Watch Out CISOs and CSOs: Chief Risk Officers May Be Gaining on You
CSOs and CISOs may feel more pressure from a new breed of security professional - the chief information risk officer - now that the federal government has made risk management mandatory and spelled out in a new document just how risk ought to be assessed and dealt with.
Thu, March 10, 2011
For example, if a Windows server is open to attack, a pure security professional might say it's a huge risk - to that server. A risk management professional would assess the impact. Would the server go down? Would all the data on it be stolen? "It may not be a real risk. It's a concern, and part of an assessment," Pironti says.
In large part, people who design disaster recovery and business continuity plans already understand risk, he says. Their task is to figure out what a business's most important assets are and to make them available if their primary source becomes unavailable. Those same assets are likely the ones that should be best protected, he says.
Risk assessments by vendors are often overblown because they don't take into account each business's use of their vulnerable products. For example, a bug in a security product may put data in a business division at risk, but if that division is being phased out or represents an insignificant part of revenue, the bug may not be worth fixing, Pironti says.
A common thread among risk assessment models is culling input from people with a broad range of expertise - business, legal, technical, etc. - and feeding it to a central, decision-making person or body. And it's best to cast a wide net. "It's better to treat risk identification as a brainstorm at first to build as comprehensive a list as possible — there are no wrong answers," according to a report by Forrester called "The Risk Manager's Handbook: How to Identify and Describe Risks". "You can always make a decision later to remove risks that you and your subject matter experts consider irrelevant."
As risk officers become more prevalent, people who have held top level security jobs may need to retrain if they aspire to the top risk job, Pironti says. "They're not extremely common yet. They're still being advocated for."
And the job might absorb the CISO, chief privacy officer and other jobs, a situation that might pose political roadblocks. But the position needs to be board-level in order to be effective because the person filling it needs to grasp the goals of the business in order to properly assess risk, he says.
The profile of a good risk management officer is someone who is aware of technology but not wedded to it. "It's very hard for technologists to understand risk. They think they understand the business when they really don't."
For several years he advocated that aspiring risk officers get MBAs to prepare. Now he advocates that they spend time with product-management teams to better understand business processes, what the most valuable information is and where it might be vulnerable. "The question is, 'Do you add another chief?'" he says. "How many chiefs does it take to run a business?"
Read more about wide area network in Network World's Wide Area Network section.