I assume the enterprises with 20 or more security vendors have created a siloed approach to protection, i.e. many of these tools are overlapping and do not work together. Is a holistic approach the answer and who has that?
The authority of the IT Department can only be confirmed as it delivers cost-effective services, in a time-to-market perspective, to the business lines in order to deliver on the set business objectives and strategy; authoritatively imposing non-adapted technology solutions on the business will not.
The fact that we often find up to 4/5ths of the IT Spend hidden in the budgets of the Business Lines might give a hint.
See also, by Kaplan and Norton, "Managing the Management System" and "Managing Alliances with the Balanced Scorecard".
Where the balanced scorecard is an excellent opportunity to capture and “steer” the direction of a company / LoB / department / activity, the exercise tends to become an objective in itself (see http://pscommunicate.com/blog/2011/02/20/ea-does-not-matter/ ), where it should depict the roadmap on how to deliver to the business (IT) strategy (and in the same direction).
When asked to run IT as a service business, the first step we took was to rough out cost, consumption, chargeback and the services that the IT Department was to deliver to the business.
The second step was to clearly separate the IT Business Model and the Value Proposition: 1) this is how we “deliver IT services to the business through an effective IT Business Model”, and 2) this is how we “support business objectives with services in a time-to-market perspective with a clear Business (IT) Value Proposition”.