Why CIS Solutions Join CIS Resources
CIS WorkBench Sign-in CIS WorkBench Sign In CIS Hardened Images CIS Hardened Images Support CIS Support


Who We Are

CIS is an independent, nonprofit organization with a mission to create confidence in the connected world

About Us Leadership Principles Testimonials


secure your organization
Secure Your Organization

secure specific platforms
Secure Specific Platforms

cis securesuite CIS SecureSuite® Learn More      Apply Now  
u s state local tribal and territorial governments
U.S. State, Local, Tribal & Territorial Governments

View All Products & Services  

Join CIS

Get Involved

Join CIS as a member, partner, or volunteer - or explore our career opportunities

CIS SecureSuite® Membership Multi-State ISAC (MS-ISAC®) Elections Infrastructure ISAC (EI-ISAC®) CIS CyberMarket® Vendors CIS Communities Careers




filter by topic
Filter by Topic

View All Resources  
CIS Logo Show Search Expand Menu

Breaking the Divide Between Governance and Operational Cybersecurity

By Sean Atkinson, Chief Information Security Officer

CISO blog

Governance in cybersecurity

Governance is an important topic in cybersecurity, as it describes the policies and processes which determine how organizations detect, prevent, and respond to cyber incidents. In many organizations, there is a division between governance and management. Those who work in governance tend to emphasize strategic planning, whereas management deals with the day-to-day operationalized approach to security. Sometimes this results in different leadership perspectives.

Making the organizational move from a divided hierarchy to one in which strategy informs operation (and operation informs strategy) is a difficult challenge. Communication is key to effectively managing expectations, messaging, and security posture throughout the process.

Detect, prioritize, and control

Operational controls – the real-life response to a cybersecurity incident – should be the focus of any security program. Managing these controls and reporting to a governance structure may not require the knowledge of operationalization, but instead may rely on an agreed-upon level of confidence in respect to risk management involving both governance and operational leadership.

In addition to working alongside governance experts, operational controls managers should measure their security posture against a framework or baseline such as the CIS Controls™ or NIST Cyber Security Framework. Conducting such an assessment is important, as understanding your organization’s compliance levels is key to finding weaknesses in the organizational controls as well as the prioritization of investment for strengthening controls.

In a previous blog post I discussed calculating your risk-reduction ROI; after identifying weaker controls, we can start to use this single calculation to define what provides the greatest level of return on investment as well as the greatest reduction in risk. In future blog posts, risk will be discussed with respect to quantitative analysis, using a Monte Carlo simulation to demonstrate how a single risk and control mitigation can provide an overall reduction in risk to the whole organization.

With clearer reporting and analysis of risk reduction, we can bridge the gap between governance and operational security, leading to better strategic decision making and a more unified approach to the cyber threat landscape.

Arrow Download the CIS Controls