Security governance and decision-making

Most security governance is theatre. Committees that rubber-stamp, decisions that decide nothing, metrics that measure everything except effectiveness.

The theatre problem

You can diagnose governance theatre in about ten minutes. Look at approval rates: if everything gets approved, nobody is actually evaluating anything. Look at risk acceptance: if nothing ever gets rejected, the word ‘acceptance’ is doing no work. Look at what happens after meetings: if decisions don’t move resources or change timelines, they aren’t decisions.

When was the last time your security governance committee rejected a proposal? If you can’t remember, you’re running theatre, not governance.

Start with real decisions

Don’t fix the committee, fix what the committee decides about. Most governance agendas are filled with status updates and information items. Replace those with choices that actually hurt to make: budget allocation between competing initiatives, risk acceptance for business process changes, resource prioritisation when you can’t do everything.

If the decision doesn’t cost someone something, it’s not a real decision.

Design productive tension

Governance works when different perspectives create friction. The operations team should present implementation constraints. The risk team should present threat scenarios. The business should present commercial impact. All of these before anyone votes.

The best governance meetings are uncomfortable. If your governance meetings are comfortable, you’re doing theatre.

Make consequences visible

Every governance decision should have a measurable outcome: ‘We approved X budget for Y outcome by Z date.’ Track what actually happened. Did approved initiatives deliver? Were risk acceptances validated by subsequent events? Did rejected proposals create the impacts people predicted?

If you can’t measure whether a governance decision was right or wrong, you’re not making real decisions.

Getting there

Start with a diagnostic. In your next governance meeting, ask three questions: how many proposals were rejected in the last six months? What was the last decision that required additional budget? When did you last change course based on governance input? If the answers are ‘none’, ‘can’t remember’, and ‘never’, you have governance theatre.

Then restructure the agenda around decision points. Replace ‘security metrics review’ with ‘resource allocation decision’. Replace ‘risk register review’ with ‘risk acceptance approvals’. Require business impact analysis for every proposal, not just the big ones. Create clear criteria for when risk gets accepted versus mitigated, and document the rationale.

After a quarter, review whether governance decisions actually changed anything. Track outcomes, adjust the process, and be honest about where you’re consistently wrong.

Common pitfalls

Governance designed around audit requirements instead of business value gets treated as a compliance burden. Frame every governance activity in terms of risk reduction and operational improvement, not regulatory box-ticking.

When the governance process is too slow or disconnected from operations, teams bypass it. The fix is a fast-track process for time-critical decisions with retrospective review, not more enforcement.

Risk discussions that turn into technical debates usually indicate a missing common language between technical and business stakeholders. Use business impact scenarios, not vulnerability scores.

And if decisions get reversed outside the governance process, governance lacks real authority. Document decision rights clearly and escalate violations to executive sponsors. If that doesn’t work, you have a sponsorship problem, not a governance problem.

What good governance looks like

You’ll know governance is working when proposals get meaningful pushback, when risk discussions involve actual trade-offs, and when action items have real deadlines attached to real names. You’ll know it’s working when operational teams start seeking governance input proactively, rather than treating it as an obstacle. And you’ll know it’s embedded when people reference governance decisions in their daily planning, not just in their audit evidence.

What does your governance actually decide?

Look at your last three governance meetings. What decisions actually changed resource allocation, risk posture, or operational priorities? If you can’t point to specific, measurable impacts, you’re running theatre.

Real governance is uncomfortable. Everything else is just going through the motions.


Part of the series: ‘From Paper ISMS to Working Security’