Sunday, August 26, 2007

Where does Information Security belong?

Your answer was selected as a Good Answer
Your Public Answer:
“Hi ...., In the corporate world there is a discussion about the Information Technology department. I think IT departments will soon become Business Technology Support departments... Information Security has multiple branches. It makes sense to segregate the operations and the security management parts. Information Security Operations definitely belongs to Information Technology. Corporate information security goals must be carried out via information security operations groups. I work with several Fortune 100 companies and this infosec operations organization type looks like the trend. On the other side, I do think that information security policy/assurance should not be an independent discipline, nor must it be related to information technology: The right place for information security is where it belongs; enterprise risk management. So that all security risks, including information security, can be analyzed and managed in a holistic way. Today's complex IT infrastructure makes it impossible to segregate information security from the rest of the operation risks. For me it makes sense to have an independent "Risk Management" discipline to oversee all threats. That being said, information-security-based risks will form one of the core disciplines in risk management. Regards, - yinal”
