Watch out CISOs and CSOs: Chief Risk Officers may be gaining on you

As risk management becomes more prevalent, it's having an effect on traditional security jobs

By , Network World
March 10, 2011 09:39 AM ET

Network World - CSOs and CISOs may feel more pressure from a new breed of security professional - the chief information risk officer - now that the federal government has made risk management mandatory and spelled out in a new document just how risk ought to be assessed and dealt with.

While it doesn't call for overturning the authority of CSOs and CISOs, the directive from the National Institute of Standards and Technology (NIST) does call for input from higher up the corporate ladder when decisions are made about securing an organization's assets.

This push by the federal government may influence what happens in the private sector, where risk assessment is long overdue as a means to determine how information security dollars get spent, says John Pironti, president of IP Architects, a security consulting firm.

"We should do risk first, security second," Pironti says. "Security is there to meet the needs of risk."

Under the new NIST guidelines, that means creating a risk-executive function - which may be a person or a committee - that takes the risk to an organization's goals into account when it decides how to deploy IT security infrastructure.

"This gives a context for how IT and information systems are deployed vs. a random build-out of the infrastructure," says Ronald Ross, one of the authors of the NIST document "Managing Information Security Risk."

The risk-executive function doesn't necessarily mean ousting people currently holding positions within IT security; it could just mean sharing information with others within the organization. But traditional CSOs and CISOs may lack some of the skills to do the job alone.

"The 'S' in CSO and CISO says it already: CSOs and CISOs are mainly concerned with security or with information security," says Urs Fischer, chairman of the risk-certification program run by ISACA, the international IT and information systems organization that offers certification in risk and information system control.

"IT-related risks actually are a lot more: IT risk is business risk — specifically, the business risk associated with the use, ownership, operation, involvement, influence and adoption of IT within an enterprise. IT-related risk management covers all IT-related risks, not limited to information security," Fischer says.

The distinction can be unclear, says Pironti, because risk is a term that's often not used precisely. To traditional network security personnel, it often means a security threat - what could happen, the likelihood that it will, and the impact if it does.

Risk in the broader sense is the ability of a business to absorb and react to a threat. "Do I need to respond or not?" he says.

For example, if a Windows server is open to attack, a pure security professional might say it's a huge risk - to that server. A risk management professional would assess the impact. Would the server go down? Would all the data on it be stolen? "It may not be a real risk. It's a concern, and part of an assessment," Pironti says.
