Establish Effective Security Governance & Management

The key is in stakeholder interactions, not policy and process.

  • The security team is unsure of governance needs and how to manage them.
  • There is a lack of alignment between key stakeholder groups.
  • There are misunderstandings related to the role of policy and process.

Our Advice

Critical Insight

Good governance stems from a deep understanding of how stakeholder groups interact with each other and their respective accountabilities and responsibilities. Without these things, organizational functions tend to interfere with each other, blurring the lines between governance and management and promoting ad hoc decision making that undermines governance.

Impact and Result

  • The first phase of this project will help you establish or refine your security governance and management by determining the accountabilities, responsibilities, and key interactions of your stakeholder groups.
  • In phase two, the project will guide you through the implementation of essential governance processes: setting up a steering committee, determining risk appetite, and developing a policy exception-handling process.

Establish Effective Security Governance & Management Research & Tools

1. Establish Effective Security Governance and Management Deck – A step-by-step guide to help you establish or refine the governance model for your security program.

This storyboard will take you through the steps to develop a security governance and management model and implement essential governance processes.

This project will involve evaluating your governance and management needs, aligning with the business, and building a model based on these inputs.

2. Design Your Governance Model – A security governance and management model to track accountabilities, responsibilities, stakeholder interactions, and the implementation of key governance processes.

This tool will help you determine governance and management accountabilities and responsibilities and use them to build a visual governance and management model.

3. Organizational Structure Template – A tool to address structural issues that may affect your new governance and management model.

This template will help you to implement or revise your organizational structure.

4. Information Security Steering Committee Charter & RACI – Templates to formalize the role of your steering committee and the oversight it will provide.

These templates will help you determine the role a steering committee will play in your governance and management model.

5. Security Policy Lifecycle Template – A template to help you model your policy lifecycle.

Once this governing document is customized, ensure the appropriate security policies are developed as well.

6. Security Policy Exception Approval Process Templates – Templates to establish an approval process for policy exceptions and bolster policy governance and risk management.

These templates will serve as the foundation of your security policy exception approval processes.


Member Testimonials

After each Info-Tech experience, we ask our members to quantify the real-time savings, monetary impact, and project improvements our research helped them achieve. See our top member experiences for this blueprint and what our clients have to say.

Overall Impact: 9.8/10
Average $ Saved: $50,899
Average Days Saved: 24

Client | Experience | Impact | $ Saved | Days Saved
Donor Network West | Guided Implementation | 10/10 | $12,999 | 5
ATS CORPORATION | Guided Implementation | 10/10 | $25,000 | 20
Sage Therapeutics | Workshop | 10/10 | N/A | N/A
NMB BANK PLC. | Guided Implementation | 10/10 | $12,599 | 50
The University Of Manchester | Guided Implementation | 9/10 | $152K | 20
Wonder Brands Inc. | Guided Implementation | 8/10 | N/A | 5
DAI Global, LLC | Guided Implementation | 9/10 | $12,399 | 5
Elementis Specialties | Guided Implementation | 10/10 | N/A | 120
City of Kirkland | Guided Implementation | 10/10 | N/A | N/A
Allegis | Guided Implementation | 10/10 | $2,546 | 5
Clark Schaefer Hackett | Guided Implementation | 10/10 | $3,820 | 20

Member comments:

Donor Network West: "Getting expert understanding in this space is very important to our organization. Worst part is when the models don't have clear definition on the ..."

ATS CORPORATION: "Fritz Jean-Lois provided valuable guidance in quickly developing our security governance and management plan to support our goal of maturing the se..."

Sage Therapeutics: "The workshop was very insightful and I enjoyed the workshop immensely. Working through the charters and learning how to maximize our use of the to..."

NMB BANK PLC.: "The best experience was when Logan was explaining to me different options available with infotech, that opened my eyes for change of direction on m..."

DAI Global, LLC: "I very much appreciate the knowledgeable experts who helped us quickly understand an approach to get our arms around a way to move forward with eva..."

Allegis: "Filipe is very knowledgeable on the topic and the other resources that Infotech has available."

