FRAMINGHAM, 10 MARCH 2011 - CSOs and CISOs may feel more pressure from a new breed of security professional - the chief information risk officer - now that the federal government has made risk management mandatory and spelled out in a new document just how risk ought to be assessed and dealt with.
While it doesn't call for overturning the authority of CSOs and CISOs, the directive from the National Institute of Standards and Technology (NIST) does call for input from higher up the corporate ladder when decisions are made about securing an organization's assets.
This push by the federal government may influence what happens in the private sector, where risk assessment is long overdue as a means to determine how information security dollars get spent, says John Pironti, president of IP Architects, a security consulting firm.
"We should do risk first, security second," Pironti says. "Security is there to meet the needs of risk."
Under the new NIST guidelines, that means creating a risk-executive function - which may be a person or a committee - that takes the risk to an organization's goals into account when it decides how to deploy IT security infrastructure.
"This gives a context for how IT and information systems are deployed vs. a random build-out of the infrastructure," says Ronald Ross, one of the authors of the NIST document "Managing Information Security Risk."
The risk-executive function doesn't necessarily mean ousting people currently holding positions within IT security; it could just mean sharing information with others within the organization. But traditional CSOs and CISOs may lack some of the skills to do the job alone.
"The 'S' in CSO and CISO says it already: CSOs and CISOs are mainly concerned with security or with information security," says Urs Fischer, chairman of the risk-certification program run by ISACA, the international IT and information systems organization that offers certification in risk and information system control.
"IT-related risks actually are a lot more: IT risk is business risk — specifically, the business risk associated with the use, ownership, operation, involvement, influence and adoption of IT within an enterprise. IT-related risk management covers all IT-related risks, not limited to information security," Fischer says.
The distinction can be unclear, says Pironti, because risk is a term that's often not used precisely. To traditional network security personnel, it often means a security threat - what could happen, the likelihood that it will, and the impact if it does.