Cybersecurity governance refers to the component of governance that addresses an organization’s dependence on cyberspace in the presence of adversaries. The ISO/IEC 27001 standard defines cybersecurity governance as the following:

The system by which an organization directs and controls security governance, specifies the accountability framework and provides oversight to ensure that risks are adequately mitigated, while management ensures that controls are implemented to mitigate risks.


Traditionally, cybersecurity is viewed through the lens of a technical or operational issue to be handled in the technology space. Cybersecurity planning needs to fully transition from a back-office operational function to its own area aligned with law, privacy and enterprise risk. The CISO should have a seat at the table alongside the CIO, COO, CFO and CEO. This helps the C-suite understand cybersecurity as an enterprise-wide risk management issue — along with the legal implications of cyber-risks — and not solely a technology issue.

The C-suite can then set the appropriate tone for the organization, which is the cornerstone of any good governance program. Establishing the right tone at the top is much more than a compliance exercise. It ensures everyone is working according to plan, as a team, to deliver business activities and ensure the protection of assets within the context of a risk management program and security strategy.

Historically, cybersecurity was managed by implementing a solution to solve a problem or mitigate a risk. Many cybersecurity departments have technical security safeguards, such as firewalls or intrusion detection, but often lack basic cybersecurity governance policies, best practices and processes. Where they do exist, policies or processes are often outdated or ignored.

Many cybersecurity departments also have poor or inadequate cybersecurity awareness training programs that fail to address all levels of an organization. As we have learned from recent breaches, many organizations have inadequate hardening and patching programs. Poor access control practices, such as uncontrolled group passwords, shared accounts, proliferated admin privileges, shared root access and the absence of an authorization process except at a low operational level, also are problematic.


Here are six steps that can help an organization grow and sharpen its cybersecurity governance program:

  1. Establish the current state.
    • Complete a cyber-risk assessment to understand the gaps, and create a roadmap to close those gaps.
    • Complete a maturity assessment.
  2. Create, review and update all cybersecurity standards, policies and processes.
    • Many describe this as low-hanging fruit — and it is — but it is a heavy lift. Take the time needed to establish the structure and expectations of cybersecurity governance.
  3. Approach cybersecurity from an enterprise lens.
    • Understand what data needs to be protected.
    • How are the cyber-risks aligned with enterprise risk management?
    • What is the relative priority of cybersecurity investment as compared with other types of investments?
  4. Increase cybersecurity awareness and training.
    • With the rise in remote work driven by COVID-19 and the ongoing adoption of hybrid work models, we are no longer just training our internal employees. With so many people working from home and many children attending school online, it is critical that the entire family understands good cyber hygiene.
  5. Cyber-risk analytics: How are threats modeled and risks contextualized and assessed?
    • When creating the risk model, consider all the risks to your organization — external, internal and third party.
  6. Monitor, measure, analyze, report and improve.
    • This is not a one-and-done exercise. Establish regular assessment intervals, measure what matters, analyze the data and create an improvement plan.
    • Report to the board on cyber maturity and the cyber-risk posture across the organization.
Another, similar six-step cyber security governance diagram: [Figure: Build Cyber Security Governance Step Example]

1. Create Cybersecurity Transformation


As a first step, the current state of cybersecurity and the existing governance model should be assessed and established. This means that, beyond the assumptions that may have existed before, cybersecurity in its present state should be described “as is,” including all weaknesses and deficiencies. Typically, this includes any systemic weaknesses previously identified (see previous section) and the pain points that have triggered the need for transformation. The underlying objective is to go from the initial observation that “we cannot go on like this” to a more constructive view of existing information security governance, management and assurance. The current state review will also reveal any weaknesses in management attitudes. As described previously, neither the minimalist nor the “zero tolerance” attitude is likely to lead to success. Part of establishing the current state of cybersecurity is to identify the exact position of the enterprise in terms of attitudes, beliefs and security spending behavior. In summary, the governance model selected by the enterprise is likely to provide a lot of insight into what may have led to the apparently unsatisfactory current state. Taking stock in this manner may be a painful exercise. However, it is indispensable as a starting point in transforming cybersecurity. Only where weaknesses have been recognized beyond doubt, and clearly articulated, will the enterprise be able to transition to an improved way of governing cybersecurity.

Once the existing state of cybersecurity is known and fully acknowledged, the future or target state may be defined based on weaknesses and deficiencies, risk and vulnerabilities, and the extent to which the enterprise will be able to change and adapt to the trends in attacks, breaches and incidents. Where the target state is not clearly understood, it is unlikely that a transformation approach will be successful. 
Typical pitfalls include: 
 • Lack of realism—The target state is formulated as a wish list for perfection, rather than the next obvious (and stable) state of overall cybersecurity. 
 • Escalating commitment—The target state is defined as “just a little more of what we are doing now,” without incorporating the changed threat and vulnerability landscape, not to mention actual attacks and breaches. 
 • Blurred vision—The target state is defined based on wrong assumptions—e.g., where organizational management does not incorporate future trends in cybercrime and cyberwarfare. 
 • Governance model bias—The current governance model (e.g., “zero tolerance” or “we are insured”) is maintained, ignoring strong signals that it may be dysfunctional. 
In transformation thinking, the target from a governance perspective is to identify the next stable—and, therefore, achievable—level at which cybersecurity will be able to meet the needs of stakeholders, and at which there will be a reasonable level of protection against attacks and breaches. Transforming cybersecurity is a repetitive and iterative exercise that resembles a life cycle rather than a one-off project.

