[Featured image: Security governance and decision-making]

Governance That Actually Governs

Most security governance is theater. Committees that rubber-stamp, decisions that decide nothing, metrics that measure everything except effectiveness. Here’s how to build governance that actually governs.

The Theater Problem

Zombie Governance Signs

  • Meetings where everything gets approved
  • Risk acceptance discussions that never reject anything
  • Metrics focused on activity rather than outcomes
  • Decisions postponed until “more analysis”

Real Governance Indicators

  • Some proposals get rejected or modified
  • Risk discussions include actual trade-offs
  • Metrics drive behavioral change
  • Decisions allocate real resources

When was the last time your security governance committee rejected a proposal? If you can’t remember, you’re running theater, not governance.

The Transformation Framework

1. Start With Real Decisions

Don’t fix the committee—fix what the committee decides about. Give them choices that matter:

  • Budget allocation between competing security initiatives
  • Risk acceptance for business process changes
  • Resource prioritization when you can’t do everything
  • Timeline decisions that affect delivery dates

If the decision doesn’t hurt to make, it’s not a real decision.

2. Design Productive Tension

Governance works when different perspectives create healthy conflict:

  • Operations team presents implementation challenges
  • Risk team presents threat scenarios
  • Business presents commercial impact
  • All perspectives heard before decisions

The best governance meetings are uncomfortable. Everyone should leave having learned something that challenges their assumptions.

3. Make Consequences Visible

Every governance decision should have measurable outcomes:

  • “We approved X budget for Y outcome by Z date”
  • “We accepted this risk and here’s what happened”
  • “We rejected this proposal and here’s the impact”

If you can’t measure whether a governance decision was right or wrong, you’re not making real decisions.

Implementation Roadmap

Phase 1: Diagnostic (Month 1)

Run this assessment in your next governance meeting:

  • How many proposals were rejected in the last 6 months?
  • What was the last decision that required additional budget?
  • When did we last change course based on governance input?

If your answers are “none,” “can’t remember,” and “never,” you have governance theater.

Phase 2: Restructure (Months 2-3)

Redesign agenda around decision points, not status updates:

  • Replace “security metrics review” with “resource allocation decision”
  • Replace “risk register review” with “risk acceptance approvals”
  • Replace “policy update” with “policy exception requests”

Require business impact analysis for all proposals:

  • What happens if we approve this?
  • What happens if we reject this?
  • What’s the cost of delay?

Create clear criteria for risk acceptance vs. mitigation:

  • Risk scoring methodology aligned to business impact
  • Defined thresholds for escalation
  • Documented rationale requirements

Phase 3: Embed (Months 4-6)

Track decision outcomes and review them quarterly:

  • Did approved initiatives deliver the expected outcomes by the promised date?
  • Did accepted risks materialize, and at the impact that was predicted when they were accepted?
  • Did rejected proposals create the impacts that were predicted at rejection?

Adjust governance process based on effectiveness:

  • What decisions are we making well?
  • Where are we consistently wrong?
  • What information do we need that we don’t have?

Build stakeholder confidence through visible impact:

  • Publicize governance successes
  • Acknowledge and learn from failures
  • Demonstrate value of governance oversight

Common Pitfalls and Solutions

Pitfall: Governance seen as compliance burden

Why it happens: Governance designed around audit requirements, not business value

Solution: Frame every governance activity in terms of business risk reduction and operational improvement

Pitfall: Operations team bypasses governance

Why it happens: Governance process too slow or disconnected from operational reality

Solution: Create a fast-track process for time-critical decisions with retrospective review, so a bypass becomes a documented exception rather than an invisible one

Pitfall: Risk discussions become technical debates

Why it happens: Lack of common risk language between technical and business stakeholders

Solution: Use business impact scenarios, not raw technical vulnerability scores (a CVSS base score describes technical severity, not what the business stands to lose)

Pitfall: Decisions reversed outside governance process

Why it happens: Governance lacks authority or executive support

Solution: Document decision rights clearly and escalate violations to executive sponsors

What Good Governance Looks Like

In Meetings

  • Meaningful disagreement on proposals
  • Evidence-based risk discussions
  • Clear decisions with documented rationale
  • Action items with accountability and deadlines
  • Time spent on decisions, not status updates

In Outcomes

  • Resource allocation aligned with risk priorities
  • Risk exposure trending downward over time
  • Incidents can be traced back to the governance decisions (accepted risks, deferred mitigations) that shaped the exposure
  • Stakeholder satisfaction with governance value
  • Business recognition of governance contribution

In Culture

  • Teams seek governance input proactively
  • Decisions referenced in operational planning
  • Governance frameworks used in daily work
  • Learning from governance failures celebrated
  • Continuous improvement of governance process

The Real Test

Ask yourself:

  1. Would our business be materially worse off without security governance?
  2. Can we demonstrate governance value to skeptical executives?
  3. Do operational teams value governance input?
  4. Would external auditors recognize our governance as effective?

If you answered “no” to any of these, you’re running governance theater.

Bottom Line

Effective governance is about making hard decisions with imperfect information, learning from outcomes, and continuously improving the process.

If your governance meetings are comfortable, if everyone agrees, if nothing ever gets rejected—you’re not doing governance. You’re doing theater.

Real governance is uncomfortable, contested, and valuable. Everything else is just going through the motions.


What Does Your Governance Actually Decide?

Take an honest look at your last three governance meetings. What decisions were made that actually changed resource allocation, risk posture, or operational priorities?

If you can’t point to specific, measurable impacts, it’s time to transform your governance from theater to reality.


Part of the series: “From Paper ISMS to Working Security”

Originally published: LinkedIn

Connect: Follow for more insights on security governance and risk management on LinkedIn, Mastodon and Bluesky