Cybersecurity governance

Overview
Cybersecurity governance can take many forms. Three approaches to cybersecurity governance can be used to meet organizational needs: (1) a centralized approach, (2) a decentralized approach, or (3) a hybrid approach. The authority, responsibility, and decision-making power related to cybersecurity and risk management differ in each governance approach. The appropriate governance structure for an organization varies based on many factors (e.g., mission and business processes, size of the organization, organizational operations, resources, and risk tolerance).

Centralized Governance
In centralized governance structures, the authority, responsibility, and decision-making power are vested solely within a central body. The centralized body establishes the policies, standards, guidelines, procedures, and processes for ensuring enterprise-wide involvement in the development and implementation of risk management and cybersecurity strategies and in risk and cybersecurity decisions, as well as in the creation of internal and external communication mechanisms. A centralized approach to governance requires strong, well-informed central leadership and provides consistency throughout the organization. Centralized governance structures also provide less autonomy for subordinate organizations that are part of the parent organization.

Decentralized Governance
In decentralized cybersecurity governance structures, the authority, responsibility, and decision-making power are vested in and delegated to individual subordinate organizations within the parent organization (e.g., business units). Subordinate organizations establish their own policies, standards, guidelines, procedures, and processes for ensuring the development and implementation of risk management and cybersecurity strategies, decisions, and mechanisms to communicate across the organization. A decentralized approach to cybersecurity governance accommodates subordinate organizations with divergent mission and business needs and operating environments. The effectiveness of this approach is greatly increased by the sharing of risk-related information among subordinate organizations, so that no subordinate organization is able to transfer risk to another without the latter's informed consent. It is also important to share risk-related information with parent organizations, as the risk decisions of subordinate organizations may have an effect on the organization as a whole.

Hybrid Governance
In hybrid cybersecurity governance structures, the authority, responsibility, and decision-making power are distributed between the parent and the subordinate organizations. The central body establishes the policies, standards, guidelines, procedures, and processes for ensuring enterprise-wide involvement in the portion of the risk management and cybersecurity strategies and decisions affecting the entire organization (e.g., decisions related to shared infrastructure or common security services). Subordinate organizations, in a similar manner, establish appropriate policies, standards, guidelines, procedures, and processes for ensuring their involvement in the portion of risk management and cybersecurity strategies and decisions that are specific to their mission and business process needs and operational environments. A hybrid approach to governance requires strong, well-informed leadership for the organization as a whole and for subordinate organizations, and provides consistency throughout the organization for those aspects of risk and cybersecurity that affect the entire organization.