Good governance stems from a deep understanding of how stakeholder groups interact with each other and their respective accountabilities and responsibilities. Without these things, organizational functions tend to interfere with each other, blurring the lines between governance and management and promoting ad hoc decision making that undermines governance.
Besides the small introduction, subscribers and consulting clients within this management domain have access to:
This storyboard will take you through the steps to develop a security governance and management model and implement essential governance processes.
This tool will help you determine governance and management accountabilities and responsibilities and use them to build a visual governance and management model.
This template will help you to implement or revise your organizational structure.
These templates will help you determine the role a steering committee will play in your governance and management model.
Once this governing document is customized, ensure the appropriate security policies are developed as well.
These templates will serve as the foundation of your security policy exception approval processes.
Many security leaders complain about a lack of governance and management in their organizations. They have policies and processes but find neither have had the expected impact and that the organization is teetering on the edge of lawlessness, with stakeholder groups operating in ways that interfere with each other (usually due to poorly defined accountabilities).
Among the most common examples is security's relationship to the business. When these groups don't align, they tend to see each other as adversaries and make decisions in line with their respective positions: security endorses one standard, the business adopts another.
The consequences of this are vast. Such an organization is effectively opposed to itself. No wonder policy and process have not resolved the issue.
At a practical level, good governance stems from understanding how different stakeholder groups interact, providing inputs and outputs to each other and modeling who is accountable for what. But this implied accountability model needs to be formalized (perhaps even modified) before governance can help all stakeholder groups operate as strategic partners with clearly defined roles, responsibilities, and decision-making power. Only when policies and processes reflect this will they serve as effective tools to support governance.
Logan Rohde
Senior Research Analyst, Security & Privacy
Info-Tech Research Group
Your Challenge | Common Obstacles | Info-Tech's Approach
---|---|---
Ineffective governance and management processes, if they are adopted at all, can lead to: | Most governance and management initiatives stumble because they do not address governance as a set of interactions and influences that stakeholders have with and over each other, seeing it instead as policy, process, and risk management. Challenges include: | You will be able to establish a robust governance model to support the current and future state of your organization by accounting for these three essential parts:
This blueprint will solve the above challenges by helping you model your organization's governance structure and implement processes to support the essential governance areas: policy, risk, and performance metrics.
70%: Percentage of organizations that have yet to fully advance to a maturity-based approach to security (Source: McKinsey, 2021)
63%: Security leaders not reporting to the board about risk or incident detection and prevention (Source: LogRhythm, 2021)
46%: Those who report that senior leadership is confident cybersecurity leaders understand business goals (Source: LogRhythm, 2021)
Governance is often mistaken for an organization's formalized policies and processes. While both are important governance supports, they do not provide governance in and of themselves.
For governance to work well, an organization needs to understand how stakeholder groups interact with each other. What inputs and outputs do they provide? Who is accountable? Who is responsible? These are the questions one needs to ask before designing a governance structure. Failing to account for any of these three elements tends to result in overlap, inefficiency, and a lack of accountability, creating flawed governance.
"Information security governance is the guiding hand that organizes and directs risk mitigation efforts into a business-aligned strategy for the entire organization."
Steve Durbin, Chief Executive, Information Security Forum (Forbes, 2023)
Info-Tech's Governance and Management research uses the logic of COBIT's governance and management framework but distills this guidance into a practical, easy-to-implement series of steps, moving beyond the rudimentary logic of COBIT to provide an actionable and personalized governance model.
The distinction that COBIT draws between governance and management is roughly equivalent to that of accountability and responsibility, as seen in the RACI* model.
There can be several stakeholders responsible for something, but only one party can be accountable.
Use this guidance to help determine the accountabilities and responsibilities of your governance and management model.
*Responsible, Accountable, Consulted, Informed
A security governance framework is a system that will design structures, processes, accountability definitions, and membership assignments that lead the security department toward optimal results for the business.
Governance is performed in three ways:
1 Evaluate | 2 Direct | 3 Monitor |
---|---|---|
For governance to be effective it must account for stakeholder interests and business needs. Determining what these are is the vital first step. | Governance is used to determine how things should be done within an organization. It sets standards and provides oversight so decisions can be made during day-to-day management. | Governance needs change and inefficiencies need to be revised. Therefore, monitoring key performance indicators is an essential step to course correct as organizational needs evolve. |
"Governance specifies the accountability framework and provides oversight to ensure that risks are adequately mitigated, while management ensures that controls are implemented to mitigate risks. Management recommends security strategies. Governance ensures that security strategies are aligned with business objectives and consistent with regulations."
- EDUCAUSE
SMART criteria: Specific, Measurable, Achievable, Relevant, Time-Bound.
