- Fragmented governance increases risk and weakens response coordination.
- Agencies lack unified oversight across federal, state/provincial, and municipal levels.
- Paper governance plans often fail during real-world incidents.
- Cyber threats escalate rapidly due to visibility gaps and stretched resources.
Our Advice
Critical Insight
- Cyber resilience is a collective effort. Shared accountability is critical.
- Disconnected efforts increase vulnerability across interdependent public systems.
- A unified governance model closes visibility gaps and builds public trust.
Impact and Result
- Defined shared responsibilities across jurisdictions and security teams.
- Established multi-agency governance structures and oversight committees.
- Enabled shared dashboards and common KPIs to track progress and respond to threats.
Implement Whole-of-Government Information Security Governance
Rethinking how governments provide cybersecurity services at all levels, moving toward a whole-of-government integrated model.
EXECUTIVE BRIEF
Analyst Perspective
Information security is a collective responsibility, but, without alignment, even the best efforts fall short.
It is easy to think of information security as a technical problem, but, at its core, it is a people and coordination problem. Across governments, every agency is doing its part to protect systems and data. Without shared governance, however, these efforts risk becoming fragmented.
The reality is that threats move faster than individual departments can respond. Cyber risks do not stop at jurisdictional lines, but, too often, accountability does. Without clear roles, common goals, and open communication, agencies operate in silos, leading to blind spots and missed opportunities to strengthen defenses together.
There needs to be a transition away from thinking of information security as something “owned” by one team or one level of government. Instead, it should be seen as a shared public trust. When agencies align their policies, map out clear responsibilities, and monitor risks as a collective, they are not only protecting systems but also building public confidence in their ability to keep services running, even under pressure.
Moving toward a whole-of-government model is not just a nice-to-have. It is essential. It helps close the gaps, eliminate duplicated efforts, and make the most of limited resources. Most importantly, it creates a united front that is better prepared for the evolving threat landscape.
Vidhi Trivedi
Research Analyst, Government Industry
Info-Tech Research Group
Executive Summary
Your Challenge
Increased risk caused by fragmented information security governance: Disconnected policies and siloed accountability expose shared systems to advanced cyberthreats across federal, state/provincial, and municipal levels.
Protection of interconnected services and public trust: Without unified oversight, agencies struggle to secure sensitive data, respond effectively to incidents, and maintain public confidence.
Creation of coordinated cyber resilience: A unified governance model is essential to reduce duplication, close risk gaps, and strengthen defense across all government levels.
Common Obstacles
Siloed decision-making and limited visibility: Agencies operate under different mandates, with smaller agencies lacking visibility into shared risks.
Fragmented funding and investments: Disjointed funding models limit shared information security initiatives and economies of scale.
No shared frameworks for governance: Without joint committees, common policies, and shared metrics, agencies struggle to coordinate their responses and build consistent maturity.
Info-Tech’s Approach
Establish a whole-of-government information security governance model through three key steps:
- Define shared accountabilities. Clarify roles and responsibilities across jurisdictions for unified risk management and response.
- Build collaborative structures. Create multi-agency committees, harmonize policies, and oversee shared data and systems.
- Enable shared visibility and improvement. Use joint dashboards and common metrics to track maturity and respond to evolving threats.
Info-Tech Insight
Cyber resilience is a collective effort. The strength of government information security lies not in isolated excellence, but in shared accountability and coordinated action. A whole-of-government approach transforms fragmented efforts into a unified defense – closing gaps, maximizing resources, and building trust in public services.
Terminology Note: The term information security is used as the overarching term, encompassing the protection of both physical and digital information assets. The term cybersecurity, focused specifically on digital systems and networks, is considered a subset of information security. However, the terms are used interchangeably throughout this document, reflecting common practice in government and industry when discussing digital security capabilities.
Your Challenge
Governments face rising cyberthreats, but fragmented plans leave them exposed.
- Governments are fragmented in their response to rising cyberthreats. Cyberthreats are growing more sophisticated, but agencies remain siloed. Without unified oversight, agencies struggle to defend shared systems, increasing vulnerabilities across the public sector ecosystem.
- Paper plans fall short in real-world attacks. Many agencies have governance models and response plans on paper, but the plans often fail in practice. Gaps in coordination and decision-making lead to delayed responses, confusion, and operational losses during actual incidents.
- Cyberattacks trigger cascading damage. A breach in one agency can rapidly escalate, causing network outages, data theft, service disruptions, reputational harm, and legal consequences across interconnected government systems.
- Resources and visibility are limited. Time, funding, and skilled resources are stretched thin. Smaller agencies have limited knowledge of shared risks, and disjointed investments make it difficult to scale cybersecurity capabilities consistently.
Common Obstacles
Fragmented governance leaves governments unaware of shared risks and too slow to stop escalating attacks.
- Siloed decision-making delays action. Without shared frameworks and clear cross-jurisdiction roles, agencies struggle to coordinate response efforts, allowing threats to escalate unchecked.
