Learning to Identify Cybersecurity Risks with NIST has become the defining skill for modern security leaders, and the story below shows why. At 3:47 a.m. on a Tuesday in 2025, a Fortune 500 CISO’s phone lit up with an alert that, six months earlier, would have been a non-event: a single login from a contractor’s laptop. By 4:12 a.m., the attacker had pivoted to payroll. By 6:30 a.m., the board chair was on a bridge call.

The forensic post-mortem later traced everything back to one line item in a risk register that read ‘third-party access — medium likelihood.’ The likelihood was never medium. It just hadn’t been re-scored in 14 months.

1.  NIST Cybersecurity Framework (CSF) 2.0, released February 2024, added a sixth core function — Govern — which makes board-level oversight a first-class element of how you identify cybersecurity risks with NIST.
2.  The global average cost of a data breach fell to $4.44 million in 2025, but U.S. breaches hit a record $10.22 million. Organizations that use security AI and automation extensively save $1.9 million per breach and contain incidents 80 days faster.
3.  Ransomware now appears in 44% of all breaches and 88% of small-business breaches. Phishing still initiates more than 90% of successful intrusions. Any risk identification program that doesn’t explicitly map these two vectors is under-scoped.
4.  Third-party and supply-chain breaches doubled year-over-year to 30% of all breaches. If your vendor inventory, contract clauses, and continuous-monitoring stack can’t answer ‘who can reach our data right now?’ in under 60 seconds, that is your top finding.
5.  AI-powered attacks rose 72% year-over-year, and deepfake incidents grew 2,137% over three years. Layer NIST AI RMF controls onto your existing CSF 2.0 implementation rather than running them as parallel programs.
6.  The Identify function is the foundation — but it only pays off when its outputs feed Govern (risk appetite), Protect (control selection), and Detect (threat modeling) through a single risk register that the board actually reads.
7.  Programs that treat identification as a one-time exercise leave themselves exposed. Continuous asset discovery, quarterly reassessment, and dynamic KRIs are the 2026 table stakes.

If you are trying to identify cybersecurity risks with NIST in 2026, the problem is no longer a shortage of frameworks — it is a shortage of practitioners who treat identification as a living discipline rather than an annual audit artifact.

The NIST Cybersecurity Framework 2.0 gave us new architecture, a sixth function (Govern), and a much sharper view of how cyber risk intersects enterprise risk. But architecture is not execution.

This playbook rebuilds the original 14-tip article from the ground up. It speaks to the board member asking hard questions at a risk committee, the second-line risk officer trying to translate NIST SP 800-53 controls into plain English, and the practitioner who has to choose what to automate next quarter.

Every recommendation maps to CSF 2.0, ISO 31000:2018, and the 2025 threat data that actually reshaped our profession this year.

Why the Old Playbook to Identify Cybersecurity Risks with NIST Broke

The original version of this article referenced a $3.86 million average breach cost and five CSF functions. Both numbers are out of date.

The IBM Cost of a Data Breach Report 2025 now puts the global average at $4.44 million — a 9% drop from 2024 driven largely by faster AI-powered detection.

But the U.S. figure hit a record $10.22 million, and the breach-identification window remains stubbornly long at 241 days. For readers rebuilding their underlying cybersecurity risk management program, that 241-day signal is the one to anchor the business case on.

Meanwhile, NIST itself moved the goalposts. In February 2024 it released CSF 2.0, adding Govern as a sixth core function and elevating supply chain, AI, and privacy concerns.

The 2019 approach of ‘run a CSF assessment once a year and map the gaps’ no longer clears the bar regulators, insurers, and boards set. Our earlier walk-through of NIST framework examples for cybersecurity risks is still useful for the mechanics, but every scenario in it deserves a 2.0 refresh.

How to Identify Cybersecurity Risks with NIST: The 2026 Practitioner's Playbook

Figure 1: The old article cited $3.86 million. 2025 reality is higher, with a record U.S. figure of $10.22M. Anyone trying to identify cybersecurity risks with NIST needs to recalibrate loss magnitudes annually.

The gap between what the 2023 guide said and what 2026 practitioners need looks like this:

| Dimension | 2023 Assumption | 2026 Reality |
|---|---|---|
| Core functions in CSF | 5 (Identify, Protect, Detect, Respond, Recover) | 6 — Govern added in CSF 2.0 (Feb 2024) |
| Average breach cost | $3.86M (global) | $4.44M global / $10.22M U.S. (IBM 2025) |
| Ransomware prevalence | Rising threat | Present in 44% of breaches; 88% of SMB breaches (DBIR 2025) |
| Supply-chain breaches | Emerging concern | 30% of all breaches (2× YoY); 297 incidents in 2025 |
| AI-related risk | Not covered | 72% YoY rise in AI attacks; NIST AI RMF now live |
| Board engagement | Quarterly dashboard | Real-time KRIs + risk appetite statements tied to Govern |

The Six Functions Every NIST Cybersecurity Risks Program Must Master in 2026

Bridging from the legacy model to the current one starts with a hard relook at the six functions.

Practitioners who still describe CSF as ‘the five pillars’ are missing the point of the 2024 revision. Each function answers a different strategic question when you identify cybersecurity risks with NIST:

Figure 2: The NIST CSF 2.0 ring — Govern (red) is the 2024 addition that moves risk identification from an IT exercise into a board-level governance discipline.

Govern — Where Boards Actually Identify Cybersecurity Risks with NIST Oversight

Govern is the function the original 14-tip article never mentioned — because it didn’t exist yet. It covers organizational context, risk management strategy, roles and responsibilities, policy, oversight, and cybersecurity supply chain risk management.

In practice, it asks: who owns cyber risk decisions, what appetite have they set, and how do they verify that first-line teams stay inside it?

For boards and risk committees, Govern is the lever. The U.S. GAO and SEC’s 2023 cybersecurity disclosure rules have both pushed cyber oversight upstream. Organizations that still treat CSF as an IT project fail here first.

Bolt Govern into the same muscle you use for enterprise risk management — same committees, same taxonomy, same appetite statement — so cyber doesn’t live in a parallel universe.

Identify — The Function That Defines the Rest of NIST Cybersecurity Risk Work

In the pre-2.0 layout, Identify covered asset management, business environment, governance, risk assessment, and risk management strategy; CSF 2.0 moves the governance and strategy categories into Govern. Either way, Identify is where you build the inventory of what you actually have — hardware, software, data, people, partners, and the processes that depend on them.

A 2026 Identify function that doesn’t pull from a CMDB, a data catalog, a third-party inventory, and a shadow-IT discovery feed is incomplete.

The practitioners who identify cybersecurity risks with NIST most effectively treat asset visibility as an input, not an output. If you’re still building that foundation, our guide on how to conduct a risk assessment walks the Identify-function steps end-to-end with templates you can reuse.

Protect — Translating NIST Cybersecurity Risks into Control Design

Protect turns identified risks into control choices. This is where NIST SP 800-53 Rev. 5 and ISO/IEC 27001:2022 do their heavy lifting.

Strong identity and access management (including MFA on every privileged account), encryption in transit and at rest, and awareness training are table stakes. Pair the control design with a structured view of risk mitigation strategies so that every control has an owner, a cost, and a residual-risk estimate.

The 2026 twist: Protect now explicitly covers AI model access, prompt-injection defenses, and deepfake-resistant authentication flows.

Detect — How NIST Cybersecurity Risks Become Visible in Real Time

Detect is where the 241-day breach-identification figure comes from — and where AI-augmented monitoring has delivered the clearest ROI.

Organizations using security AI and automation saved $1.9M per breach and shaved 80 days off their containment window in 2025.

If your Detect stack can’t ingest endpoint, identity, network, cloud, and SaaS telemetry into a single view, it’s falling behind. Strong key risk indicators with amber/red thresholds turn that telemetry into decision-ready signal instead of dashboard noise.

Respond — Playbooks That Reflect 2026 NIST Cybersecurity Risks

Respond is the part most organizations think they have covered until they actually use it. The CISA threat advisories and ENISA incident response guidance both show that ransomware playbooks need updating roughly every six months.

Legal hold, regulatory notification windows (the SEC’s four-day clock is now enforced), insurance engagement, and crisis communications all belong in the Respond playbook. A companion incident response plan walkthrough covers the hour-zero, hour-one, and day-one decisions most organizations get wrong first.

Recover — Bringing NIST Cybersecurity Risks Back Under Control

Recover closes the loop. It’s where ISO 22301 business continuity disciplines meet cybersecurity. Recovery time objectives, tested backup integrity, post-incident reviews, and board reporting all live here.

Most organizations score adequately on plans and poorly on exercises — which is why tabletop and full simulation cadence is the best proxy for Recover maturity.

If you haven’t lined up your cyber playbooks with your business continuity plan and disaster recovery architecture, start there before you buy another tool.

The 2025 Threat Data Reshaping How We Identify Cybersecurity Risks with NIST

The functions tell you where to look. The data tells you how hard to look. If the original article’s lone statistic was a single IBM number, this rewrite leans on three primary-source datasets that shaped 2025: the Verizon Data Breach Investigations Report, the IBM Cost of a Data Breach Report, and the NISTIR 8286A integration guidance.

Figure 3: 2025 threat-vector prevalence. Any effort to identify cybersecurity risks with NIST that omits ransomware, phishing, and third-party access is missing more than half the modern attack surface.

Ransomware now appears in 44% of breaches (up 37% YoY) and 88% of SMB breach cases. Phishing — still the oldest trick in the book — initiates more than 90% of successful intrusions according to CISA.

The median ransom paid dropped to $115,000 as more victims refused to pay, but recovery costs and downtime did not.

Treat these two vectors as default entries in every CSF Identify risk register, and reinforce them with ransomware-specific risk assessment and phishing-focused control testing rather than generic awareness decks.

Supply Chain, AI, and the New NIST Cybersecurity Risks Frontier

Ransomware and phishing are the classics. What separates 2026 programs from 2023 programs is how they treat two newer risk domains: supply chain and AI.

Figure 4: Third-party breach share doubled in 2025, while supply-chain attack incident counts nearly doubled year-over-year. Identify-function work that stops at the corporate firewall now misses the dominant intrusion path.

Thirty percent of breaches now involve a third party. The NIST C-SCRM program and its companion publication NIST SP 800-161r1 give you the architecture: vendor inventory, criticality tiering, contractual controls, continuous monitoring, and offboarding.

Practitioners who identify cybersecurity risks with NIST in a supply-chain-aware way carry a living vendor register with real-time risk scores, not an annual spreadsheet.

If you’re starting from scratch, the third-party risk management fundamentals walk-through lays out the operating model, from onboarding due diligence through exit.

Figure 5: AI-powered cybersecurity risks exploded in 2025. The practitioner response is the NIST AI RMF, not a separate standalone program.

Then there is AI. AI-powered attacks rose 72% year-over-year, deepfake fraud attempts surged 2,137% over three years, and U.S. financial-fraud losses tied to AI reached $12.5 billion in 2025.

Most organizations are not ready: 80% lack formal deepfake response protocols, per DeepStrike’s 2026 threat report. NIST’s response is the AI Risk Management Framework — layer it onto CSF 2.0 rather than running it as a parallel silo.

The Identify function expands to cover model inventory, training-data provenance, and prompt-injection attack surfaces. Readers building out AI governance should start with the AI risk management primer and work the CSF crosswalk from there.

A Seven-Step Method to Identify Cybersecurity Risks with NIST

Theory tells you why. This section shows you how. Here is a seven-step method that practitioners can run end-to-end in a quarter, adapted from NIST SP 800-30 and tested against every 2025 threat pattern above.

If you want a quantitative companion, the quantitative risk analysis primer shows how to turn these steps into Monte Carlo-ready models.

| # | Step | What it produces | Primary tooling |
|---|---|---|---|
| 1 | Define scope and context (Govern + Identify) | Business-aligned risk universe; risk appetite statement | CSF 2.0, ISO 31000, board-approved charter |
| 2 | Inventory assets, data, and dependencies | CMDB + data catalog + vendor register + AI model register | ServiceNow, Axonius, OneTrust, third-party risk platforms |
| 3 | Identify threats and vulnerabilities | Threat catalog tied to MITRE ATT&CK; current CVE feed | MITRE ATT&CK, CISA KEV, vulnerability scanners |
| 4 | Assess likelihood and impact | Quantified risk register (qualitative + monetized tail risk) | FAIR, NISTIR 8286A, Monte Carlo models |
| 5 | Prioritize with risk appetite and materiality | Treatment decisions (accept, mitigate, transfer, avoid) | Risk committee, heatmap, 3LoD sign-off |
| 6 | Design controls and monitoring (Protect + Detect) | Control map aligned to SP 800-53, KRIs with thresholds | SP 800-53 Rev. 5, ISO 27001 Annex A, SIEM/XDR |
| 7 | Monitor, re-score, report (Govern + continuous) | Board dashboards; quarterly re-assessment; lessons learned loop | GRC platform, exercise program, red/purple teaming |

A Worked Example — How One Mid-Market Firm Used NIST to Identify Cybersecurity Risks

Consider a 1,200-employee manufacturing firm with three plants, six major suppliers, and a recently deployed AI-based quality inspection system.

Walking the seven-step method looks like this: the GRC lead runs a Govern workshop to reaffirm a ‘no uninsured losses over $5M’ appetite; the security architect maps assets across on-prem OT, cloud, and the AI inference stack; the threat team overlays MITRE ATT&CK for ICS and CISA KEV; a FAIR model estimates loss exposure at $8.3M with 80% confidence for the top three scenarios (ransomware on OT, vendor compromise, deepfake CFO fraud).

The board accepts two risks inside appetite and directs $2.1M of control spend at the rest — mostly on network segmentation, identity modernization, and a phishing-resistant MFA rollout.

Three quarters later, a simulated deepfake wire-fraud attempt fails because the treasury team followed a callback protocol designed from that exercise.

This is what it looks like when a program actually works, and the pattern maps cleanly to the operational risk management discipline most mid-market firms already have. The risk register template library has the starter scoring rubric we used in this example.
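As an added illustration (not code from the article, from NIST, or from the FAIR standard), the Python model below runs step 4 (quantified register) and step 7 (re-scoring cadence and KRI thresholds) of the method against the three worked-example scenarios: a FAIR-style Monte Carlo simulation gives an annual loss distribution, a KRI flags how often the simulated year breaches the $5M appetite, and a staleness check finds register entries that have not been re-scored within a quarter. The scenario frequencies and loss ranges, the 90-day cut-off, and the amber/red thresholds are all constructed assumptions.

```python
"""Added example, not from the article or any NIST/FAIR publication: a
FAIR-style Monte Carlo loss model for the three worked-example scenarios,
plus the re-scoring and KRI-threshold checks the playbook calls for.
Every scenario figure below is constructed for illustration."""
import math
import random
from dataclasses import dataclass
from datetime import date

Z90 = 1.6449  # z-score bounding a two-sided 90% interval (5th..95th percentile)


@dataclass
class Scenario:
    name: str
    lef_per_year: float  # FAIR loss event frequency: expected events per year
    lm_low: float        # 5th percentile of loss magnitude per event, USD
    lm_high: float       # 95th percentile of loss magnitude per event, USD
    last_scored: date    # when likelihood and impact were last re-scored


def lognormal_params(low, high):
    """Convert a 90% confidence interval into lognormal (mu, sigma)."""
    mu = (math.log(low) + math.log(high)) / 2
    sigma = (math.log(high) - math.log(low)) / (2 * Z90)
    return mu, sigma


def poisson(rng, lam):
    """Sample a yearly event count (Knuth's method; fine for small rates)."""
    threshold, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def percentile(values, q):
    """Nearest-rank percentile for q in [0, 1]."""
    ordered = sorted(values)
    idx = min(len(ordered) - 1, max(0, math.ceil(q * len(ordered)) - 1))
    return ordered[idx]


def simulate_annual_loss(scenarios, trials=20000, seed=7):
    """One simulated year per trial: total loss summed across all scenarios."""
    rng = random.Random(seed)
    params = [(s, *lognormal_params(s.lm_low, s.lm_high)) for s in scenarios]
    totals = []
    for _ in range(trials):
        year_loss = 0.0
        for s, mu, sigma in params:
            for _ in range(poisson(rng, s.lef_per_year)):
                year_loss += rng.lognormvariate(mu, sigma)
        totals.append(year_loss)
    return totals


def loss_summary(scenarios, appetite_usd, **kw):
    """Expected annual loss, tail percentiles, and P(annual loss > appetite)."""
    losses = simulate_annual_loss(scenarios, **kw)
    return {
        "expected_annual_loss": sum(losses) / len(losses),
        "p80": percentile(losses, 0.80),
        "p95": percentile(losses, 0.95),
        "p_exceed_appetite": sum(x > appetite_usd for x in losses) / len(losses),
    }


def kri_status(p_exceed, amber=0.05, red=0.10):
    """Green/amber/red KRI on the probability of breaching risk appetite."""
    return "red" if p_exceed >= red else "amber" if p_exceed >= amber else "green"


def stale_scenarios(scenarios, as_of, max_age_days=90):
    """Register entries whose scores are older than the quarterly cadence."""
    return [s.name for s in scenarios if (as_of - s.last_scored).days > max_age_days]


# Constructed register for the manufacturer in the worked example (assumed values).
REGISTER = [
    Scenario("Ransomware on OT", 0.30, 500_000, 6_000_000, date(2025, 11, 3)),
    Scenario("Vendor compromise", 0.50, 100_000, 3_000_000, date(2024, 9, 12)),
    Scenario("Deepfake CFO fraud", 0.80, 50_000, 1_500_000, date(2025, 12, 1)),
]
AS_OF = date(2026, 1, 15)

if __name__ == "__main__":
    summary = loss_summary(REGISTER, appetite_usd=5_000_000)  # 'no losses over $5M'
    print({k: round(v, 3) for k, v in summary.items()})
    print("appetite KRI:", kri_status(summary["p_exceed_appetite"]))
    print("needs re-scoring:", stale_scenarios(REGISTER, AS_OF))
```

The staleness check is the mechanical version of the opening anecdote: a scenario last scored 14 months ago is reported before its likelihood is trusted.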

Implementation Tiers — The NIST Cybersecurity Risks Maturity Ladder

Having a method isn’t the same as running it well. NIST CSF 2.0 describes four Implementation Tiers — Partial, Risk Informed, Repeatable, and Adaptive — that signal how mature your program actually is.

Honest self-assessment here is what separates practitioners who quietly improve from those who repeat the same board slide for three years.

Our cybersecurity maturity model breakdown cross-walks CSF tiers with CMMC levels and ISO 27001 certification stages for programs that need to straddle all three.

Figure 6: NIST CSF Implementation Tier distribution by sector, 2025 composite estimate. Most mid-market and SMB organizations sit in Tiers 1–2; Adaptive (Tier 4) remains rare outside regulated finance.

| Tier | What ‘good’ looks like | Typical risk register cadence | What to push next |
|---|---|---|---|
| 1 — Partial | Ad hoc risk identification; no formal processes; limited awareness | Annual or event-driven | Build a real asset inventory; adopt a standard taxonomy |
| 2 — Risk Informed | Policies exist but not consistently applied; leadership aware but not engaged | Semi-annual | Stand up a governance committee; define risk appetite |
| 3 — Repeatable | Organization-wide approach; formal processes; regular updates | Quarterly | Quantify top risks; integrate with ERM; add continuous monitoring |
| 4 — Adaptive | Continuous improvement; predictive analytics; real-time KRIs | Continuous | Integrate AI risk management; run purple-team exercises quarterly |

Regulatory and Standards Context for NIST Cybersecurity Risks in 2026

Regulators have caught up to practitioners. Identifying risks now has statutory weight in most major jurisdictions, which is why the Govern function matters so much.

Anyone who attempts to identify cybersecurity risks with NIST without mapping the parallel compliance obligations runs the risk of a technically sound program that still gets fined.

The compliance risk management overview pairs this table with the ownership-and-evidence model most regulators now expect.

| Regulation / Standard | What it requires | CSF 2.0 mapping |
|---|---|---|
| SEC cybersecurity disclosure rules (2023, enforced 2024+) | Material incident disclosure within 4 business days; annual risk management discussion | Govern, Identify, Respond |
| EU NIS2 Directive (effective October 2024) | Risk-based approach, supply chain controls, incident reporting within 24 hours | Govern, Identify, Protect, Respond |
| EU AI Act (2024, phased implementation 2025–2026) | Risk classification of AI systems; governance for high-risk models | Govern, Identify (AI register) |
| HIPAA Security Rule (updated 2025 proposed rule) | Risk analysis as required safeguard; encryption; MFA | Identify, Protect |
| ISO/IEC 27001:2022 | ISMS requirements; 93 Annex A controls; continual improvement | Full CSF mapping; SP 800-53 crosswalk available |
| DORA (EU financial services, 2025) | ICT risk management, third-party oversight, resilience testing | Govern, Identify, Respond, Recover |

Where Programs to Identify Cybersecurity Risks with NIST Stall — And How to Unstick Them

The seven-step method and the tier model are useful. They don’t explain why most programs plateau at Tier 2.

The honest answer is that identification work gets hard once the easy wins are captured.

Here are the patterns that derail programs and the moves that actually work. For an adjacent view focused on design, see our risk management framework design guide — the ‘framework theatre’ trap it describes is the cousin of every pitfall below.

| Pitfall | Root cause | Remedy |
|---|---|---|
| Risk register full of IT jargon no board reads | Risk identified by technical teams in isolation | Rewrite every risk statement as Cause → Event → Consequence; test with a non-technical director |
| Third-party risk is a spreadsheet, not a program | Procurement owns vendors; security owns data; neither owns risk | Create a joint vendor risk committee; automate continuous scoring; run yearly critical-vendor tabletop |
| Controls mapped but never tested | Compliance mindset vs. assurance mindset | Attestation + testing + exercise; 3LoD independence on at least top 10 risks |
| AI risk treated as a separate universe | New topic, new framework, new team | Embed NIST AI RMF into existing CSF Identify register; one unified top-risks view |
| Board dashboard red for 18 months straight | KRIs without thresholds tied to appetite | Every KRI gets a green/amber/red threshold and an owner with authority to act at amber |
| Annual assessment, no continuous signal | Compliance calendar drives work | Shift to quarterly partial reassessments; continuous monitoring on Tier-1 assets |
| Tabletop exercise that never fails | Scenarios designed to validate, not stress | Introduce independent red team; require at least one ‘failure mode’ scenario per year |

Frequently Asked Questions About How to Identify Cybersecurity Risks with NIST

What is the difference between identifying cybersecurity risks with NIST CSF and NIST SP 800-30?

CSF 2.0 is the outcome framework — it tells you what you should be able to demonstrate (Govern, Identify, Protect, Detect, Respond, Recover). SP 800-30 is the methodology — it tells you how to actually run a risk assessment (scope, threat identification, likelihood/impact, prioritization).

In practice, you use CSF 2.0 to define target outcomes and SP 800-30 to generate the evidence underneath.

The NISTIR 8286 series then helps you integrate the output into enterprise risk management so that cyber risk shows up alongside financial and operational risk on the board heatmap.

How often should I reassess risks when I identify cybersecurity risks with NIST?

Tier 1–2 organizations typically run annual assessments, but that cadence leaves too much drift in 2026. The working standard for Tier 3 organizations is a full reassessment annually plus quarterly partial reassessments on critical assets and continuous monitoring on the highest-tier risks.

Any asset, vendor, or process that changes materially (new cloud migration, new third party, new AI model in production) should trigger an ad-hoc reassessment.

The original article’s implicit ‘set it and forget it’ approach is what the 2025 breach data punished.

Does the Govern function replace my existing ERM program when I identify cybersecurity risks with NIST?

No. Govern makes cyber risk a first-class citizen in ERM rather than a side program. In the Three Lines model, Govern is what the second line and board do.

You still run a single enterprise risk framework (usually ISO 31000 or COSO ERM), but your cyber register feeds into it with consistent scoring, taxonomy, and appetite language. When the two don’t reconcile, it’s almost always the cyber register that needs cleanup, not the ERM one.

Which NIST controls matter most if I only have budget for ten?

From SP 800-53 Rev. 5, start with: AC-2 (Account Management), AC-17 (Remote Access with MFA), AU-2 (Audit Events), CM-2 (Baseline Configuration), CP-9 (System Backup with tested restore), IR-4 (Incident Handling), RA-3 (Risk Assessment), SA-12 / SR-3 (Supply Chain Protection), SC-8 / SC-13 (Encryption in Transit and at Rest), and SI-4 (System Monitoring). These ten controls cover roughly 70% of the attack paths in the 2025 DBIR and map cleanly to the CSF Identify, Protect, and Detect functions.

How do I identify cybersecurity risks with NIST for AI systems specifically?

Use the NIST AI RMF (AI 100-1) as a companion to CSF 2.0. The core functions — Govern, Map, Measure, Manage — are deliberately CSF-adjacent.

In practice: maintain an AI model inventory (what runs where, trained on what, used for what decisions); extend your Identify function to cover training data provenance and model access; add specific threat categories for prompt injection, model extraction, and deepfake-enabled social engineering; and treat high-risk models as Tier-1 assets with continuous monitoring.

Regulators under the EU AI Act and emerging U.S. executive orders will require this documentation anyway.

What is the fastest way to improve maturity when I identify cybersecurity risks with NIST?

The highest-leverage move for a Tier-1 or Tier-2 program is not a new tool — it’s a clean asset inventory. Every Tier 3+ program I’ve audited traces back to getting the CMDB, data catalog, and vendor register under one governance model.

Once you know what you have, the rest of the CSF work becomes possible. Without that foundation, every downstream step (threat modeling, control mapping, monitoring) is guesswork.

Budget permitting, pair the inventory with a phishing-resistant MFA deployment — these two moves together change the risk profile more than almost any other combination.

How does identifying cybersecurity risks with NIST integrate with ISO 31000 and COSO ERM?

Cleanly, if you plan it. ISO 31000:2018 gives you the universal risk process (establish context, identify, analyze, evaluate, treat, monitor, communicate). COSO ERM 2017 gives you the governance and strategy layer.

NIST CSF 2.0 gives you the cyber-specific outcomes and controls. The trick is to use one taxonomy across all three — most programs fail by maintaining separate registers. Our ISO 31000 primer and COSO ERM walk-through show the exact crosswalks.

Map every cyber risk in CSF terms and reflect it back into your ERM register using the same likelihood and impact scales. NISTIR 8286A is the bridge document that explains how to do this formally.

What evidence should I keep to prove I actually identify cybersecurity risks with NIST?

At minimum: a dated risk register with owners, scores, and treatment decisions; evidence of asset, vendor, and data inventories tied to the register; the scoring methodology (qualitative matrix and any quantitative model).

Board or risk committee minutes that show the register was reviewed and appetite decisions made; test and exercise logs; third-party attestations where relevant; and incident post-mortems that connect findings back to the register.

Auditors, regulators, and cyber insurers all ask for the same artifacts — build once, reuse everywhere.

The Next Wave: Emerging NIST Cybersecurity Risks Practitioners Can’t Ignore

The FAQ answers what practitioners ask today. This section is what they’ll be asked in 2027. Three shifts are already visible in the data and in NIST’s own roadmap. Programs that plan for them now will not be scrambling in 18 months.

First, quantum-resistant cryptography goes from strategic planning to operational project. NIST’s post-quantum cryptography standards (ML-KEM, ML-DSA, SLH-DSA) were finalized in August 2024. Federal agencies must have a migration plan in 2026.

Every other sector is roughly 12–24 months behind that curve. Identify-function work should now include a cryptographic inventory — what uses RSA, what uses ECC, what data is harvest-now-decrypt-later exposed.

Second, AI-on-AI defense stops being a marketing slogan. With 72% annual growth in AI-powered attacks and 76% of organizations saying they can’t match attacker speed, the only viable answer is automated detection and response at machine scale.

Expect 2026–2027 CSF profile work to explicitly cover autonomous-agent governance — who authorizes an AI defender to take containment action, under what thresholds, with what audit trail.

Third, third-party risk becomes a board-reported KRI, not a procurement checklist. Cascading supply-chain incidents with thousands of downstream victims are now routine. Regulators increasingly require continuous monitoring and contractual right-to-audit.

The leading practice in 2026 is a real-time supplier risk score feeding a top-10 dashboard the risk committee actually reviews, with named remediation owners and deadlines. Our board risk reporting playbook shows how to present these numbers without drowning the committee in detail.

None of this replaces the fundamentals. If you want to identify cybersecurity risks with NIST in a way that survives the next five years, anchor the work in CSF 2.0, use SP 800-30 as your method, integrate AI RMF where models appear, layer ISO 31000 or COSO ERM above it, and iterate quarterly.

The practitioners who win this game aren’t the ones with the most tools. They’re the ones whose risk register actually reflects reality the morning after an incident.

If you’re rebuilding your program to identify cybersecurity risks with NIST this year, we help boards, risk officers, and CISOs do exactly this — from risk appetite statements through quantified scenarios to tier-3 maturity programs.

Explore the Risk Publishing advisory services or get in touch to discuss your CSF 2.0 roadmap.
