Managing Cyber Threats through Effective Governance

John Gilligan, Theresa A. Pardo, Meghan Cook, Mike Garcia, Stephanie Gass, Jackson Koutsos, Autum Pylant
Oct. 21, 2020

Abstract

Cybersecurity threats are an ever-present organizational risk on par with economic, legal, operational, financial, and political risks. They increasingly affect state assets. Managing these risks, and the threats from which they stem, must be part of a state’s overall risk management portfolio. To do this, state leaders must have effective cybersecurity governance.

Cybersecurity governance is the set of processes by which decisions are made about cybersecurity risk. Effective cybersecurity governance provides the mix of control and influence that is necessary and appropriate for a state, and includes mechanisms for mitigating and responding to risk.

While every state has implemented cybersecurity programs, few have cybersecurity governance that effectively ensures a state's risk is managed to a level, and in ways, that formalized governance processes have determined to be acceptable to the governor and legislature. An effective cybersecurity governance framework answers important questions such as:

  • What decisions need to be made about cybersecurity threats?
  • Who makes those decisions?
  • How are those decisions made?
  • What mechanisms exist to inform those decisions?
  • Who has responsibility for translating decisions made by cybersecurity governance into effective cybersecurity programs?
  • What processes exist to make sure that the cybersecurity programs are effective?