A pet peeve of mine is when Information Security is used interchangeably with IT (Information Technology) Security. Over my many years working in this profession, I’ve heard people who are clearly working in the Information Security realm state that they work in IT Security (though their job/role dictates otherwise).
People working for a CISO (Chief Information Security Officer and not a Chief Information Technology Security Officer) cannot always tell the difference.
It is accurate to say that IT security is a component of Information Security. Sometimes a CISO is tasked with giving clarity to an IT Organization regarding their role to reduce “not my job” syndrome. Hopefully this graphic helps.
Some of the technical areas are usually absorbed into IT Operations, for example Hardware Hardening. Governance will establish that hardware must be hardened; IT Operations will follow suit and harden as they build.
Incident response should come from everybody being vigilant and reporting what they see. The police don’t respond only to what they see themselves; they also respond to what the public reports.