by abhiminator 915 days ago
>We're paid to find risk and reduce risk.

There's a dedicated department that already does that in most organizations -- risk management.

One could argue that 'cybersecurity' ought to be a component of 'risk management' versus being on its own which only adds to bloated organization structure and increases bureaucratic complexity.

2 comments

In some orgs, that is the case. In other orgs, risk management might be functionally absent, with legal teams being reviewers of contracts and abdicating that role to outside counsel.
Yeah, and my team and larger cyber org was under risk management, until some new exec decided to shift us under the technology org (a decision I do not agree with due to conflict of interest).
At my last shop, we were under Risk, IT, Security, and Compliance, aka RISC.