At a sleepy aerospace subcontractor in the Florida panhandle, things were... quiet. Too quiet. The company, SpaceJunk Dynamics, had just landed a juicy DoD contract and was scrambling to meet CMMC Level 2 requirements. But their idea of risk management? A dusty Excel sheet last updated during the Obama administration.

Enter Evie Champ, a newly hired Security Risk Analyst with a knack for spotting trouble before it hits. Her first day on the job, she asked a simple question:

“What’s our top cyber risk?”

The answer? Crickets.

Maya knew that real risk management wasn’t about fear—it was about clarity. She started with the basics:

🔍 Step 1: Identify Assets

• Controlled Unclassified Information (CUI)

• Engineering schematics

• Remote access systems

⚠️ Step 2: Identify Threats & Vulnerabilities

• Phishing attacks

• Unpatched VPN software

• Overprivileged user accounts

📊 Step 3: Assess Risk

Using a simple risk matrix, Maya rated each risk by likelihood and impact. She aligned her findings with NIST SP 800-171 Rev 2, especially:

• 3.11.1: Periodically assess the risk to organizational operations.

• 3.11.2: Scan for vulnerabilities and remediate them.

• 3.11.3: Monitor security controls on an ongoing basis.

Maya didn’t just build a risk register—she made it actionable. She tied each risk to a mitigation plan, assigned owners, and set review dates. She also introduced:

• Quarterly tabletop exercises

• Vendor risk assessments

• A living risk dashboard for leadership

When a phishing simulation revealed that 40% of staff clicked a fake link, Maya didn’t shame anyone. She launched a gamified training campaign called “Phish & Chips,” complete with prizes and leaderboard rankings.

Three months later, a real phishing attack hit. But this time, the response was swift:

• The SOC was alerted within minutes.

• The compromised account was isolated.

• No data was exfiltrated.

Leadership was stunned. Maya just smiled and said, “That’s what risk management looks like when it works.”