Who owns organizational risk?

Risk ownership is a very important topic and is given careful attention today in light of large-scale breaches in government and private sector information systems. In the past, many organizations viewed information security risk as being something that was the responsibility of the IT pision of an organization. While this is not, and has never been, an acceptable practice it is how many organizations effectively viewed the ownership of risk within their organization.

The issue that many organizations encounter is the concept of risk ownership versus risk management.