ABSTRACT

Governance provides a critical service to security by absorbing business strategy from executives and ensuring that it is fully digested by the security program. Governance has all the pertinent security and operational performance information as well as visibility into business dynamics, and it provides the foundation for upward communication of the overall performance of security and its role within business operations. Governance, acting as the interface to the business, equipped with knowledge of security operations, and able to influence changes in the alignment of security, is the tipping point for adaptability. The primary role of influence for governance, and arguably one of the unfortunate failings of some security programs, is ensuring the ability to apply changes relative to what is being measured. Control, or the lack thereof, as demonstrated by security metrics and vulnerabilities, also applies to operational capabilities. There are two fundamental targets of measurement that must be addressed: security measurements and operational measurements.