It is suggested that risk management departments in companies are the appropriate location for the information security risk manager (ISRM) position with its professional standards. An empirical survey was conducted to support a proposed theory that the three academic majors (risk management, auditing, and information systems) can pursue the ISRM career path on almost equal footing, but it found an apparent interdisciplinary gap. An interdisciplinary university-level course in information systems security management is thus proposed. Also suggested is the establishment of a data and knowledge base for information security risk management, to develop expert systems in a way that would fully incorporate current diverse efforts, modify or correct the past efforts, and point out future directions.