When the CISO segregated the duties with the CIO, how should the scope of "information security(IS)" be defined? The disaster recovery is addressed "Availability", issues, which is one of the CIA triad, and application-level vulnerability scan is for cybersecurity, so should them all be under IS management?

After 40 or 50 IS systems are implemented, should'nt we consider the effectiveness and measurability in addition to availability and efficiency? In addition, is the total cybersecurity budget only the budget of the IS unit?