
NIST CSF 2.0 Series: The Govern Function (Part 2)

Governance isn't bureaucracy—it's clarity about who owns security decisions. Here's how the Govern function works in practice.

This is Part 2 of our series on NIST CSF 2.0. Part 1 covered what changed in version 2.0 and why the new Govern function matters.

The Govern function sits at the center of CSF 2.0 because governance failures undermine everything else. Organizations can have excellent technical controls, sophisticated detection capabilities, and well-documented response procedures—and still fail because nobody owns security decisions, or because security priorities don't align with business objectives.

What Govern Actually Covers

The Govern function addresses the organizational foundations of cybersecurity:

Organizational Context — Understanding the business environment, stakeholder expectations, legal requirements, and risk tolerance. Security programs that ignore business context become obstacles rather than enablers.

Risk Management Strategy — Defining how the organization approaches risk. What's the risk appetite? How are risks prioritized? Who makes decisions when tradeoffs are necessary?

Roles and Responsibilities — Clearly assigning accountability for cybersecurity outcomes. Not vague statements like "security is everyone's responsibility," but specific ownership of specific outcomes.

Policy — Establishing, communicating, and enforcing policies that guide security decisions and behaviors throughout the organization.

Oversight — Leadership involvement in security governance. Boards and executives should understand cybersecurity risk and participate in key decisions.

Supply Chain Risk Management — Recognizing that organizational security depends on vendor and partner security.

Leadership and Accountability

Effective governance requires clear ownership. Key elements include:

Defined roles at every level. Someone should own overall security strategy (CISO, vCISO, or designated leader). Department heads should understand their security responsibilities. Individual contributors should know what's expected of them.

A governance structure. For larger organizations, this might mean a security steering committee with representatives from IT, legal, compliance, operations, and business units. For smaller organizations, it might simply mean regular security discussions in leadership meetings.

Executive engagement. Security needs visible support from the top. This means adequate funding, but also participation in security discussions and modeling of security behaviors.

Metrics and reporting. Regular reporting to leadership on security posture, risks, and program effectiveness. What gets measured and reported gets attention.

Aligning Security with Business Objectives

Security programs fail when they operate in isolation from business goals. Effective alignment requires:

Understanding what the business is trying to achieve. Growth targets, customer expectations, competitive pressures, regulatory requirements—security should enable these objectives, not obstruct them.

Risk-based prioritization. Not all assets are equally important. Not all risks are equally likely or impactful. Security resources should focus on what matters most to the business.

Integration into business processes. Security considerations should be part of new product development, vendor selection, M&A activity, and strategic planning—not an afterthought.

Communication in business terms. Security leaders need to translate technical risks into business impact. "Unpatched servers" means nothing to a board; "potential for operational disruption and regulatory penalties" does.

Why Governance Fails

Common governance failures include:

No clear ownership. When everyone is responsible, nobody is responsible. Security becomes a game of hot potato.

Misaligned incentives. If business units are measured only on speed and cost, they'll resist security controls. Governance must create incentives for security-conscious behavior.

Policy without enforcement. Policies that exist on paper but aren't followed provide compliance theater, not actual security.

Disconnection from operations. Governance developed in isolation from how the organization actually works creates friction and workarounds.

Lack of executive support. Without visible leadership commitment, security programs get deprioritized when budgets tighten or deadlines loom.

Building Effective Governance

For organizations starting or improving their security governance:

  1. Assign clear ownership. Someone specific should be accountable for security outcomes—not IT by default, but a designated leader with appropriate authority.

  2. Document risk appetite. Work with leadership to define what level of risk is acceptable. This prevents endless debates about individual controls.

  3. Establish regular review cycles. Quarterly governance reviews keep policies current and ensure ongoing leadership engagement.

  4. Connect governance to operations. Governance structures should include operational leaders, not just executives and compliance staff.

  5. Measure what matters. Define metrics that indicate whether governance is working—not just policy counts, but evidence of policy effectiveness.

Next in the Series

Part 3 covers the Identify function—understanding what assets you have, what risks they face, and how to prioritize your security efforts.


Need help establishing security governance or aligning your security program with business objectives? Our vCISO services and GRC Advisory provide the leadership and structure organizations need. Let's talk.

Jonathan Carpenter
Founder, Anchor Cyber Security