Done well, cybersecurity risk management can strengthen organisational resilience, protect reputation, and build trust with customers and stakeholders.
In a recent webinar, Daryl Flack, co-founder and CISO of BlockPhish, joined Praxis42 to share practical insight drawn from more than two decades of leading cybersecurity programmes across complex organisations, including supporting the UK Government.
In this article, we share Daryl’s insights, covering the key components of an effective cybersecurity risk management strategy, and explaining how organisations can put those principles into action with confidence.
The threat landscape is ever-changing
Cybersecurity doesn’t exist in a vacuum. Wider geopolitical tensions can increase attack volumes, shift targets, and create “collateral damage” where incidents aimed elsewhere spill into UK organisations. That’s one reason the UK’s technical authority, the National Cyber Security Centre (NCSC), has repeatedly urged organisations to bolster online defences and ensure incident response plans are ready.
But beyond geopolitics, today’s threat landscape is shaped by two truths:
- Every organisation has something of value. Personal data, commercially sensitive information, intellectual property, access to client systems, and reliable cashflow all create opportunity for extortion or fraud.
- Attackers don’t need brilliance — they need time and opportunity. Many breaches rely on human interaction: a convincing email, an urgent request, a familiar brand, or a moment of distraction.
At Praxis42, we experienced first-hand how subtle and sophisticated attacks can be. An attacker gained access to an Office 365 account and quietly monitored email traffic before attempting to persuade a client to change bank details for a routine payment. The compromise only came to light when the client queried the unusual request.
It was a powerful reminder that cyber incidents are not always dramatic or immediately visible. Without robust monitoring, clear processes and a structured approach to managing cybersecurity risk, organisations can be compromised without realising it.
Cybersecurity resembles safety management
One of the most useful ways to think about cybersecurity is through the lens of risk management.
In health and safety, competence, reporting culture, and routine vigilance keep people safe day-to-day. Cybersecurity is similar. Controls matter, but so does the organisational muscle memory that says: pause, check, challenge, report.
That comparison is more than a metaphor. It influences your cybersecurity and risk management approach:
- You focus on behaviour, not blame.
- You make reporting easy and safe.
- You train little-and-often, not once-a-year.
- You design the system to tolerate human error — because humans will err.
This cultural foundation is central to any effective cybersecurity risk management process.
Ransomware is one of the most disruptive threats
Ransomware remains one of the most disruptive threats because it has evolved from simple encryption into multi-pronged extortion. Today, attackers may:
- encrypt systems to halt operations,
- exfiltrate data to enable “hack and leak” pressure,
- delete data or damage backups to remove recovery options, and
- launch denial-of-service attacks to compound disruption and reputational harm.
The anatomy of an attack is often predictable: an initial foothold (frequently phishing), followed by attempts to disable protections, move laterally, identify valuable data, destroy backups, and then trigger maximum disruption.
The key takeaway for risk management in cybersecurity is clear: assume compromise is possible and ensure recovery is realistic.
Why personal cyber habits matter
Hybrid working has blurred the boundary between personal and corporate security. The habits people practise at home become the habits they bring to work, and vice versa.
To ensure effective cybersecurity in the office, encourage strong cyber habits at home too. Practical steps include:
- using a reputable password manager (especially for large numbers of accounts),
- enabling multi-factor authentication on key services,
- keeping devices and apps up to date with automatic updates,
- backing up data (with attention to ransomware risk), and
- using built-in protections like device encryption and firewalls.
None of this removes the need for scepticism. Even multi-factor authentication can be defeated with sophisticated phishing. But these steps reduce the number of easy wins attackers rely on and support overall cybersecurity risk management best practices.
The ten steps of a cybersecurity management programme
What does a successful cybersecurity management programme look like in practice? This structured ten-part framework forms a practical blueprint for strengthening resilience and supporting a robust cybersecurity risk management strategy across your organisation.
1. Risk management
Make risk-based decisions that reflect your organisation’s risk appetite, regulatory obligations, and priorities. Effective cybersecurity risk management ensures resources are targeted where they matter most.
2. Engagement and training
Leaders must set the tone. Effective training is bite-sized, regular, role-aware, and built around dialogue. People need to know what good looks like and feel safe reporting mistakes quickly.
3. Asset management
You can’t protect what you don’t know exists. Identify critical services, systems, data, and dependencies. Keep the inventory current and retire assets securely.
4. Architecture and configuration
Build and configure systems to be secure by design, maintainable, and easy to update. Reduce complexity where possible and design for detection, not just prevention.
5. Vulnerability management
Apply patches promptly, manage legacy systems sensibly (including segmentation), and maintain clear vulnerability disclosure processes so issues can be raised and resolved quickly.
6. Identity and access management
Control access based on need, use strong authentication (including multi-factor), and monitor for anomalous behaviour.
7. Data security
Protect data in line with its value and risk. Back up properly (including offline options) and securely sanitise or destroy storage media at end of life.
8. Logging and monitoring
Don’t drown in alerts. Define what “useful” looks like, focus on the events that matter, and build clear playbooks for investigation and response.
9. Incident management
Prepare concise, usable response playbooks and practise them. A 200-page plan won’t help in a crisis. Include communications planning and consider external support for protracted incidents.
10. Supply chain security
Map your supply chain, embed security into procurement and contracting, and assess supplier posture with evidence rather than assumptions. Supply chain compromise is a common route in and a common way out, which makes it a critical element of modern cybersecurity risk management strategies.
The hidden multiplier: psychological safety
One of the most overlooked controls in cybersecurity is culture. If people fear repercussions, they hide mistakes. If they hide mistakes, attackers gain time. And time is what turns a containable incident into a serious breach.
A strong programme makes reporting normal, expected, and supported, in the same way that a positive safety culture encourages people to raise near-misses or hazards without fear of blame.
What leaders should take away
If you’re responsible for risk, operations, compliance, or customer trust, cybersecurity is already part of your remit. The question is whether your cybersecurity risk management strategy is built around:
- today’s real threats, rather than last year’s assumptions,
- human behaviour, not wishful thinking,
- practised response, not documentation, and
- supply chain reality, not box-ticking.
No organisation can eliminate cyber risk entirely. However, you can reduce the likelihood of compromise, improve how quickly threats are identified, and strengthen your ability to recover with minimal disruption, all of which are core outcomes of effectively managing cybersecurity risk.
Strengthen your cybersecurity capability
An effective cybersecurity risk management strategy depends on people who understand the risks and know how to respond. Our professional cyber security training courses provide practical, role-specific guidance to help employees and managers recognise threats, reduce vulnerabilities and support compliance.
Explore our Cyber Security Awareness Training for Employees and Cyber Security Training for Managers to reinforce your organisation’s security culture and strengthen day-to-day risk management.

Tom Paxman
Managing Director (Digital)
