# Information Security Governance

By [Kate Kaluhiokalani](https://www.paloaltonetworks.com/blog/author/kkaluhiokala/?ts=markdown "Posts by Kate Kaluhiokalani")
Jun 12, 2023 | 7 minutes

Categories: [CIO/CISO](https://www.paloaltonetworks.com/blog/category/ciociso/?ts=markdown), [CSO Perspective](https://www.paloaltonetworks.com/blog/category/cso-perspective/?ts=markdown), [Secure the Future](https://www.paloaltonetworks.com/blog/category/secure-the-future/?ts=markdown)
Tags: [Cloud Security](https://www.paloaltonetworks.com/blog/tag/cloud-security/?ts=markdown), [cybersecurity](https://www.paloaltonetworks.com/blog/tag/cybersecurity/?ts=markdown)

Protecting information consistently across the enterprise means having the right people at the right level engaged so that the information security program can align with business and technology strategy. Without the participation of the right people, it becomes difficult to maintain the proper information security budget and staffing levels.
In this post, I'll cover the basic concept of governance, as well as why it's important, who should be involved and how a governance framework should be executed and maintained.

## Engaging the Enterprise in a Strategic Discussion

While information security leaders often make decisions based on their experience, it's equally important to involve the enterprise in strategic discussions. Many information security leaders find this task daunting. What does the CEO know about security? How about the general counsel, CFO, head of compliance or board of directors? The short answer is, they probably know little. That's reasonable, as it falls outside their direct responsibilities.

Nonetheless, the executive team and board play pivotal roles as key stakeholders and significantly influence the investment in protecting information. More importantly, the CEO is responsible for executing the corporation's strategic plan, while the CFO oversees financial plans, the general counsel provides guidance on legal risks, the head of compliance ensures regulatory compliance and the board of directors oversees the organization's operations. To benefit from their positions and perspectives, the CISO needs to engage the executive team and board. By providing oversight and guidance for the information security program, they can effectively protect the enterprise at the right level.

## The Importance of Technology Infrastructure and Security

Although it may seem like a basic concept, most businesses depend on their technology infrastructure to operate. Without this infrastructure, businesses would come to a halt. At the same time, the technology infrastructure in most companies has systemic security issues that go unaddressed. These security issues create risks that make it easy to disrupt services or facilitate intellectual property theft.

## Benefits of Information Security Governance

Robust information security governance offers enterprises significant advantages.
These include:

1. Improving trust in customer relationships
2. Protecting the organization's reputation
3. Decreasing the likelihood of regulatory and privacy violations
4. Providing greater confidence when interacting with business partners
5. Enabling new and better ways to process electronic transactions
6. Reducing operational costs by providing predictable outcomes, mitigating risk factors that may interrupt the process^1^

Information security leaders need to engage boards of directors and executive teams so these stakeholders can understand the issues and provide guidance and support for the information security program.

## Creating a Governance Program

An effective approach to establishing a governance program involves building and maintaining relationships with the executive team through one-on-one conversations. This aspect is often overlooked by information security leaders. Ongoing dialogues with the executive team members serve as the foundation for long-term success and optimal alignment with business and technology strategies. In many organizations, security lacks visibility with the executive team and board, but having direct and recurring conversations with these individuals bridges the gap.

**Communicating Security's Impact to Stakeholders**

Many people think that the executive team needs to learn information security's vocabulary, when the reverse is true. To secure the necessary support, the executive team and board of directors must understand how an investment in security aligns with their areas of responsibility. When speaking to a CEO, for example, you need to communicate how security impacts the way they run their business and how it can create strategic advantages. Executed properly, security becomes one ingredient that contributes to creating a resilient technology infrastructure. If the technology infrastructure is resilient, the business can rely on it to support its basic business functions.
The CFO needs to understand how security impacts the top and bottom line. When customers perceive an organization as trustworthy, they have the confidence to do business with it. This is particularly important for companies that depend on digital assets for a large percentage of their revenues. A strategic, predictable investment with the proper underlying processes helps to reduce bottom-line costs.

**Integrating Security into Business Processes**

To emphasize the importance of integrating security into basic business processes, consider the following analogy: When an automobile rolls off the assembly line, the manufacturing process doesn't include a separate step for adding quality. Instead, if quality is taken seriously, it becomes an integrated aspect of the manufacturing. Failure to achieve the desired level of quality leads to product defects. While recalls can be expensive, the cost of damaging a company's reputation and image is greater.

Similarly, security must be integrated into fundamental business processes to ensure proper protection. In application development, it's nearly impossible to apply proper hygiene after the fact and achieve the same outcome as if security had been applied throughout the process. Security must be integrated into the application development lifecycle and into infrastructure management. This is true for other technology areas and for basic business functions. People need to understand how to protect information as part of their daily routines.

## Managing Security Breaches and Risks

Not all security breaches can be prevented.^2^ The executive team and board need to hear this message. Companies and governments are compromised regularly around the globe. It happens. Think of the general counsel's role as a model for information security leadership. The general counsel can't prevent lawsuits. To say otherwise would be foolish.
The general counsel's first order of business is to create a robust legal framework that minimizes legal risk, settlements and related costs. The general counsel doesn't accept the risk for the organization; the role of the general counsel and their staff is to coach the organization on the legal risk it's exposed to and what it should do to minimize that risk. The decision lies with the business. The business needs to make the decision because it has responsibility for revenue generation.

Similarly, information security leadership should assume the responsibility of creating a strong framework and helping the business to understand its security issues and how to address them. The decision on which security risks to accept should lie with the business, not the CISO. This underscores the value of proper information security governance.

## Establishing a Governance Committee

Once the executive team and board grasp the significance of security for the business, it becomes practicable to form a governance committee. The first steps involve securing the participation of senior executives who can make decisions for the organization. This committee typically includes leaders from human resources, legal, compliance, audit, technology and the business. The next step involves creating a charter for the committee so that its mission and landmark details (who should be involved, who the committee reports to, how often they should meet) remain clear. The governance committee should approve the information security strategy and policies, and be the first decision point for significant issues, such as how to respond to a denial of service attack.

An integral part of establishing the governance foundation also involves the creation of metrics that enable the organization to evaluate whether the information security function is fulfilling its mission. Most areas in an organization have defined metrics to help executives understand how they align with their objectives.
Questions the governance committee should ask include:

* Do we have the right staffing levels?
* Are policies and standards adequate and updated?
* Have we made a sufficient investment in security technologies?
* Are we addressing privacy issues?
* Are we in compliance with regulatory frameworks, such as PCI, Sarbanes-Oxley, HIPAA, FFIEC and FISMA?
* Are we exposing ourselves to undue risk?

Using a comprehensive framework, such as ISO 27000 or the NIST Cybersecurity Framework, can help an organization assess its security posture and whether it has taken a comprehensive approach to protecting itself.

## The Benefits of a Proper Governance Framework

Creating an effective governance framework yields numerous benefits. By involving the right people in the organization, the information security team can accomplish its mission, align itself with both business and technology strategy and contribute to building a resilient organization. With the right leadership, communication and governance, information security can evolve into a strategic asset for the organization.

## References

1. *Information Security Governance: Guidance for Boards of Directors and Executive Management*, 2nd Edition, IT Governance Institute, ISBN 1-933284-29-3.
2. Siobhan Gorman, "Broad New Hacking Attack Detected," *Wall Street Journal*, February 18, 2010.