Sign in Subscribe
6 min read risk

From Risk to a Running Program

Most security programs don’t fail from lack of effort they fail from lack of risk anchoring. This post ties it all together: define risk (800-30), execute with intent (CSF, 800-53, 800-37), scale with governance (800-39), and apply the same discipline to AI. Risk first. Always.
From Risk to a Running Program
Photo by Louie Martinez / Unsplash

This post includes a practical checklist to bootstrap and scale a risk-driven security program.

This series started with a simple premise: Most security programs don’t fail because teams aren’t working hard. They fail because the work isn’t anchored to risk.

Over the last few posts, we built a practical path from risk discovery to execution without turning security into theater, and without requiring enterprise-scale process on day one.

This final post is a roll-up:

  • A quick recap of Blogs 1–4
  • A practical checklist you can use immediately
  • An as you grow section for SP 800-39 so the program scales cleanly
  • Applying the NIST AI Risk Management Framework (AI RMF)

What We Built in Posts 1–4

Post 1: Why Risk Must Come First

Security exists to reduce uncertainty around bad outcomes. Without risk anchoring, security becomes a collection of tasks instead of a program.

You also saw why I intentionally flipped the “classic” NIST order for small-to-mid organizations: 800-30 → 800-37 → 800-39

Because you can’t govern risks you haven’t seen, or prioritize controls without understanding impact.

Post 2: Understanding the Risk You Have

You don’t need to inventory the universe. Start with 3–5 foundational risks that are always present: identity compromise, access creep, patching gaps, recovery failure, data exposure.

The core skill: writing risk statements with precision, not verbosity.

Post 3: The Risk Register

This is where risk becomes operational:

  • consistent scoring (simple beats perfect)
  • clear owners
  • explicit treatment decisions
  • a record of tradeoffs

A risk register isn’t bureaucracy. It’s how execution becomes intentional.

Post 4: Turning Risk into Security Work

This is the translation layer:

  • CSF 2.0 provides outcome structure
  • 800-53 provides safeguards (controls are not goals)
  • 800-37 provides lifecycle discipline

And importantly: risk drives the target maturity state so you stop arguing opinions and start prioritizing based on documented exposure.

The Checklist

A practical Do This Next path for small-to-mid organizations – use this as a minimal, workable program you can run in the real world.

  1. Establish Your Risk Backbone
    1. Goal: a small, defensible list of risks you can stand behind
      1. Choose a risk statement format and enforce it
      2. Identify 3-5 foundational risks (start small)
      3. Define your likelihood and impact scales (simple is fine)
      4. Score consistently and define decision authority based on risk level
  2. Build a Living Risk Register
    1. Goal: risk becomes visible, trackable, and discussable
      1. Assign an owner to each risk
      2. Choose a treatment approach (mitigate / accept / transfer / avoid)
      3. Create a review cadence (monthly/quarterly pick one and stick to it)
      4. Link risks to work
  3. Translate Risk into Outcomes with CSF 2.0
    1. Goal: an outcome driven roadmap that is coherent and easy to explain
      1. Map each top risk to CSF functions and outcomes (don’t overdo it)
      2. Establish maturity scoring (current vs target)
      3. Use risk severity to justify target maturity
  4. Select Controls with Intent with 800-53 Rev. 5
    1. Goal: safeguards that exist for a reason, tied to a documented risk
      1. Identify 1–3 control families per risk
      2. Select a small set of controls that close the maturity gaps
      3. Define what “implemented” means for controls
  5. Run the Lifecycle with 800-37
    1. Goal: lifecycle closes risk drives work, and monitoring informs reassessment
      1. Implement controls with ownership
      2. Assess effectiveness (lightweight is fine)
      3. Monitor continuously (even if continuous starts as monthly or manually)

As You Grow: Where SP 800-39 Comes In

At small scale, you can manage risk within the security function. At larger scale, risk must become enterprise language.

This is the role of NIST SP 800-39.

SP 800-39 formalizes risk management across three tiers:

  • Tier 1: Organization: risk appetite, governance, executive oversight
  • Tier 2: Business Process: priorities, investment alignment, operational risk decisions
  • Tier 3: Systems: controls, implementation, technical execution

So when do you formally lean into 800-39? Usually when one or more of these begin to happen, signaling that risk has outgrown the security team:

  • The board starts asking for formal risk appetite statements.
  • Business leaders want to understand tradeoffs between growth and control investment.
  • Security decisions begin to impact revenue, product timelines, or customer commitments.
  • Different business units begin interpreting risk differently.
  • You find yourself saying, “Security doesn’t own that risk,” but there’s no clear owner.

The discipline you developed at Tier 3 with clear risk statements, consistent scoring, lifecycle execution becomes the foundation for enterprise alignment. As the organization scales, you are able to backfill Tier 1 and Tier 2 governance:

  • Risk appetite becomes explicit (what outcomes are unacceptable?)
  • Business leaders become risk owners (not just security)
  • KPIs become enterprise KPIs (not only security activity metrics)
  • Security becomes the translator and operator—not the sole owner

Everything you built in this series starts at Tier 3 and grows upward.

Applying This to AI

Start with Understanding the Risk You Have (Post 2). AI does not change the fundamentals of risk. It changes the shape of exposure. The right starting point is the same discipline we practiced earlier:

There is a risk that [what could go wrong] due to [how it could happen], resulting in [business impact].