Clark Schaefer Hackett: "Having Kevin's expertise to help me through this project was very helpful."


Security Management

Establish the missing bridge between security and the business to support tomorrow's enterprise with minimal resources.

This course makes up part of the Security & Risk Certificate.

  • Course Modules: 3
  • Estimated Completion Time: 1 hour
  • Featured Analyst: Logan Rohde, Senior Research Analyst, Security Practice

Establish Effective Security Governance & Management

The key is in stakeholder interactions, not policy and process.

Analyst Perspective

It's about stakeholder interactions, not policy and process.

Many security leaders complain about a lack of governance and management in their organizations. They have policies and processes but find neither have had the expected impact and that the organization is teetering on the edge of lawlessness, with stakeholder groups operating in ways that interfere with each other (usually due to poorly defined accountabilities).

Among the most common examples is security's relationship to the business. When these groups don't align, they tend to see each other as adversaries and make decisions in line with their respective positions: security endorses one standard, the business adopts another.

The consequences of this are vast. Such an organization is effectively opposed to itself. No wonder policy and process have not resolved the issue.

At a practical level, good governance stems from understanding how different stakeholder groups interact, providing inputs and outputs to each other and modeling who is accountable for what. But this implied accountability model needs to be formalized (perhaps even modified) before governance can help all stakeholder groups operate as strategic partners with clearly defined roles, responsibilities, and decision-making power. Only when policies and processes reflect this will they serve as effective tools to support governance.

Logan Rohde
Senior Research Analyst, Security & Privacy
Info-Tech Research Group

Executive Summary

Your Challenge

Ineffective governance and management processes, if they are adopted at all, can lead to:
  • An organization unsure of governance needs and how to manage them.
  • A lack of alignment between key stakeholder groups.
  • Misunderstandings related to the role of policy and process.

Common Obstacles

Most governance and management initiatives stumble because they do not address governance as a set of interactions and influences that stakeholders have with and over each other, seeing it instead as policy, process, and risk management. Challenges include:
  • Senior management disinterest
  • Stakeholders operating in silos
  • Separating governance from management

Info-Tech's Approach

You will be able to establish a robust governance model to support the current and future state of your organization by accounting for these three essential parts:
  1. Determine governance accountabilities.
  2. Define management responsibilities.
  3. Model stakeholders' interactions, inputs, and outputs as part of business and security operations.

Info-Tech Insight
Good governance stems from a deep understanding of how stakeholder groups interact with each other and their respective accountabilities and responsibilities. Without these things, organizational functions tend to interfere with each other, blurring the lines between governance and management and promoting ad hoc decision making that undermines governance.

Your challenge

This research is designed to help organizations who need to:

  • Establish security governance from scratch.
  • Improve security governance despite a lack of cooperation from the business.
  • Determine the accountabilities and responsibilities of each stakeholder group.

This blueprint will solve the above challenges by helping you model your organization's governance structure and implement processes to support the essential governance areas: policy, risk, and performance metrics.

70%: Percentage of organizations that have yet to fully advance to a maturity-based approach to security (Source: McKinsey, 2021)

Common obstacles

These barriers make this challenge difficult to address for many organizations:

  • The business does not wish to be governed and does not seek to align with security on the basis of risk.
  • Various stakeholder groups essentially govern themselves, causing business functions to interfere with each other.
  • Security teams struggle to differentiate between governance and management and the purpose of each.

Early adopter infrastructure

63%: Security leaders not reporting to the board about risk or incident detection and prevention (Source: LogRhythm, 2021)

46%: Those who report that senior leadership is confident cybersecurity leaders understand business goals (Source: LogRhythm, 2021)

Governance isn't just policy and process

Governance is often mistaken for an organization's formalized policies and processes. While both are important governance supports, they do not provide governance in and of themselves.

For governance to work well, an organization needs to understand how stakeholder groups interact with each other. What inputs and outputs do they provide? Who is accountable? Who is responsible? These are the questions one needs to ask before designing a governance structure. Failing to account for any of these three elements tends to result in overlap, inefficiency, and a lack of accountability, creating flawed governance.

