Welcome to The Cove Ahmed!
If an IT strategy is robust and carried out effectively, I see no reason to be concerned about its being integrated with the corporate company strategy. In fact, I would be more worried if IT was in a world by itself and not given the attention and support it needs from top management.
Similarly, I do not worry about IT being under the financial department as long as it is adequately resourced.
The fortiGate product is a proprietary solutions package by Fortinet. It is critical for a robust IT strategy to address external risks through firewalls, and I am not IT so I cannot remark on it specifically, but I saw good reviews about it in three different internet sources. The risks I see with proprietary products is the chance that the company will be sold, merge or cease operations, thus potentially stopping support for the product and leaving its users with the need to migrate to new systems with great disruption. Lotus Notes is an example. Fortinet's value is trending very favorably on
Forbes, which may mean it is in good shape or it is a ripe target for purchase. We cannot know which without more research.
Certainly the site's description of the fortiGate product seems comprehensive in its technical features. I would be interested to see how thoroughly the fortiGate features and services are implemented, tested and maintained. For example: has anyone tried out the backups by deleting a test file, then retrieving it via the service and its customer support? During an internal audit of IT I once tried to get Google to tell us how we would retrieve one of our Google Docs if it vanished. They sent us a flyer describing how they had backups in x number of global places for safety, but never told us how we would go about retrieving our lost data. Who does one call? Google? Maybe by now they have made this customer support need more readily available, but none of my 3rd party audit clients using Google Docs were able to tell me either. That looks like risk to me. Additionally, if the organization is using a mirrored server I would be interested to learn if they ran tests to see how well and how quickly they could recover if the main server is lost or shut down unexpectedly.
Lastly but perhaps most importantly is how the organization's employees understand and fulfill their responsibilities, for example to not be victimized by phishing. People continue to be the weak link in the IT security chain. I would ask about phishing training and drills too.
I hope this helps.
