Inscrivez-vous ou connectez-vous pour rejoindre votre communauté professionnelle.
IT Security is about securing the technology. Information Security is about securing all information that is important for the business/organisation.
Different companies or organisations have different perspectives and importance for security (be it Info Sec or IT Security) and the team alignment is set accordingly. The reporting of the security team has its influence on the security focus/posture itself most of the time.
The best practice is always to have an independent function (may not be as independent as an Audit team) and the team be empowered to have its own directives from risk management.
The CEO most of the time is the owner of the risk management in a company - (first delegation of financial risk management goes to the CFO)
Because maker and checker they are two different distinct roles. IT head is maker of information and Information security is checker of information generated. Hence it is not advisable to have Information security role to report into It head.