Should your organization have an independent line of InfoSec management?
Can you trust the IT boss to run your organization's Information Security (InfoSec)? Why does the Director of Marketing not manage finances, and vice versa? Both are about money, just as IT and InfoSec are both about information. But that is all that IT and InfoSec have in common. An IT professional (let's assume that the IT boss is an IT professional) should know information technologies. What should an InfoSec professional know? In my opinion there are three cornerstones: security technologies, information technologies, and security regulations, i.e. the legal side of the InfoSec business. However, the IT boss (usually titled CIO) is not required to know either security regulations or security technologies. Then why is a person who knows only one third of the InfoSec professional's requirements expected to manage security? According to our research, they should not be. We first discussed this around 2012, then developed the Pyramid Model to formally support our opinion, and finally published it on our site's Completed Research page under the name and link The Quest for Independence - Information Security Management Pyramid.
The size of your organization actually does not matter. Even if you have only a single security analyst who handles all of your organization's security processes, give him/her direct access to the upper management level, so that concerns and recommendations reach the people who hold the power and the money.