Examples:
- Security's risk analyses will be included as part of the business decision-making process within three months after completing the governance initiative.
- Increase rate of security risk analysis using risk appetite within three months of project completion.
- Have stakeholder engagement supply input into security risk-management decisions within three months of completing phase one of blueprint.
- Reduce time to approve policy exceptions by 25%.
- Reduce security risk related to policy non-compliance by 50% within one year.
- Develop five KPIs to measure progress of governance and management within three months of completing blueprint.
| 1. Design Your Governance Model | 2. Implement Essential Governance Processes
---|---|---
Phase Steps | |
Phase Outcomes | |
The key is in stakeholder interactions, not policy and process
Good governance stems from a deep understanding of how stakeholder groups interact with each other and their respective accountabilities and responsibilities. Without these things, organizational functions tend to interfere with each other, blurring the lines between governance and management and promoting ad hoc decision making that undermines governance.
Policy, process, and org. charts support governance but do not produce it on their own
To be effective, these things need to be developed with the accountabilities and influence of the organizational functions that produce them.
A lack of business alignment does not mean you're doomed to fail
While the highest levels of governance maturity depend on strong security-business alignment, there are still tactics one can use to improve governance.
All organizations have governance
Sometimes it is poorly defined, ineffective, and occurs in the same place as management, but it exists at some level, acting as the decision-making apparatus for an organization (i.e. what can and cannot occur).
Risk tolerances are variable across lines of business
This can lead to misalignments between security and the business, as each may have their own tolerance for particular risks. The remedy is to understand the risk appetite of the business and allow this to inform security risk management decisions.
Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:
Security Governance Model Tool
Security Governance Organizational Structure Template
Information Security Steering Committee Charter & RACI
Policy Exceptions-Handling Workflow
Policy Exception Tracker and Request Form
Key deliverable:
By the end of this blueprint, you will have created a personalized governance model to map your stakeholders' accountabilities, responsibilities, and key interactions.
IT Benefits | Business Benefits |
---|---|
DIY Toolkit | Guided Implementation | Workshop | Consulting |
---|---|---|---|
"Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful." | "Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track." | "We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place." | "Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project." |
Diagnostics and consistent frameworks are used throughout all four options.
Phase 1 | | | Phase 2 |
---|---|---|---|---
Call #1: Scope requirements, objectives, and your specific challenges. | Call #2: Determine governance requirements. Call #3: Review governance model. | Call #4: Determine KPIs. Call #5: Stand up steering committee. | Call #6: Set risk appetite. Call #7: Establish policy lifecycle. | Call #8: Revise exception-handling process.
A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.
A typical GI is 4 to 8 calls over the course of 2 to 3 months.
| Day 1 | Day 2 | Day 3 | Day 4 | Day 5
---|---|---|---|---|---
Activities | Evaluate | Direct | Monitor | Implement Essential Governance Processes | Next Steps and Wrap-Up (offsite)
| 1.1 Prioritize governance accountabilities; 1.2 Prioritize management responsibilities; 1.3 Evaluate organizational structure | 2.1 Align with business; 2.2 Build security governance and management model; 2.3 Visualize security governance and management model | 3.1 Develop governance and management KPIs | 4.1 Draft steering committee charter; 4.2 Complete steering committee RACI; 4.3 Draft qualitative risk statements; 4.4 Define policy management lifecycle; 4.5 Establish policy exception approval process | 5.1 Complete in-progress deliverables from previous four days; 5.2 Set up review time for workshop deliverables and to discuss next steps
Deliverables | | | | |
Contact your account representative for more information.
workshops@infotech.com 1-888-670-8889
Workshop Day 1 and Day 2
Security Governance and Management
Workshop Day 3 and Day 4
Security Strategy Gap Analysis or Security Program Design Factors
Phase 1
1.1 Evaluate
1.2 Direct
1.3 Monitor
Phase 2
2.1 Implement Oversight
2.2 Set Risk Appetite
2.3 Implement Policy lifecycle
Establish Security Governance & Management
This phase will walk you through the following activities:
This phase involves the following participants:
Activities
1.1.1 Prioritize governance accountabilities
1.1.2 Prioritize management responsibilities
1.1.3 Evaluate current organizational structure
This step involves the following participants:
Outcomes of this step
Design Your Governance Model
Element | Questions
---|---
Compliance | What voluntary or mandatory standards must be represented in my governance model? |
Legal | What laws are the organization accountable to? Who is the accountable party? |
Business needs | What does the business need to operate? What sort of informational or operational flows need to be accounted for? |
Culture | How does the business operate? Are departments siloed or cooperative? Where does security fit in? |
Decision-making process | How are decisions made? Who is involved? What information needs to be available to do so? |
Willingness to be governed | Is the organization adverse to formal governance mechanisms? Are there any opportunities to improve alignment with the business? |
Relevant trends | Are there recent developments (e.g. new privacy laws) that are likely to affect the organization in the future? Will this complicate or simplify governance modeling efforts? |
Stakeholder interests | Who are the internal and external stakeholders that need to be represented in the governance model? |
The above is a summary of COBIT 2019 EDM01.01 Evaluate the governance system, along with Info-Tech-recommended questions to contextualize each element for your organization.
1-2 hours
Using the example on the next slide, complete the following steps.
Download the Security Governance Model Tool
Input | Output
---|---