- Disjointed funding limits shared resilience. Separate budgets and fragmented investments prevent agencies from co-investing in critical cybersecurity infrastructure, leaving gaps in protection.
- Lack of shared visibility leads to cascading risk. Because agencies often lack insight into interdependent systems, a breach in one system can trigger widespread outages, data loss, and reputational harm across others.
A Balancing Act
"Finding the balance between leveraging this new technology and using it securely is a challenge for agencies. You want to boost innovation and efficiency, but you also need to stay compliant. Other concerns, such as privacy, ethics, and data quality, add to this balancing act." (Source: Pluralsight, 2023.)
Disruption to IT and Agency Operations
“In the federal government, security challenges are exacerbated because of scale, organizational silos, technical debt and procedural red tape. That means it can take them some time to address vulnerabilities. Also, they have a wide attack surface that makes it harder to defend against attacks.” (Source: Sebastian Szykier, qtd. in FedTech, 2023.)
Info-Tech’s Approach
Build a unified cybersecurity governance model across all levels of government.
- Clarify shared responsibilities. Define clear roles and accountability across federal, state/provincial, and municipal levels to enable faster, more coordinated risk management and incident response.
- Establish collaborative oversight. Create cross-agency steering committees and harmonized policy frameworks to align investments, manage shared risks, and close visibility gaps.
- Measure and improve collective resilience. Use shared dashboards, common metrics, and joint reporting to track progress, ensure accountability, and strengthen cybersecurity maturity over time.
Establish effective whole-of-government cybersecurity governance and management
The key is in stakeholder interactions, not policy and process.
Member Problem: Members face fragmented cybersecurity efforts, with siloed policies and funding limiting coordinated risk management. Without unified governance, members struggle to close gaps and protect public trust.
Effective whole-of-government cybersecurity governance depends on clear accountability and coordination across agencies. When roles, risks, and responsibilities are aligned, governments can strengthen shared defenses. Without this alignment, siloed efforts and fragmented decisions undermine cybersecurity resilience and erode public trust.
Why cybersecurity governance is critical
Cybersecurity governance provides the strategic foundation for protecting public sector digital infrastructure. It clarifies who is responsible, establishes decision-making authority, and aligns risk tolerances and policies across agencies. In the absence of governance, cybersecurity efforts remain siloed and uncoordinated, leaving gaps that threaten public trust and system integrity.
Governance does not implement controls – it empowers agencies to move in the same direction by defining roles, structures, and shared goals.
Whole-of-government cybersecurity governance
Phases
- Establish: Lay the groundwork for coordinated cybersecurity by defining interagency responsibilities, governance structures, and decision-making authority.
- Align: Unify diverse agency policies, risk tolerances, and strategic goals into a shared cybersecurity governance and management model.
- Secure: Use shared metrics and key performance indicators (KPIs) to oversee interagency cyber posture and continuously strengthen shared systems and infrastructure.
- Implement: Establish joint oversight bodies, define cross-government policy workflows, and support risk-based and exception-based decision-making.
Why cybersecurity management is critical
Governance sets the direction, but management brings it to life. Cybersecurity management focuses on the execution of strategies, the delivery of secure services, and the measurement of cyber performance. It ensures that policies turn into processes and that systems remain resilient under evolving threats.
Without strong management, even the best governance will fail to create real-world impact. Management ensures that cross-government security operations are aligned, agile, and continuously improving.
Whole-of-government cybersecurity management
- Align, Plan, and Organize: Plan and execute cybersecurity strategies across organizational units.
- Build, Acquire, and Implement: Operationalize governance by embedding security into shared IT and service delivery.
- Deliver, Service, and Support: Provide secure services, enable agency functions, and ensure cross-jurisdictional IT performance.
- Monitor, Evaluate, and Assess: Track maturity, effectiveness, and alignment with governance using KPIs and shared dashboards.
How governance and management are related and why this matters
In a whole-of-government cybersecurity model, governance and management are two sides of the same coin. Governance provides the strategic oversight – it defines who is responsible, what policies must be aligned, and how risks are shared across agencies. Management, in turn, defines how those strategic decisions are put into action through secure service delivery, monitoring, and operational execution.
When these functions are aligned,
- Governance sets the “what” and “why” for policies, structures, and responsibilities.
- Management delivers the “how” and “when” for day-to-day services, system oversight, and improvements.
In fragmented governments, cybersecurity often falters due to siloed operations. A whole-of-government approach depends on this tight coordination between direction and execution. Governance without management is theory. Management without governance is chaos. Together, they ensure that cybersecurity is not just compliant, but also cohesive, adaptive, and resilient across all levels of government.
Info-Tech’s Methodology for Security Governance and Management
1. Establish Shared Governance Foundations
2. Align Policy, Risk, and Strategic Direction
3. Secure Shared Systems and Infrastructure
4. Implement Essential Governance Processes