What Are the Problems with Risk Management? 


In our previous article, we discussed the concept of risk management–what it is and why it’s important. 

Risk management in cybersecurity isn’t new, though, and many organizations are working to normalize risk as the basis of comprehensive cybersecurity and compliance efforts. 

While this move is a good one, we also find that many organizations will over-rely on frameworks as an end-all, be-all approach to security, which can prove more confusing than helpful. 

 

What Are Risk Management Frameworks?

Assessing risk is more than measuring gaps between existing infrastructure and business or technical priorities. In its most practical form, risk is a way to gain a comprehensive view of your systems so that your organization can make plans for the present and future. 

More importantly, risk management helps your organization align its business and security goals with major priorities, whether spending and finance or compliance. It’s almost impossible to do so without understanding how these systems work with one another in real-time. 

Finally, modern risk assessment is all about addressing modern security challenges. Cybersecurity threats are complex, leveraging cracks in your armor–especially those that arise from interconnected systems. Risk assessment allows you to see how those components interact with one another.

In practice, treating risk management as an organizational priority calls for a structured approach, which is why many professional and regulatory bodies publish risk management frameworks to support enterprises across multiple industries. 

A risk management framework provides a structure for organizations to apply best practices and metrics to their existing systems and structure their assessments of those systems around front-to-back processes. Some of the most well-known risk management frameworks provide a process that enterprises with no experience in risk management can still implement. 

Some of the most established and well-known frameworks include the following:

 

The NIST Risk Management Framework

The National Institute of Standards and Technology (NIST) governs the major requirements for almost every piece of cybersecurity regulation in the U.S. government. If a government agency or third-party vendor has cyberinfrastructure requirements, it is most likely working under NIST guidelines.

In a move to emphasize risk management as the foundation of cybersecurity, NIST is looking to require risk assessment as a primary activity for compliance. It has implemented the Risk Management Framework (RMF) as a blueprint for enterprise organizations working in or with the government. 

The RMF is defined in NIST Special Publication 800-37, “Risk Management Framework for Information Systems and Organizations,” supplemented by NIST Special Publication 800-30, “Guide for Conducting Risk Assessments.” 

As a broad framework, the RMF divides the risk management journey into seven distinct steps:

  1. Prepare: Preparing the organization to adopt risk management principles, including identifying stakeholders, filling key management roles, codifying strategies and policies and identifying standard controls. 
  2. Categorize: Taking inventoried controls and assigning levels of risk based on the impact on the organization and on the owners of information, judged by questions of confidentiality, privacy, integrity and availability. 
  3. Select: Selecting the required security controls from NIST SP 800-53, based on existing infrastructure and security needs, including any system-specific components and monitoring solutions. 
  4. Implement: Implementing the selected controls based on findings and the level of acceptable risk.
  5. Assess: Assessing the effectiveness and correctness of the control implementations, including their operability, configuration and success or failure within a given scope of application. 
  6. Authorize: Authorizing key personnel to access information from controls, including strategy and policy documentation, to make decisions regarding risk and infrastructure.
  7. Monitor: Implementing and leveraging ongoing monitoring solutions to maintain control operations, including notifying administrators about suspicious activity, responding to and mitigating breaches and remediating security issues. 
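To make the Categorize and Select steps concrete, here is an added worked example; it is not code from Lazarus Alliance or NIST. It applies the FIPS 199 high-water-mark rule that the RMF relies on for categorization: each information type on a system is rated Low, Moderate or High for confidentiality, integrity and availability (privacy is handled outside this rule), the system inherits the highest rating for each objective, and the highest of those three determines which SP 800-53 control baseline (Low, Moderate or High) is selected. The inventory, the system name and the risk-register layout are constructed for illustration.

```python
"""RMF steps 2 and 3 as code: FIPS 199 categorization feeding SP 800-53 baseline selection.

Added example, not the page's or NIST's code. Sample inventory is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List

# FIPS 199 impact levels, ordered so max() gives the high-water mark.
# "n/a" is only permitted for the confidentiality of an information type
# (e.g. already-public data); it is never allowed for integrity or availability.
LEVELS = {"n/a": 0, "low": 1, "moderate": 2, "high": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InformationType:
    """One kind of information resident on the system, with its per-objective impact."""
    name: str
    confidentiality: str
    integrity: str
    availability: str

    def impact(self, objective: str) -> str:
        level = getattr(self, objective).strip().lower()
        if level not in LEVELS:
            raise ValueError(f"{self.name}: unknown impact level {level!r} for {objective}")
        if level == "n/a" and objective != "confidentiality":
            raise ValueError(f"{self.name}: 'n/a' is only valid for confidentiality")
        return level


def categorize_system(info_types: List[InformationType]) -> Dict[str, str]:
    """Apply the high-water mark: highest impact per objective, then overall.

    A system is never 'n/a' for any objective, so an all-public system still
    gets at least 'low' confidentiality (FIPS 199 system-level rule).
    """
    if not info_types:
        raise ValueError("cannot categorize a system with no inventoried information types")
    category: Dict[str, str] = {}
    for objective in OBJECTIVES:
        highest = max((it.impact(objective) for it in info_types), key=LEVELS.__getitem__)
        category[objective] = "low" if highest == "n/a" else highest
    category["overall"] = max((category[o] for o in OBJECTIVES), key=LEVELS.__getitem__)
    return category


def select_baseline(overall_category: str) -> str:
    """Step 3: the overall category picks the SP 800-53 baseline to start from."""
    baselines = {
        "low": "SP 800-53 Low baseline",
        "moderate": "SP 800-53 Moderate baseline",
        "high": "SP 800-53 High baseline",
    }
    return baselines[overall_category]


def risk_register_entry(system_name: str, info_types: List[InformationType]) -> Dict[str, str]:
    """Produce a register line in the FIPS 199 'SC = {...}' notation plus the chosen baseline."""
    cat = categorize_system(info_types)
    notation = "SC = {" + ", ".join(f"({o}, {cat[o].upper()})" for o in OBJECTIVES) + "}"
    return {
        "system": system_name,
        "categorization": notation,
        "overall": cat["overall"],
        "baseline": select_baseline(cat["overall"]),
    }


# Constructed sample inventory for a hypothetical customer portal.
SAMPLE_INVENTORY = [
    InformationType("public web content", "n/a", "low", "moderate"),
    InformationType("customer PII", "high", "moderate", "low"),
    InformationType("order processing", "moderate", "high", "moderate"),
]

if __name__ == "__main__":
    # One 'high' rating for any objective pulls the whole system to the High baseline.
    for key, value in risk_register_entry("customer-portal (constructed)", SAMPLE_INVENTORY).items():
        print(f"{key}: {value}")
```

The point the code makes is the one that trips up many first RMF efforts: the high-water mark is not an average, so a single sensitive information type drags the entire system, and every control in its baseline, up to the higher category. Splitting such data into its own system boundary is a design decision that belongs in the Prepare step, before categorization.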

 

ISO 31000 Risk Management


The International Organization for Standardization (ISO) releases several standardization documents for technical processes, procedures and implementations with the idea that standard guidelines can benefit professionals and consumers. 

One of these standards, ISO 31000, outlines the ISO risk management framework. This framework, much like its NIST counterpart, provides organizations with the scaffolding they can use to implement their risk management approach. Unlike NIST, however, it isn’t required as part of a regulation or governance standard. ISO provides standards to organizations that might not have mandatory requirements placed upon them, but want to make risk management part of their approach to security. 

ISO 31000 breaks down risk management into eight core principles:

  1. Inclusivity: Risk management should include all of an organization’s relevant stakeholders.
  2. Dynamism: Risk management should change and evolve as the organization does, and as it faces new security threats, risk assessments should respond accordingly. 
  3. Utilizing Best Available Information: Organizations should strive to gather and use the best, most up-to-date information available, understanding that no data is 100% complete. 
  4. Incorporating Human and Cultural Factors: Risk assessments should never limit themselves to technology only, as human risk factors are the most relevant and dangerous to overall security. 
  5. Continually Improving: ISO expects continuous improvement, particularly when applying mitigation and remediation efforts. 
  6. Integrating: Risk should exist in all business processes, not simply technical ones. 
  7. Comprehensively Structuring: Risk management strategies should comprehensively cover all potential risk factors and systems across the organization. 
  8. Customizing: ISO 31000 standards should be implemented in ways meaningful to the organization, not as an ad hoc or rigid framework. 

 

What Are the Challenges of Using a Risk Management Framework?

Risk management is the future of compliance and cybersecurity. As major standards creators and maintainers seek to address the challenges of modern security threats, they are increasingly moving to models where risk assessment is the first step in addressing these concerns. 

And, on the one hand, that’s fantastic. In many ways, older forms of cybersecurity were over-dependent on checklists and spreadsheets–that is, in printing out system specs and completing a form. 

This works well if security is limited to easy-to-understand and quantifiable gaps. However, most of us know that security rarely falls into these categories. Even in 2022, phishing and social engineering are among the most dangerously effective forms of attack in the wild. Furthermore, the expansion of Advanced Persistent Threats (APTs) has come about precisely because attackers can leverage weaknesses in the connections between complex cloud apps, hybrid IT infrastructures and third-party vendors. 

However, the drawback to risk management frameworks is that they are abstract. While the RMF or ISO 31000 can guide how to implement some best practices to manage risk, they can’t speak to the unique needs of your business, industry, or even client relationships. Reading through the RMF sometimes feels like a bird’s eye view of a football field, which can be frustrating when all you want to see is how you can best push the ball two yards for a first down. 

That makes investigating and implementing risk management that much more difficult. While working down a checklist isn’t the best way to operate your cybersecurity, having a more concrete framework can streamline some of the harder parts of risk assessment, especially when it comes to rapidly changing infrastructure or edge cases where different technologies meet. 

 

Are You Working Towards Your Risk Management Posture?

Then work with a company that knows risk assessment, compliance and real security implementation. Work with Lazarus Alliance and the Continuum GRC ITAMs platform.

Call Lazarus Alliance at 1-888-896-7580 or fill in this form. 

Download our company brochure.
