We all know the NIST Cybersecurity Framework (CSF) is adding a new 'Function' for cybersecurity called 'Govern'. The framework illustrates the characteristics of Cyber Risk Management (CRM) versus governance (CRG) for various Tiers of maturity. It, however, skips defining or differentiating between Cyber Risk Management and Governance, so the document is harder to parse.
The document rightly places 'Governance' as the first function, which should ideally precede adoption. However, the reality (as in the case of AI) is often the reverse: first adoption, and then governance frameworks.
The key questions that arise are:
- Does Governance incorporate Management, or the other way around? What are the boundaries?
- How can we make Governance an enabler for business rather than have it carry a negative connotation?
- Can governance precede adoption in a dynamic world? Governance currently seems more process-based.
The industry uses the terms Cyber Security Governance and Management interchangeably, and sometimes differently depending on context. I could not find a document that properly defines the differences, so I attempted to define them myself, while looking at how the industry already uses the terms in the contexts below:
- Management vs
- Identity Management vs Identity Governance