Thom Langford at Rapid7 argues that governance is often seen as boring and nebulous but effective information security depends on elevating the CISO’s role within the business

Governance is the crispy kale of cyber-security – everyone knows it’s good for you, but you won’t find many people rushing to get a second helping. Say the word in a room full of CISOs and you can almost hear the collective groan and the collective noise of eyeballs rolling in their heads.
It’s the part of security that’s seen as slow, procedural, and allergic to excitement. Yet ironically, good governance is the opposite of restrictive. It’s the thing that actually gives freedom – the framework that lets people move fast because they know where the guardrails are.
The real challenge isn’t that governance is dull; it’s that we’ve done a terrible job of showing how empowering it can be.
Governance might just be the most confusing word in our industry. Too often it’s treated as a tick-box exercise or an unavoidably tedious bit of bureaucracy. In reality, governance is far less about administration and far more about alignment. It’s the mechanism that ensures our time, effort, and resources are being invested where they actually matter.
Good governance doesn’t shackle people; it sets them free. It gives them the confidence to act because they know what’s expected, what’s permitted, and what’s off-limits.
When everyone understands the guardrails, you can spend less time asking for permission and more time getting the job done. That’s what real governance looks like – not red tape, but reinforced autonomy.
If governance is supposed to bring clarity and direction then why does it seem so sluggish and restrictive?
In many organisations, it’s because governance often means being ruled by committee. It’s common to find governance meetings that consist of a dozen people in a room operating under the idea that everyone must agree on everything before anything can happen.
To be clear, security governance absolutely must be a cross-organisational process that includes multiple stakeholders, but without clear leadership and direction it can turn into a lot of meeting minutes but few decisions. That’s when progress stalls and security becomes paralysed by its own processes. It’s analysis paralysis.
Instead, governance structures should be designed for flow – information moving outward, not bureaucracy flowing inward. Done properly, governance enables collaboration without diluting accountability.
Governance ultimately lives or dies on communication. You can have the most elegant policy in existence, but if you can’t explain why it matters to the people signing the cheques, it’s just PowerPoint wallpaper.
This is where it’s absolutely crucial that CISOs have strong communication skills as well as technical knowledge.
Being clear and concise is one of the most important skills here. Few things can drain enthusiasm for governance faster than a 40-slide deck of vanity metrics that look good but contribute little towards decision-making.
The true test of a good report is whether it answers two simple questions: ‘So what?’ and ‘What now?’
It’s about showing all the other stakeholders not just how they can help you, but how you can help them. That means framing cyber-security in their language: risk and reputation for the CEO, efficiency for the COO, compliance for the General Counsel, budget predictability for the CFO.
If you can talk clearly about how your work contributes to the company vision and why their contribution matters too, then you give them the ego that says ‘only you can help me,’ but also the substance that says ‘I can help you achieve your goals.’
This creates an atmosphere of mutual improvement. The CISO stops being a messenger of doom or the Head of the Business Prevention Unit™ and becomes a translator between technical reality and business ambition.
As mentioned, good governance is the cross-organisational process that includes key stakeholders from across the business. But finding the right people is one thing, and getting them into regular meetings at the same time is often quite another.
It’s sometimes taken me a full 12 months to assemble the right mix of people, but that patience usually pays off. You need a coalition of doers – people who can provide insight, make decisions, and follow through with them.
The obvious answer might be to fill the room with C-suite executives, but I’d argue the “sweet spot” often lies one layer down. Lieutenants to the CFO, COO, and so on, tend to be less time-poor, meaning they’ll be more willing and able to attend regular meetings.
They’ll also likely have more capacity to roll up their sleeves and put decisions into action. You still need top-down support to give the group authority, but day-to-day progress happens through those who can act, not just approve.
For all its reputation as red tape, governance is really the connective tissue that holds an organisation’s ambitions together. When done right, it doesn’t slow innovation, but safeguards it. Good governance should be an act of protection, not restriction.
It also plays a vital cultural role. A strong governance framework doesn’t just link cyber-security to business strategy; it links departments to each other. HR, legal, operations, and finance all have skin in the game, and governance gives them a shared language and set of goals.
The result is clarity, not control, leading to a structure that empowers people to act with confidence because they understand the purpose behind the rules. When governance aligns culture, vision, and autonomy, it becomes the glue that holds trust in place.
Governance doesn’t need jazz hands – it just needs purpose. For all the talk of frameworks and committees, it’s ultimately about people: how they communicate, collaborate, and hold each other accountable.
When CISOs reframe governance as a tool for empowerment rather than control, it stops being a chore and starts being a catalyst. It’s what allows teams to move quickly without losing direction, to innovate without losing sight of the rules that keep them safe.
If you still think governance is dull, then you are simply doing it wrong.
Thom Langford is CTO EMEA at Rapid7