Materials | Participants
---|---
1 hour
Using the examples on the previous slide, complete the following steps.
Download Security Governance Model Tool
Input | Output
---|---

Materials | Participants
---|---
1-3 hours
Download the Security Governance Organizational Structure Template
Input | Output
---|---

Materials | Participants
---|---
Download the Security Governance Organizational Structure Template
Activities
1.2.1 Align with the business
1.2.2 Build security governance and management model
1.2.3 Finalize governance and management model
This step involves the following participants:
CISO
CIO
Business representative
Outcomes of this step
Design Your Governance Model
Element | Questions
---|---
Business alignment | Do we have a full understanding of the business's approach to risk and security's role to support business objectives? |
Organizational security process | How well do our current processes work? Are we missing any key processes? |
Steering committee | Will we use a dedicated steering committee to oversee security governance, or will another stakeholder assume this role? |
Security awareness | Does the organization have a strong security culture? Does an effort need to be made to educate stakeholder groups on the role of security in the organization? |
Roles and responsibilities | Does the organization use RACI charts or another system to define roles and document duties? |
Communication flows | Do we have a good understanding of how information flows between stakeholder groups? Are there any gaps that need to be addressed (e.g. regular board reporting)? |
The above is a summary of COBIT 2019 EDM01.02 Direct the governance system, along with Info-Tech-recommended questions to contextualize each element for your organization.
1-3 hours
Info-Tech Insight
A lack of business participation does not mean your governance initiative is doomed. From this lack, we can still infer their attitudes toward security governance, and we can account for this in our governance model. This may limit the maturity your program can reach, but it doesn't prevent improvements from being made to your current security governance.
Input | Output
---|---

Materials | Participants
---|---
1-2 hours
Using the example on the next slide, complete the following steps:
Note: You may wish to review Info-Tech's governance model templates before completing this activity to get an idea of what you'll be working toward in this step. See slides 37-38.
Download Security Governance Model Tool
Input | Output
---|---

Materials | Participants
---|---
1-2 hours
Note: You do not have to use these templates. If you prefer, you can use them as inspiration and design your own model.
Download Security Governance Model Templates
Input | Output
---|---

Materials | Participants
---|---
Activities
1.3.1 Develop governance and management KPIs
This step involves the following participants:
Outcomes of this step
Key performance indicators
Design Your Governance Model
Element | Questions
---|---
Metrics | Does the organization have a well-developed metrics program or will this need to be taken up as a separate effort? Have we considered what outcomes we are hoping to see as a result of implementing a new governance and management model? |
Existing and emerging threats | What has changed or is likely to change in the future that may destabilize our governance program? What do we need to do to mitigate any security risks to our organizational governance and management? |
The above is a summary of COBIT 2019 EDM01.03 Monitor the governance system, along with Info-Tech-recommended questions to contextualize each element for your organization.
1-2 hours
This activity is meant to provide a starting point for key governance metrics. To develop a comprehensive metrics program, see Info-Tech's Build a Security Metrics Program to Drive Maturity blueprint.
Note: Try to phrase each KPI as a percentage, which adds context to the metric and makes it easier to explain when reporting metrics in the future.
Input | Output
---|---

Materials | Participants
---|---
Desired Outcome | Success Criteria | Possible KPI
---|---|---
Security team is consulted before critical business decisions are made | The business evaluates Security's recommendations before starting new projects | % of critical business decisions with Security consultation |
Greater alignment over risk appetite | The business does not take on initiatives with excessive security risks | % of incidents stemming from not following Security's risk management recommendations |
Reduced number of policy exceptions | Policy exceptions are only granted when a clear need is present and a formal process is followed | % of incidents stemming from policy exceptions |
Improved policy adherence | Policies are understood and followed throughout the organization | % of incidents stemming from policy violations |
Baseline metrics will be improved through:
Metric | Current | Goal
---|---|---
% of critical business decisions with Security consultation | 20% | 100% |
% of incidents stemming from not following Security's risk management recommendations | 65% | 0% |
% of incidents stemming from policy exceptions | 35% | 5% |
% of incidents stemming from policy violations | 40% | 5% |
% of ad hoc decisions made (i.e. not accounted for by governance model) | 85% | 5% |
% of accepted security risks evaluated against risk appetite | 50% | 100% |
% of deferred steering committee decisions (i.e. decisions not made ASAP after issue arises) | 50% | 5% |
% of policies approved within target window (e.g. 1 month) | 20% | 100% |
This phase will walk you through the following activities:
This phase involves the following participants:
Establish Security Governance & Management
Activities
2.1.1 Draft steering committee charter
2.1.2 Complete steering committee RACI
This step involves the following participants:
Outcomes of this step
Steering Committee Charter and RACI
Implement Essential Governance Processes
1-3 hours
This activity is meant to provide a starting point for your steering committee. If a more comprehensive approach is desired, see Info-Tech's Improve Security Governance With a Security Steering Committee blueprint.
Download Information Security Steering Committee Charter
Input | Output
---|---

