Are chief risk officers encroaching on your job?


With new risk management guidelines for federal agencies in place, chief information security officers may be challenged by risk experts in their organizations. The developments in the government could have an impact on how the private sector deals with security and risk, reports Tim Greene at NetworkWorld.

The National Institute of Standards and Technology issued a directive, "Managing Information Security Risk," which requires organizations to appoint an individual or committee to consider risks when determining how IT security infrastructure will be implemented. "This gives a context for how IT and information systems are deployed vs. a random build-out of the infrastructure," Ronald Ross, an author of the NIST document, said.

The skills of the traditional CISO role may not cover everything needed to meet these requirements, because risk involves much more than network security threats, Greene reports. Risk experts may assess threats differently from the way information experts assess them, and that may shift the way IT security is deployed.

"IT risk is business risk--specifically, the business risk associated with the use, ownership, operation, involvement, influence and adoption of IT within an enterprise. IT-related risk management covers all IT-related risks, not limited to information security," said Urs Fischer, chairman of ISACA's risk-certification program.

In some organizations, the responsibilities of the chief information security officer, chief privacy officer and others could be absorbed into the new chief risk officer position. 

For another timely look at how evolving risk challenges are influencing the jobs of CIOs and CSOs, take a look at an article by Irfan Saif at CIOInsight.

For more:
- see Tim Greene's article at NetworkWorld
- see Irfan Saif's article at CIOInsight