The distance between the current and future states of overall cybersecurity is subject to governance as well as management. Once the target state has been identified and defined, there are two dimensions of change that need to be planned, managed and monitored. The strategic dimension covers setting strategy, planning and implementing high-level steps, and initiating a program and related portfolio of cybersecurity projects. The systemic dimension addresses dependencies between parts of the cybersecurity system that will have an impact on how change will be achieved and what the immediate and secondary effects will be.

Transforming cybersecurity in a systemic way also means that any changes will need to be examined with regard to unwelcome side effects. As an example, the deployment of an awareness program for employees may be beneficial in terms of improving vigilance and attention to detail. However, an unwelcome secondary result might be that a large number of “false positives” increases the cost of incident management and distracts attention from real (but unobtrusive) APT attacks. More complex dependencies may exist in cybersecurity systems that will only come to light if the transformation is seen as a systemic and holistic exercise.


Information security governance in general sets the framework and boundaries for security management and related solutions. This necessarily includes formal policies, procedures and other elements of guidance that the agencies are required to follow. However, where governance in its best sense means “doing the right things,” it needs to take into account that a large part of cybersecurity is concerned with handling unexpected events and incidents.

Cybersecurity governance is both preventive and corrective. It covers the preparations and precautions taken against cybercrime, cyberwarfare and other relevant forms of attack. At the same time, cybersecurity governance determines the processes and procedures needed to deal with actual incidents caused by an attack or security breach. In this context, governance principles and provisions must be reasonably flexible to allow for the fact that attacks are often unconventional, generally against the rules, and most often designed to circumvent exactly those procedures and common understandings within the organization that keep the business running. Cybersecurity governance can be established with the following six-step approach:


  • Determine the internal and external (usually restricted) stakeholders and their interest in organizational cybersecurity.
  • Incorporate confidentiality needs and mandated secrecy in the identification process.

  • Understand how cybersecurity should support overall enterprise objectives and protect stakeholder interests.
  • Identify reporting requirements for communicating and reporting about cybersecurity (contents, detail).
  • Clearly define and articulate instances of reliance on the work of others (for external auditors).
  • Define and formally note confidentiality and secrecy requirements for external

  • Review legal and regulatory provisions in cybercrime and cyberwarfare.
  • Identify the senior management tolerance level in relation to attacks and breaches.
  • Validate business needs (express and implied) with regard to attacks and breaches.

  • Identify and articulate any game changers or paradigm shifts in cybersecurity.
  • Document systemic weaknesses in cybersecurity as regards the business and its

  • Identify and validate strategy for cybersecurity (“zero tolerance” vs. “living with it”).
  • Identify adaptability, responsiveness and resilience of strategy in terms of cybersecurity attacks and breaches.
  • Identify any rigid/brittle governance elements that may inadvertently be conducive to cybercrime and cyberwarfare (e.g., instances of over control).

  • Define the expectations, in alignment with strategy (“zero tolerance” vs. “living with it”), with regard to cybersecurity, including ethics and culture.
  • Highlight any ethical/cultural discontinuities that exist or emerge.
  • Define the target culture for cybersecurity, and develop a cybersecurity awareness program.

  • Obtain management commitment for the selected strategy.

  • Define the cybersecurity organizational structure – an appropriate platform/committee, in alignment with information security and information risk functions.
  • Highlight any barriers or other organizational segregation of
  • Mandate an appropriate cybersecurity function, including incident and attack

Roles and Responsibilities

  • Determine an optimal decision-making model for cybersecurity – this may be distinct and different from “ordinary” information security.
  • Define a high-level RACI (responsible, accountable, consulted, informed) model for the cybersecurity function, including any external resources.
  • Consider any extended decision rights that may be applicable in crisis/incident handling situations.
  • Determine cybersecurity obligations, responsibilities and tasks of other organizational roles (including groups and individuals).

  • Ensure cybersecurity participation at the steering committee level.
  • Embed cybersecurity transformation activities in the steering committee agenda.

  • Establish escalation points for attacks, breaches and incidents (information security, crisis management, etc.).
  • Define escalation paths for cybersecurity activities and transformational steps (e.g., new vulnerabilities and threats).
  • Establish fast-track/crisis mode decision procedures with escalation to senior
  • Identify the means and channels to communicate cybersecurity issues and information.
  • Prioritize cybersecurity reporting to stakeholders by applying the principles of least privilege and need-to-know.
  • Develop appropriate guidance for associates.

  • Integrate, to the appropriate extent, the cybersecurity direction into the overall information security direction, and highlight areas of cybersecurity that are deliberately kept separate and distinct.
  • Establish interfaces between the cybersecurity function and other information security roles.
  • Embed cybersecurity reporting into the generic reporting methods for information security.

