Implement Whole-of-Government Cybersecurity Governance
Rethinking how governments provide cybersecurity services at all levels, moving toward a “whole-of-government” integrated model.
- Keeping up with the rapid pace of technological advancements and the ever-evolving threat landscape of cyberattacks presents an ongoing challenge for government agencies at all levels.
- Government agencies face an array of sophisticated threats, including ransomware, phishing, and zero-day exploits, and must protect against security threats.
- Implementing robust cybersecurity measures within the governance framework has become a critical priority.
Our Advice
Critical Insight
Good governance stems from a deep understanding of how stakeholder groups interact with each other and their respective accountabilities and responsibilities. Without these things, organizational functions tend to interfere with each other, blurring the lines between governance and management and promoting ad hoc decision making that undermines governance.
Impact and Result
- The first phase of this project will help you establish or refine your security governance and management by determining the accountabilities, responsibilities, and key interactions of your stakeholder groups.
- In phase two, the project will guide you through the implementation of essential governance processes: setting up a steering committee, determining risk appetite, and developing a policy exception-handling process.
Implement Whole-of-Government Cybersecurity Governance Research & Tools
1. Implement Whole-of-Government Cybersecurity Governance Deck – A step-by-step guide to help you establish or refine the governance model for your government agency security program.
This storyboard will take you through the steps to develop a security governance and management model and implement essential governance processes. This project will involve evaluating your governance and management needs, aligning with agency security strategy and goals, and building a model based on these inputs.
2. Design Your Governance Model – Security governance and management model to track accountabilities, responsibilities, and stakeholder interactions, as well as implementation of key governance processes.
This tool will help you determine governance and management accountabilities and responsibilities and use them to build a visual governance and management model.
3. Organizational Structure Template – Use this tool to address structural issues that may affect your new governance and management model.
This template will help you implement or revise your agency structure.
4. Information Security Steering Committee Charter & RACI – Templates to formalize the role of your steering committee and the oversight it will provide.
These templates will help you determine the role a steering committee will play in your governance and management model.
5. Security Policy Lifecycle Template – A template to help you model your policy lifecycle.
Once this governing document is customized, ensure the appropriate security policies are developed as well.
6. Security Policy Exception Approval Process Templates – Templates to establish an approval process for policy exceptions and bolster policy governance and risk management.
These templates will serve as the foundation of your security policy exception approval processes.
7. Security Research Program – An executive level presentation that details each strategic component of a comprehensive security program – governance, prevention, detection & response, and data privacy.
This program deck will provide a detailed overview of your government agency cybersecurity program.
On Demand Webinar: Implement Cybersecurity Governance for Whole-of-Government
Analyst Perspective
Governments are rethinking how they provide cybersecurity services, moving toward a more "whole-of-government" integrated model.
Prioritizing Whole-of-Government Cybersecurity Governance
"Are we secure?" is a common question asked by government lawmakers and executive leadership to their chief information security officers (CISOs) and chief information officers (CIOs). While the individuals asking that question expect a simple response, the answer is typically complex and rarely straightforward.
Achieving complete security for a government's IT systems, applications, and infrastructure is as unrealistic as making a building entirely fireproof. CIOs and CISOs know they are responsible for protecting the information of their constituents while also providing readily available, easily accessible online access to a range of government services.
At every level of government, the challenge of securing IT systems is expanding as, for example, central state agencies begin offering cybersecurity services to local governments and school districts. To meet this challenge, some states are rethinking how they provide cybersecurity services, moving toward a "whole-of-government" integrated model.
Neal Rosenblatt
Principal Research Director
Public Health Industry
Info-Tech Research Group
Executive summary
| Your Challenge | Common Obstacles | Info-Tech's Approach |
| --- | --- | --- |
| Keeping up with the rapid pace of technological advancements and the ever-evolving threat landscape of cyberattacks presents an ongoing challenge for government organizations at all levels. Protecting against security threats: government agencies face an array of sophisticated threats, including ransomware, phishing, and zero-day exploits. Implementing robust cybersecurity measures within the governance framework has become a critical priority. | Culture and awareness that prevents progress: government agencies today are subject to many obstacles including regulations governing the protection of confidential information, financial accountability, and data retention and disaster recovery, among others. Taking a proactive approach: overcoming obstacles demands a proactive approach, continuous assessment, and a commitment to aligning IT strategies with organizational objectives at all levels of government. | You will be able to establish a robust cybersecurity governance model to support the current and future state of your agency by accounting for these three essential parts: |
Info-Tech Insight
Good governance stems from a deep understanding of how stakeholder groups interact with each other and their respective accountabilities and responsibilities. Without these things, organizational functions tend to interfere with each other, blurring the lines between governance and management and promoting ad hoc decision making that undermines governance.
Your challenge
This research is designed to help government agencies at all levels who need to:
- Establish security governance from scratch.
- Improve enterprise security governance despite a lack of cooperation from agency stakeholders.
- Determine the accountabilities and responsibilities of each stakeholder group.
70% - Percentage of organizations that have yet to fully advance to a maturity-based approach to security.
Source: McKinsey, 2021.
What are some of the challenges implementing effective IT governance?
