The distinction can be unclear, says Pironti, because risk is a term that's often not used precisely. To traditional network security personnel, it often means a security threat - what could happen, the likelihood that it will, and the impact if it does.
Risk in the broader sense is the ability of a business to absorb and react to a threat. "Do I need to respond or not?" he says.
For example, if a Windows server is open to attack, a pure security professional might say it's a huge risk - to that server. A risk management professional would assess the impact. Would the server go down? Would all the data on it be stolen? "It may not be a real risk. It's a concern, and part of an assessment," Pironti says.
In large part, people who design disaster recovery and business continuity plans already understand risk, he says. Their task is to figure out what a business's most important assets are and to make them available if their primary source becomes unavailable. Those same assets are likely the ones that should be best protected, he says.
Risk assessments by vendors are often overblown because they don't take into account each business's use of their vulnerable products. For example, a bug in a security product may put data in a business division at risk, but if that division is being phased out or represents an insignificant part of revenue, the bug may not be worth fixing, Pironti says.
A common thread among risk assessment models is culling input from people with a broad range of expertise - business, legal, technical, etc. - and feeding it to a central, decision-making person or body. And it's best to cast a wide net. "It's better to treat risk identification as a brainstorm at first to build as comprehensive a list as possible — there are no wrong answers," according to a report by Forrester called "The Risk Manager's Handbook: How to Identify and Describe Risks". "You can always make a decision later to remove risks that you and your subject matter experts consider irrelevant."
As risk officers become more prevalent, people who have held top-level security jobs may need to retrain if they aspire to the top risk job, Pironti says. "They're not extremely common yet. They're still being advocated for."
And the job might absorb the CISO, chief privacy officer and other jobs, a situation that might pose political roadblocks. But the position needs to be board-level in order to be effective because the person filling it needs to grasp the goals of the business in order to properly assess risk, he says.