few minutes. There are a bunch of different instruments (or risks) that need attention, and each one wants to play a solo at the worst possible time. Some instruments are the ones you expect—assets, vulnerabilities, compliance—like violins and cellos. But then, out of nowhere, someone brings in a tuba that represents a surprise vendor issue or a new regulation. Now, you must figure out how to fit that in without throwing everything else off balance.

And sure, sometimes it feels like there’s a trumpet player just blaring nonsense, representing an unforeseen audit or a surprise supply chain problem. But here’s the thing—it’s the unpredictability that keeps things exciting. It’s not about making the orchestra sound perfect because, let’s face it, there’s always someone out of tune. It’s more about making sure the music keeps going, even if you must improvise.

There have been days when I think everything is finally in sync, only to discover that the percussion section—maybe an overlooked endpoint—has been playing offbeat the whole time. But that’s where you learn: you adjust, recover, and somehow make it work. Honestly, that’s what makes this job both maddening and weirdly satisfying. It’s about finding harmony in the chaos and making sure, no matter what, that the show goes on.

So yeah, one orchestral piece at a time—sometimes we’re off-key, sometimes we hit all the right notes, but we always find a way to keep the performance going.