If the CISO is responsible for the security of the organization, then that same person also should be responsible for both security and IT infrastructure.