How Cyber Security Actually Works
(Step by Step Series)
Most people learn cyber security through theory and certifications, but don’t see how it actually works inside a business or consulting company.
This series walks you through real-world processes from Roger McCluskey, who works in the industry, starting with how a Security Risk Assessment (SRA) begins.
Part 1 - Security Risk Assessment (SRA) Kickoff
In this video you’ll see how a cyber security engagement actually begins and what professionals look for from day one.
This video series is practical: you can follow along and actually practice.
Who this is for:
Want to break into cyber security
Are studying but unsure how it applies in real roles
Want to understand how to approach risk.
What is a Security Risk Assessment (SRA)?
A Security Risk Assessment (SRA) is a structured process used to identify, analyse, and evaluate potential risks to an organisation’s systems, data, and business operations (internally and externally).
In the Governance, Risk & Compliance (GRC) area of cyber security, it’s one of the first steps taken before implementing controls or technical and operational solutions. Instead of jumping straight into tools and automated GRC platforms, professionals assess what needs to be protected, where the risks are, and how those risks could impact the business.
An SRA typically involves:
Understanding the business (inside and out, including any external providers that support the delivery of the business) and its critical assets
Identifying potential threats and vulnerabilities (again internally and externally, technical and operational)
Assessing the likelihood and impact of risks
Prioritising which risks need to be addressed
This process helps organisations make informed decisions about security, including privacy, rather than relying on assumptions or generic checklists. Think of it like a detective assessing a crime scene.
How does a Security Risk Assessment work in cyber security?
In practice, a Security Risk Assessment follows a step-by-step approach that combines both technical understanding and business context.
It usually begins with a kickoff phase, where key stakeholders are identified and initial information is gathered about the organisation, its systems, and how the business operates.
From there, professionals:
Gather detailed information about systems, processes, and data
Identify potential risks based on real-world scenarios
Evaluate how those risks could affect the business operations
Recommend appropriate controls or actions to prevent identified risks
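The "assess likelihood and impact, then prioritise" steps above (and the same steps in the earlier list) are usually recorded in a risk register. The register below is an added example written for this page, not Roger's own material: the 1-5 scales, rating bands, appetite threshold and sample risks are all constructed assumptions, and it shows how a scored register turns into a priority list of which risks must be addressed first.

```python
from dataclasses import dataclass

# Likelihood and impact are scored 1 (very low) to 5 (very high). The bands,
# the appetite threshold and the register are constructed for this example.
RATING_BANDS = [(1, 4, "Low"), (5, 9, "Medium"), (10, 14, "High"), (15, 25, "Critical")]
RISK_APPETITE = 9  # scores above this must be treated, not just accepted


@dataclass
class Risk:
    asset: str        # what needs protecting, internal or an external provider
    threat: str       # real-world scenario that could affect it
    likelihood: int   # 1-5
    impact: int       # 1-5, judged in business terms (revenue, operations, privacy)

    def score(self) -> int:
        return self.likelihood * self.impact

    def rating(self) -> str:
        s = self.score()
        for lo, hi, band in RATING_BANDS:
            if lo <= s <= hi:
                return band
        raise ValueError(f"score {s} is outside 1..25")


def prioritise(register: list[Risk]) -> list[Risk]:
    """Order risks highest score first; ties go to the higher business impact."""
    for r in register:
        if not (1 <= r.likelihood <= 5 and 1 <= r.impact <= 5):
            raise ValueError(f"{r.asset}: likelihood and impact must be 1..5")
    return sorted(register, key=lambda r: (r.score(), r.impact), reverse=True)


def needs_treatment(register: list[Risk]) -> list[str]:
    """Assets whose risk exceeds the appetite threshold and need a control or action."""
    return [r.asset for r in prioritise(register) if r.score() > RISK_APPETITE]


# Constructed sample register: internal systems plus one external supplier.
SAMPLE_REGISTER = [
    Risk("Customer database", "Credential theft via phishing", 4, 5),
    Risk("Payroll provider (external)", "Supplier breach exposes staff data", 2, 4),
    Risk("Office Wi-Fi", "Guest network can reach internal systems", 3, 2),
    Risk("Backups", "Ransomware encrypts online backups", 3, 5),
]

if __name__ == "__main__":
    for r in prioritise(SAMPLE_REGISTER):
        print(f"{r.score():>2} {r.rating():<8} {r.asset}: {r.threat}")
```

The numbers are only as good as the stakeholder conversations behind them, which is why the scoring is a recording tool for judgement rather than a substitute for it.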
What makes this process valuable is not just identifying risks, but understanding them in the context of the business.
This is why cyber security is not just technical. It requires strong critical thinking, clear communication (both verbal and written), and the ability to translate risk into business impact so leaders can understand it, gain buy-in, and make informed decisions.
It goes far beyond checklists and automated GRC platforms. While tools can support and speed up the process, it still requires human oversight, judgement, and an understanding of how people and organisations actually operate.
Effective cyber professionals know how to:
Ask better questions
Challenge assumptions
Read the room when engaging with stakeholders
Uncover risks that aren’t immediately obvious
Most importantly, a Security Risk Assessment is not a one-off activity. It is part of an ongoing process that helps a business stay secure, resilient, and able to adapt as it grows and evolves.
Watch Roger’s video as he dives deeper into the first step of a Security Risk Assessment where he also provides some AI prompts that you can apply and practice.
Continue the Series:
Part 2: Information Gathering (Coming Soon)
Next, Roger will show how professionals gather information during a real SRA, a critical step most courses skip.
Subscribe to Cyber Rookie YouTube channel so you don’t miss the next series.
Not sure if you could actually do this yet?
Take the free Cyber Readiness Scorecard and when completed you will walk away with:
Your cyber career readiness score
A report highlighting where your biggest gaps are
What to focus on next
How close you are to being job-ready
Want to move from learning to actually doing?
Instead of figuring it out on your own, you can join the Cyber Rookie Skills Lab and follow a hands-on path with real-world simulated scenarios.