Trial lock

This Research is for Members Only

Not a member? Unlock a free sample of our research now!

Already a member?

Sign in now

Security icon

Build a Security Governance and Management Plan

Establish the missing bridge between security and the business to support tomorrow’s enterprise with minimal resources.

Unlock a Free Sample

View Storyboard

Solution Set Storyboard Thumbnail

Your Challenge

  • As a CISO, you are worried you’re going to lose your budget because management doesn’t seem to buy into spending on security.
  • The CEO thinks the security team is disposable because they don’t support business objectives.
  • Even while trying to anticipate and mitigate risk, the organization is constantly in firefighter mode trying to fight attacks and breaches. There is constantly a need for more resources.
  • The security team is not even sure exactly which compliance requirements apply to the organization and if they're meeting them. Each audit is a scramble.
  • It is not known how the security team is performing.
  • There is not enough direction from management to ensure business goals are supported because management doesn’t seem to be interested in the report on security.

Our Advice

Critical Insight

  • Most organizations perceive security governance and management to be a large, time-consuming, and expensive endeavor.
  • A customized program will provide results with a relatively low investment.

Impact and Result

  • Achieve executive engagement in information security governance and management through the completed business case.
  • Recognize and prioritize your current security governance and management challenges.
  • Develop a security governance and management framework suitable for your needs at a minimal cost.
  • Implement your security governance and management framework using our tips and the tools and templates provided.

Research & Tools

Start here – read the Executive Brief

Read our concise Executive Brief to find out why you should build a security governance and management plan, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

2. Perform a gap analysis

Assess the current state and then determine the organizational target state.

3. Develop gap initiatives

Generate initiatives to reach the organizational target state.

Guided Implementations

This guided implementation is an eight call advisory process.

Guided Implementation #1 - Assess security requirements

Call #1 - Understand the value and challenges of security governance and management to create your business case.
Call #2 - Define your risk tolerance and determine your security pressure posture.

Guided Implementation #2 - Perform a gap analysis

Call #1 - Perform a current state assessment of your capabilities and maturity levels.
Call #2 - Establish the governance and management target state.

Guided Implementation #3 - Develop gap initiatives

Call #1 - Identify where there are existing gaps and where initiatives should be built.
Call #2 - Prioritize the gaps based on resources and efforts to create an implementation timeline.

Guided Implementation #4 - Implement gap initiatives

Call #1 - Review and finalize the governance and management roadmap and action plan.
Call #2 - Build out your governance and management deliverables.

Info-Tech Academy

Get Info-Tech Certified

Train your staff and develop a world-class IT team.

An active membership is required to access Info-Tech Academy

New to Info-Tech Academy? Learn more here

Security Management Course

Establish the missing bridge between security and the business to support tomorrow's enterprise with minimal resources.
This course makes up part of the Security & Risk Certificate.

Course information:

  • Title: Security Management Course
  • Number of Course Modules: 4
  • Estimated Time to Complete: 2-2.5 hours
  • Featured Analysts:
  • James McCloskey, Sr. Research Director, Security Practice
  • Gord Harrison, SVP of Research and Advisory
  • Now Playing: Academy: Security Management | Executive Brief

Onsite Workshop

Discuss This Workshop

Book Your Workshop

Onsite workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost onsite delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

Module 1: Assess Security Requirements

The Purpose

  • Demonstrate the value of implementing or improving security governance and management for the business.
  • Define the risk tolerance of the organization.
  • Objectively assess security pressure posture based on our list of comprehensive criteria.
  • Provide a security posture description that business stakeholders can easily digest. 

Key Benefits Achieved

  • Understand the value of information security governance.
  • Gain a better understanding of the organization’s risk tolerance and security pressure posture. 




Define goals/objectives for the workshop.


Demonstrate the value and challenges of security governance and management.

  • Identified security target state.

Define the risk tolerance.

  • Defined risk tolerance.

Define the security pressure posture.

  • Defined security pressure posture.

Module 2: Perform a Gap Analysis

The Purpose

  • Define the current security capabilities and maturity of the governance and management.
  • Develop a security target state based on the organization’s security risk profile and conduct a gap analysis. 

Key Benefits Achieved

  • Visualize the organization’s current security capabilities and maturity level.
  • Build the foundation for determining your security target state by understanding the organization’s security needs and scope. 




Assess current security capabilities and performance.

  • Determined current security maturity levels.

Define security target state.

  • Identified security target state.

Module 3: Develop Gap Initiatives

The Purpose

  • Develop gap initiatives to reach your security governance and management target state.
  • Assess the organization’s readiness to implement the gap initiatives and scale the initiatives to develop a feasible implementation plan. 

Key Benefits Achieved

  • Identified gap initiatives to augment the security program.
  • Understanding of the resources needed to implement all the initiatives. 




Identify security gaps.

  • Future state - current state gap analysis.

Build initiatives to bridge the gap.

  • Initiatives to address the gap.

Estimate the resources needed.

  • Estimated effort needed.

Prioritized gap initiatives.

  • Budget & resource readiness analysis.

Determine start time and accountability.

Module 4: Implement Gap Initiatives

The Purpose

  • Finalization and approval of the final roadmap and action plan.
  • Development of various governance and management deliverables to lay the foundation in place.
  • Development of effective metrics in order to measure the program. 

Key Benefits Achieved

  • Implementation timeline for the future.
  • Governance and management deliverables to act as a starting point.
  • Security metrics to implement. 




Finalize roadmap and action plan.

  • Finalized roadmap and action plan.

Build out governance and management deliverables.

  • Finalized governance and management deliverables, such as a charter, organizational structure, and HR security policy.

Develop security metrics.

  • Effective security metrics.

Search Code: 74084
Published: February 3, 2014
Last Revised: September 21, 2015