Apply that to AI. Some examples:

  • There is a risk that sensitive customer data could be exposed due to improper prompt handling in an AI assistant, resulting in regulatory and contractual impact.
  • There is a risk that AI-generated content could produce harmful or inaccurate outputs due to insufficient evaluation controls, resulting in reputational damage.
  • There is a risk that proprietary data could be incorporated into third-party models due to misconfigured integrations, resulting in intellectual property loss.

Notice that these aren't AI issues, per se. They are business risks expressed through AI systems. Once you've identified the risks, add them to the risk register, score them the same way, assign owners, and define unacceptable outcomes. Then the NIST AI RMF becomes useful and plugs into the existing risk program.

The AI RMF introduces four functions:

  • Govern (aligns with SP 800-39 thinking)
  • Map (aligns with risk discovery Post 2)
  • Measure (aligns with scoring and evaluation)
  • Manage (aligns with RMF lifecycle execution in SP 800-37)

AI is not a new risk program; rather it is a new domain. If your foundational program is sound, AI risk enters the same register, follows the same scoring discipline, and is mitigated through the same control lifecycle. The practical take away is that you should inventory AI use cases, write 3-5 risk statements, score them, identify unacceptable outcomes, and assign owners to mitigate those risks using controls.

Final Thought

The goal was never to build a perfect risk model. It was to build a program that makes better decisions. If you can consistently answer:

  • What could go wrong?
  • How likely is it?
  • What are we doing about it?
  • Who owns decisions?

You're running a risk-driven security program.

NIST SP 800-30 Rev. 1 — Guide for Conducting Risk Assessments

Purpose: Detailed guidance for performing risk assessments and identifying threats, vulnerabilities, likelihood, and impact, and communicating results in a repeatable way.

Why it matters: This is the practical how-to behind risk discovery and the risk register: prepare → assess → communicate → maintain.

Download / View SP 800-30 Rev. 1 (PDF)

NIST SP 800-37 Rev. 2 — Risk Management Framework (RMF)

Purpose: Defines a lifecycle approach for integrating security/privacy risk into system operations and connecting risk assessment to control selection, implementation, assessment, authorization, and continuous monitoring.

Why it matters: RMF is how you keep the program from becoming a one-time sprint. It closes the loop: risk drives control selection, and monitoring drives reassessment.

Download / View SP 800-37 Rev. 2 (PDF)

NIST SP 800-39 — Managing Information Security Risk (Enterprise View)

Purpose: Organization-wide risk management guidance across three tiers: organization, mission/business process, and information system.

Why it matters: This is the as you grow blueprint and explains how risk becomes enterprise governance and how security risk becomes business risk language.

Download / View SP 800-39 (PDF)

NIST CSF 2.0 — The NIST Cybersecurity Framework

Purpose: A cross-industry framework of outcome-based cybersecurity functions (including the new, first-class Govern function) to help organizations manage and communicate cybersecurity risk.

Why it matters: CSF is the translation layer between risk and a coherent, balanced security program and it helps you organize what outcomes you need, without prescribing specific controls.

View CSF 2.0 (final) (web page)

Download CSF 2.0 (PDF)

CSF Tools Website

NIST SP 800-53 Rev. 5 — Security and Privacy Controls

Purpose: The control catalog organized into families covering safeguards for both security and privacy risk.

Why it matters: CSF describes outcomes. 800-53 describes safeguards you can select to achieve those outcomes. Controls are risk responses, not goals.

CSRC landing page (includes updates/resources)

Download / View SP 800-53 Rev. 5 (PDF)

CSF Tools Website

NIST AI RMF 1.0 — Artificial Intelligence Risk Management Framework

Purpose: A voluntary framework to manage AI risks using four functions: Govern, Map, Measure, Manage and is designed for organizations building, buying, deploying, or operating AI.

Why it matters: It gives you a common structure for AI risk so AI doesn’t become an exception outside your security and risk program.

Download / View AI RMF 1.0 (PDF)

AI RMF main page (hub)

View the AI RMF Playbook

RMF Publications Hub

NIST AI 600-1 — Generative AI Profile (Companion to AI RMF)

Purpose: A GenAI-specific profile that maps AI RMF concepts to generative AI risk considerations and suggested actions.

Why it matters: If your AI risk work includes GenAI (most does now), this profile helps you focus on GenAI-shaped risks without reinventing your own taxonomy.

Download / View NIST AI 600-1 (PDF)

NIST SP 800-53A Rev. 5 — Assessment Procedures

Purpose: Procedures for assessing whether controls are implemented correctly and operating as intended.

Download / View NIST SP 800-53A Rev. 5 (PDF)

NIST SP 800-53B — Control Baselines

Purpose: Baselines (low/moderate/high + privacy) and tailoring guidance to help choose a starting control set.

Download / View SP 800-53B (PDF)

Published by:

Brian W.

You might also like...

19
Feb

Turning Risk into Security Work

7 min read
02
Feb

The Risk Register - Making Risk Actionable

7 min read
28
Jan

Understanding the Risk you Have

5 min read
26
Jan

It starts with Risk - Leveling up with NIST

5 min read