I listened to a nice interview on BankInfo with Steve Katz on What's it Take to be a CIRO. Unrelated, I recently had a thread with someone who's moving the information security risk management process from IT to a central Risk organization. While I'm not in a large political machine anymore, I'd still like to share my experience with folks considering this move. Plus, I've never worked in a non-IT "Risk Office," but I have worked with them, and I even completed a tour as an IT Auditor reporting up to Finance in the late nineties. This was before the SOx Monkeys invaded, so we tried to do things like:
share implementation examples, research, and advice
help determine the risk tolerance for the business and shareholders
conduct testing where IT proper didn't have the skill set yet
(Note: this is the first time I've used the term SOx Monkey. I'll define it as an auditor who provides no real value.)
I say we "tried" to do these things, but mostly just to keep our jobs interesting. At the end of the day we were outsiders and needed to be managed accordingly. This is the heart of my post: if you're outside IT, you probably won't be invited to sit with IT and business leaders as they plan, pilot, decide on, and implement IT solutions. If you're a rock star who's plugged in, you can pull it off. However, you'll always be swimming upstream.
I've said it many times, and it applies here also: the farther you get away from actually implementing IT, the less relevant you become to the business. Further, if you're acting on and relying on data and metrics from other teams, you're probably adding very little value to the business.
I don't want to discourage elevating security roles, but if you move your reporting relationship away from IT, please make friends and build rock-solid processes.