Many organizations have implicitly adopted the mistaken notion that the chief information security officer (CISO) is the de facto risk owner for all identified cyber risk matters.
In a properly run risk management program, risk owners are business unit leaders and department heads who own the business activity where a risk has been identified. For instance, if a risk is identified regarding the long-term storage of full credit card numbers in an e-commerce environment, the risk owner would be the executive who runs the e-commerce function. That executive would decide to mitigate, avoid, transfer, or accept that risk.
The role of the CISO is to operate the risk management program and facilitate discussions and risk treatment decisions, but not make those risk treatment decisions. A CISO can be considered a risk facilitator, but not a risk owner.
Even when embraced and practiced, this concept does not always stop an organization from sacking the CISO should a breach occur. A dismissal might even be appropriate, for example, if the risk management program that the CISO operated was not performing as expected.
— excerpt from CRISC Certified in Risk and Information Systems ControlTM All-In-One Exam Guide, 2nd edition.
Peter H. Gregory 