IT governance can be a minefield. Don't let these common challenges damage your organization.
| Challenge | Description |
| --- | --- |
| Resistance to Change | Employees and management may resist new governance processes, especially if they perceive them as bureaucratic or unnecessary. |
| Lack of Awareness and Understanding | Without proper education and communication, stakeholders might not understand the importance of IT governance, leading to poor engagement and support. |
| Alignment With Business Goals | Ensuring that IT governance aligns with rapidly changing business priorities can be difficult. |
| Resource Constraints | Limited resources, including budget, personnel, and time, can hinder the implementation and maintenance of governance frameworks. |
| Complexity of IT Environments | Modern IT environments are complex and constantly evolving, making it challenging to establish and maintain effective governance. |
| Inadequate Risk Management | Poor risk planning and management can lead to vulnerabilities and inefficiencies in IT operations. |
| Performance Measurement | Establishing and tracking meaningful performance metrics to evaluate the effectiveness of IT governance can be difficult. |
Sources: IT Governance Docs, 2023; CIO, 2022; Architecture & Governance Magazine, 2022.
Info-Tech Insight
IT governance should be well-defined, clearly understood, and led by principles that reflect your organization's mission, vision, and strategy.
Implementing effective IT governance can be quite challenging. Addressing these challenges requires a strategic approach, clear communication, and ongoing commitment from all levels of government organizations.
"Good governance should delegate and empower individuals to deliver to defined outcomes that support organizational direction."
Donna Bales
Principal Research Director
Info-Tech Research Group
An example of governance in IT
One example of IT governance is the implementation of a formal framework to align IT strategy with agency objectives.
For example, your agency might adopt Info-Tech's COBIT-based governance and management framework to ensure that the organization's IT investments support its overall business goals. This involves setting up processes for:
Risk Management: Identifying and mitigating IT-related risks to protect the organization's assets.
Performance Measurement: Establishing metrics to evaluate the effectiveness and efficiency of IT services.
Resource Management: Ensuring optimal use of IT resources, including personnel, infrastructure, and budget.
Compliance: Adhering to relevant laws, regulations, and internal policies.
Sources: CIO, 2017; InvGate, 2023; Wolken, 2024.
Info-Tech Insight
By following a framework like Info-Tech's governance and management framework, your agency can ensure that its IT operations are not only adaptable and efficient but also aligned with its strategic objectives.
Common obstacles
These barriers make this challenge difficult to address for many government organizations:
- Agency internal and external stakeholders do not wish to be governed by enterprise IT leadership and do not seek to align with enterprise security on the basis of risk.
- Various stakeholder groups essentially govern themselves, causing business functions to interfere with each other.
- Security teams struggle to differentiate between governance and management and the purpose of each.
Early adopter infrastructure
63% - Percentage of security leaders not reporting to the board about risk or incident detection and prevention.
Source: LogRhythm, 2021.
46% - Percentage of respondents who report that senior leadership is confident cybersecurity leaders understand business goals.
Source: LogRhythm, 2021.
"Information security governance is the guiding hand that organizes and directs risk mitigation efforts into a business-aligned strategy for the entire organization."
Steve Durbin, Chief Executive, Information Security Forum
Forbes, 2023
Governance isn't just policy and process
Governance is often mistaken for an organization's formalized policies and processes. While both are important governance supports, they do not provide governance in and of themselves.
Three Elements
For governance to work well, an organization needs to understand how stakeholder groups interact with each other. The three questions one needs to ask before designing a governance structure are:
- What inputs and outputs do they provide?
- Who is accountable?
- Who is responsible?
Failing to account for any of these three elements tends to result in overlap, inefficiency, and a lack of accountability, creating flawed governance.
There are clear accountabilities and responsibilities
Complementary frameworks – COBIT & RACI* – to simplify governance and management.
The distinction that COBIT draws between governance and management is roughly equivalent to that of accountability and responsibility, as seen in the RACI model.
There can be several stakeholders responsible for something, but only one party can be accountable.
Use this guidance to help determine the accountabilities and responsibilities of your governance and management model.
* Responsible, Accountable, Consulted, and Informed
Christine Coz, Executive Counselor
Erik Avakian, Technical Counselor
About Info-Tech
Info-Tech Research Group is the world’s fastest-growing information technology research and advisory company, proudly serving over 30,000 IT professionals.
We produce unbiased and highly relevant research to help CIOs and IT leaders make strategic, timely, and well-informed decisions. We partner closely with IT teams to provide everything they need, from actionable tools to analyst guidance, ensuring they deliver measurable results for their organizations.
What Is a Blueprint?
A blueprint is designed to be a roadmap, containing a methodology and the tools and templates you need to solve your IT problems.
Each blueprint can be accompanied by a Guided Implementation that provides you access to our world-class analysts to help you get through the project.
Need Extra Help?
Speak With An Analyst
Get the help you need in this 2-phase advisory process. You'll receive 8 touchpoints with our researchers, all included in your membership.
Guided Implementation 1: Design Your Governance Model
- Call 1: Scope requirements, objectives, and your specific challenges.
- Call 2: Determine governance requirements.
- Call 3: Review governance model.
Guided Implementation 2: Implement Essential Governance Processes
- Call 1: Determine KPIs.
- Call 2: Stand up steering committee.
- Call 3: Set risk appetite.
- Call 4: Establish policy lifecycle.
- Call 5: Revise exception-handling process.
Author
Neal Rosenblatt
Contributors
- Kate Wood, Cybersecurity Practice Lead
- Logan Rohde, Cybersecurity Advisor
Search Code: 106382
Last Revised: December 11, 2024