  • Determine risk appetite/tolerance levels in terms of cybercrime and cyberwarfare attacks and breaches at the board/management level.
  • Align risk tolerance levels against the overall strategy (“zero tolerance” vs. “living with it”).
  • Compare cybersecurity and generic information security risk tolerance levels and highlight inconsistencies.
  • Integrate cybersecurity risk assessment and management within overall information security management.

  • Evaluate the effectiveness of cybersecurity resources in comparison with information security and information risk needs.
  • Validate cybersecurity resources in terms of specific goals and objectives.
  • Ensure that cybersecurity resource management is aligned to overarching information security needs.
  • Include external resource management.

  • Track cybersecurity outcomes and effects, particularly with a view to changes in attacks/breaches/incidents.
  • Compare outcomes against transformation steps and milestones – current state and future (target state) expectations.
  • Integrate cybersecurity measurements and metrics into routine compliance check mechanisms.
  • Evaluate threats and vulnerabilities relevant to cybersecurity, and incorporate the changing threat landscape into cybersecurity strategy.
  • Monitor the risk profile for attacks/breaches and the corresponding risk appetite to achieve an optimal balance between cybersecurity risk and business opportunities.
  • Measure the effectiveness of cybersecurity resources (internal and external) against defined information security needs, goals and objectives.


Cybersecurity: Governance vs Management

Cyber security governance should not be confused with cyber security management. Cyber security management is concerned with making decisions to mitigate risks; governance determines who is authorized to make decisions. Governance specifies the accountability framework and provides oversight to ensure that risks are adequately mitigated, while management ensures that controls are implemented to mitigate risks. Management recommends security strategies. Governance ensures that security strategies are aligned with business objectives and consistent with regulations.

NIST describes IT governance as the process of establishing and maintaining a framework to provide assurance that information security strategies are aligned with and support business objectives, are consistent with applicable laws and regulations through adherence to policies and internal controls, and provide assignment of responsibility, all in an effort to manage risk.

Governance: doing the right thing.
Management: doing things right.

  Governance                    Management
  Authorizes decision rights    Authorized to make decisions
  Enact policy                  Enforce policy
  Strategic planning            Project planning
  Resource allocation           Resource utilization

Cyber Security: Governance vs Operation

Governance is an important topic in cybersecurity, as it describes the policies and processes which determine how organizations detect, prevent, and respond to cyber incidents. In many organizations, there is a division between governance and operation (management). Those who work in governance tend to emphasize strategic planning, whereas operation (management) deals with the day-to-day operationalized approach to security. Sometimes this results in different leadership perspectives.

Making the organizational move from a divided hierarchy to one in which strategy informs operation (and operation informs strategy) is a difficult challenge. Communication is key to effectively managing expectations, messaging, and security posture throughout the process.

Detect, prioritize, and control

Operational controls – the real-life response to a cybersecurity incident – should be the focus of any security program. Managing these controls and reporting to a governance structure may not require detailed operational knowledge, but may instead rely on an agreed-upon level of confidence in risk management that is shared by both governance and operational leadership.

In addition to working alongside governance experts, operational controls managers should measure their security posture against a framework or baseline such as the CIS Controls™ or NIST Cyber Security Framework. Conducting such an assessment is important, as understanding your organization’s compliance levels is key to finding weaknesses in the organizational controls as well as the prioritization of investment for strengthening controls.

A previous blog post discussed calculating your risk-reduction ROI; after identifying weaker controls, we can start to use this single calculation to define what provides the greatest level of return on investment as well as the greatest reduction in risk. In future blog posts, risk will be discussed with respect to quantitative analysis, using a Monte Carlo simulation to demonstrate how a single risk and control mitigation can provide an overall reduction in risk to the whole organization.

With clearer reporting and analysis of risk reduction, we can bridge the gap between governance and operational security, leading to better strategic decision making and a more unified approach to the cyber threat landscape.


Plan – Do – Check – Act model

The ICGM utilizes a Plan, Do, Check & Act (PDCA) approach that is a logical way to design a governance structure:

  • Plan. The overall GRC/IRM process begins with planning. This planning will define the policies, standards and controls for the organization. It will also directly influence the tools and services that an organization purchases, since technology purchases should address needs that are defined by policies and standards.
  • Do. Arguably, this is the most important section for cybersecurity and privacy practitioners. Controls are the “security glue” that make processes, applications, systems and services secure. Procedures (also referred to as control activities) are the processes by which the controls are actually implemented and performed. The Secure Controls Framework (SCF) can be an excellent starting point for a control set if your organization lacks a comprehensive set of cybersecurity and privacy controls.
  • Check. In simple terms, this is situational awareness. Situational awareness is only achieved through metrics reporting and by reviewing the results of audits/assessments.
  • Act. This is essentially risk management, which is an encompassing area that deals with addressing two main concepts: (1) real deficiencies that currently exist and (2) possible threats to the organization.

[Figure: cybersecurity policies, standards, procedures and metrics mapped to the PDCA cycle]

  • Plan – Policies & Standards
  • Do – Controls & Procedures
  • Check – Reporting & Assessments
  • Act – Risk Management

By netsec