Materials | Participants
---|---
Example steering committee
CISO
CRO
Internal Audit
CIO
Business Leaders
HR
Legal
Strategic Oversight | Policy Governance | Risk Governance | Monitoring and Reporting
---|---|---|---
1-3 hours
Note: All tasks must have accountability and responsibility assigned (sometimes a single stakeholder is accountable and responsible). However, not all tasks will have someone consulted or informed.
Download Information Security Steering Committee RACI Chart
Input | Output
---|---

Materials | Participants
---|---
Activities
2.2.1 Draft qualitative risk statements
This step involves the following participants:
Outcomes of this step
Qualitative risk appetite
Implement Essential Governance Processes
Setting risk appetite is a key governance function, as it structures how your organization will deal with the risks it will inevitably face: when they can be accepted, when they need to be mitigated, and when they must be rejected entirely.
It is important to note that risk appetite and risk tolerance are not the same. Risk appetite refers to the amount of risk the organization is willing to accept as part of doing business, whereas risk tolerance has more to do with individual risks affecting one or more lines of business that exceed that appetite. Such risks are often tolerated as individual cases that can be mitigated to an acceptable level of risk even though it exceeds the risk-appetite threshold.
1-3 hours
This activity is meant to provide a starting point for risk governance. To develop a comprehensive risk-management program, see Info-Tech's Combine Security Risk Management Components Into One Program blueprint.
Input | Output
---|---

Materials | Participants
---|---
Activities
2.3.1 Model your policy lifecycle
2.3.2 Establish exception-approval process
This step involves the following participants:
Outcomes of this step
Policy lifecycle
Exceptions-handling process
Implement Essential Governance Processes
1-3 hours
This activity is meant to provide a starting point for policy governance. To develop a comprehensive policy-management program, see Info-Tech's Develop and Deploy Security Policies blueprint.
Download the Security Policy Lifecycle Template
Input | Output
---|---

Materials | Participants
---|---
The security policy lifecycle is an integral component of the security policy program and adds value by:
Diagram inspired by: ComplianceBridge, 2021
1-3 hours
Download the Security Policy Exception Approval Workflow
Download the Security Policy Exception Tracker
Input | Output
---|---

Materials | Participants
---|---
Before granting an exception:
Sources: University of Virginia; CIS
You have now established a formal governance model for your organization - congratulations! Building this model and determining stakeholders' accountabilities and responsibilities is a big step.
Remember to continue to use the evaluate-direct-monitor framework to make sure your governance model evolves as organizational governance matures and priorities shift.
If you would like additional support, have our analysts guide you through an Info-Tech workshop or Guided Implementation.
To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
Info-Tech analysts will join you and your team at your location or welcome you to Info-Tech's historic Toronto office to participate in an innovative onsite workshop.
The following are sample activities that will be conducted by Info-Tech analysts with your team:
Build Governance Model
Build a customized security governance model for your organization.
Develop policy lifecycle
Develop a policy lifecycle and exceptions-handling process.
Build an Information Security Strategy
Design a Business-Focused Security Program
Combine Security Risk Management Components Into One Program
Michelle Tran
Consulting Industry
One anonymous contributor
Durbin, Steve. "Achieving The Five Levels Of Information Security Governance." Forbes, 4 Apr. 2023. Accessed 4 Apr. 2023.
Eiden, Kevin, et al. "Organizational Cyber Maturity: A Survey of Industries." McKinsey & Company, 4 Aug. 2021. Accessed 25 Apr. 2023.
"Information Security Exception Policy." Center for Internet Security, 2020. Accessed 14 Apr. 2023.
"Information Security Governance." EDUCAUSE, n.d. Accessed 27 Apr. 2023.
ISACA. COBIT 2019 Framework: Governance and Management Objectives. GF Books, 2018.
Policies & Procedures Team. "Your Policy for Policies: Creating a Policy Management Framework." ComplianceBridge, 30 Apr. 2021. Accessed 27 Apr. 2023.
"Security and the C-Suite: Making Security Priorities Business Priorities." LogRhythm, Feb. 2021. Accessed 25 Apr. 2023.
University of Virginia. "Policy, Standards, and Procedures Exceptions Process." Information Security at UVA, 1 Jun. 2022. Accessed 14 Apr. 2023.