Re: When the fox runs the hen house
I can comment only on the Department of Defense and, in fact, only on one medium-sized civilian agency within it. By around 2005 we had a CIO who was increasingly picky about security, and from well before that we had a chain of Information System Security Managers, Information System Security Officers, and Terminal Area Security Officers, the last an additional duty, responsible for various aspects of information assurance. Titles and specific duties changed some over the years, but as a group they were generally responsible for authorizing access and ensuring that system managers and administrators implemented the increasingly bulky set of directives and instructions, applied patches, and verified compliance with the periodically updated Security Technical Implementation Guidelines, another large set of documents, one for each OS and major service. Ultimately, they reported to the CIO who, in my agency, also was the CISO.
There was not a separate budget for information assurance, but that was not the problem so much as an overall shortage of funding and staffing, combined with increasing workload to take care of the steady tightening of standards.