Separate governance from management

Oversight versus operations

  • COBIT emphasizes the importance of separating governance from management. These are complementary functions, but they refer to different parts of organizational operation.
  • Governance provides a decision-making apparatus based on predetermined requirements to ensure smooth operations. It is used to provide oversight and direction and hinges on established accountabilities.
  • Simply put, governance refers to what an organization is and is not willing to permit in day-to-day operations, and it tends to make its presence known via the key areas of risk appetite, formal policy and process, and exception handling.
    • Note: These key areas do not provide governance in and of themselves. Rather, governance emerges in accordance with the decisions an organization has made regarding these areas. Sometimes, however, these "decisions" have not been formally or consciously made and the current state of the organization's operations becomes the default - even when it is not working well.
  • Management, by contrast, is concerned with executing business processes in accordance with the governance model. Essentially, governance provides guidance for how to make decisions during daily management.

"Information security governance is the guiding hand that organizes and directs risk mitigation efforts into a business-aligned strategy for the entire organization."

Steve Durbin,
Chief Executive,
Information Security Forum, Forbes, 2023

Models for governance and management

Info-Tech's Governance and Management research uses the logic of COBIT's governance and management framework but distills this guidance into a practical, easy-to-implement series of steps, moving beyond the rudimentary logic of COBIT to provide an actionable and personalized governance model.

[Figure: Governance Cycle and Management Cycle, linked by clear accountabilities and responsibilities]

Complementary frameworks to simplify governance and management

The distinction that COBIT draws between governance and management is roughly equivalent to that of accountability and responsibility, as seen in the RACI* model.

There can be several stakeholders responsible for something, but only one party can be accountable.

Use this guidance to help determine the accountabilities and responsibilities of your governance and management model.

*Responsible, Accountable, Consulted, Informed

[Figure: COBIT RACI chart]

Security governance framework

A security governance framework is a system that will design structures, processes, accountability definitions, and membership assignments that lead the security department toward optimal results for the business.

Governance is performed in three ways:

  1. Evaluate: For governance to be effective it must account for stakeholder interests and business needs. Determining what these are is the vital first step.
  2. Direct: Governance is used to determine how things should be done within an organization. It sets standards and provides oversight so decisions can be made during day-to-day management.
  3. Monitor: Governance needs change and inefficiencies need to be revised. Therefore, monitoring key performance indicators is an essential step to course correct as organizational needs evolve.

"Governance specifies the accountability framework and provides oversight to ensure that risks are adequately mitigated, while management ensures that controls are implemented to mitigate risks. Management recommends security strategies. Governance ensures that security strategies are aligned with business objectives and consistent with regulations."
- EDUCAUSE


About Info-Tech

Info-Tech Research Group is the world’s fastest-growing information technology research and advisory company, proudly serving over 30,000 IT professionals.

We produce unbiased and highly relevant research to help CIOs and IT leaders make strategic, timely, and well-informed decisions. We partner closely with IT teams to provide everything they need, from actionable tools to analyst guidance, ensuring they deliver measurable results for their organizations.


What Is a Blueprint?

A blueprint is designed to be a roadmap, containing a methodology and the tools and templates you need to solve your IT problems.

Each blueprint can be accompanied by a Guided Implementation that provides you access to our world-class analysts to help you get through the project.

Need Extra Help?
Speak With An Analyst

Get the help you need in this 2-phase advisory process. You'll receive 8 touchpoints with our researchers, all included in your membership.

Guided Implementation 1: Design your governance model
  • Call 1: Scope requirements, objectives, and your specific challenges.
  • Call 2: Determine governance requirements.
  • Call 3: Review governance model.
  • Call 4: Determine KPIs.

Guided Implementation 2: Implement essential governance processes
  • Call 1: Stand up steering committee.
  • Call 2: Set risk appetite.
  • Call 3: Establish policy lifecycle.
  • Call 4: Revise exception-handling process.

Author

Logan Rohde

Contributors

  • Michelle Tran, Consulting Industry
  • 1 anonymous