By way of brief background, NIST organizes cybersecurity risk management into five high-level functions: Identify, Protect, Detect, Respond and Recover.  Placed within the Identify function is a category called Governance.  NIST defines governance broadly to refer to an organization’s ability to inform its security approach based on its “regulatory, legal, risk, environmental, and operational requirements,” and to manage those efforts through appropriate policies, procedures and processes.  

Ultimately, good governance should translate into your organization having high confidence that the following four principles hold true:

  • Security controls are aligned with and support your business objectives, and do so in a cost-effective manner;
  • Current as well as evolving risks are taken into account;
  • Policies and internal controls incorporate and drive compliance with laws, regulations and business decisions; and, 
  • Individuals are assigned responsibilities appropriate to their roles and skills, have adequate resources to succeed and are accountable through meaningful oversight.


Policy Advice

Having a widely disseminated, well-understood information security policy is an absolute must.  Done right, this isn’t a “check the box” exercise, but instead is shaped and periodically reviewed by senior leadership in consideration of the company’s business objectives.  If you want to see how your company’s policies compare to other best practices, or if you’re starting from scratch, there are a number of free tools.  In addition to the resources mentioned in prior columns (see the July 2014 Cyber Tactics column), you may appreciate the United Kingdom’s Information Security Toolkit, available here, as well as Norway’s Information Security Best Practice Document, available here.  Although both of these documents were drafted with European universities in mind, they are equally valuable for other types of organizations, regardless of location.


Role with IT

It is important to recognize that managing information security risk is a team sport.  Cybersecurity governance requires the identification and coordination of roles and responsibilities that are both internal and external to your organization, ranging from Human Resources to IT Security.  In this regard, NIST recommends that organizations give special consideration to privacy obligations, which tend to cross business lines and geographic boundaries.


Process Control 

Although many individuals still believe that information security simply can be tacked onto the business, good governance requires that companies have the foresight to determine the information security needs of their business prior to approving product designs, service offerings and general operations.  Sometimes it’s the security controls that need to change, but remain mindful that business processes too may need to be revised in order to achieve an acceptable level of protection.


About the Columnist 

 Steven Chabinsky is General Counsel and Chief Risk Officer for CrowdStrike, a cybersecurity technology firm that specializes in continuous threat monitoring, intelligence reporting, network security penetration testing, assessments and incident response. He previously served as Deputy Assistant Director of the FBI’s Cyber Division. He can be reached at