What about the idea of a CISO acting as an internal insurer for the IT service?
> Company board: regulates practices, if ever needed.
+----> CEO: checks correct operation.
+----------> CIO: acts as the customer of the insurance.
+----------> CISO: acts as the insurer.
The CISO would propose an offer made of:
- Expensive insurance for inappropriately acquired or ill-maintained IT assets.
- Cheaper insurance for IT assets that are acquired and maintained according to a set of constraints.