Governance Is Navigation: Without It You’re Not in Control

In calm seas, a ship may drift and still seem to progress. But when storms come, when market winds shift, regulations tighten, technology evolves overnight, or attackers exploit unseen weaknesses, the illusion of motion disappears. What you need isn’t just speed. You need navigation.

In the modern enterprise, Corporate Governance may hold the helm, but Cyber Risk Governance is the dashboard, or more precisely, the Integrated Bridge System (IBS) for the ship. It’s the full suite of controls, diagnostics, performance readouts, and shared telemetry that tells leadership what direction they’re headed, how fast they’re going, what risks are emerging, how exposed they are, and whether the vessel is battle-ready.

If Cyber Risk Governance is the Integrated Bridge System (IBS), then failing to govern is like turning off your instruments mid-storm, and hoping the crew will figure it out along the way. When governance is absent or shallow, the impact is rarely immediate. That’s the danger. The enterprise continues moving, projects are launched, systems run, costs accumulate, but the risk accumulates invisibly until it breaks the surface.

Here’s what that looks like in practice:

  • Digital initiatives fail quietly, with no link between investment and outcome. Teams deliver tech, but no one can prove whether it advanced the business.
  • Cybersecurity is reactive. Threats are not seen until they explode. The board finds out after the headlines do.
  • Compliance becomes fire drills. Audits reveal control gaps no one knew existed. Remediation becomes the primary strategy.
  • The board gets surprised. Not because the risk wasn’t real, but because it wasn’t visible.

And in a downturn, when costs must be cut and scrutiny rises, the absence of governance becomes fatal:

  • Technology is viewed as overhead, not strategy, because there’s no evidence it delivers value.
  • Security and risk teams are seen as blockers, not enablers, because their insights were never translated into action.
  • Budgets get slashed blindly, with no understanding of which systems are critical and which are waste.

You can’t manage what you don’t see, and you can’t see it if you don’t measure.

In the absence of governance, trust in IT erodes. Not because the team isn’t working hard. It erodes because no one outside of IT can see what’s working, what’s risky, or what’s worth saving.

And when trust breaks down, funding follows.

This paper focuses on Cyber Risk Governance as the discipline that enables organizations to make decisions they can defend, explain, and trust. It uses the Duty of Care Risk Analysis (DoCRA) standard to ground those decisions in business terms, evaluating harm, proportionality, and fairness across internal and external stakeholders. DoCRA acts as a universal translator, converting technical cyber risks into business impacts: harm to the mission, to company objectives, and to the obligations the organization owes to others who could be harmed.

Figure 1 – Source: NIST.SP.800-37r2 RMF

DoCRA defines reasonable safeguards (controls) as those that:

  1. “Protect the interests of all parties who may be harmed”
  2. “Reduce risk to levels that don’t require further remedy”
  3. “Avoid creating safeguards more burdensome than the risks they mitigate”

 

When executed well, cyber risk governance built on DoCRA[1] principles ensures that decisions about risk are not only informed, but that they are legally justifiable, socially accountable, and strategically aligned.

Cyber risk governance is the connective tissue between technology and enterprise risk management. It’s how we ensure that digital decisions align with the organization’s risk appetite, regulatory obligations, strategic goals, and financial accountability.

Cyber risk governance provides the insights and mechanisms needed to align strategy, manage risk, optimize resources, and prove performance. It is not a burden. It is the instrument cluster of executive control, it is how you demonstrate cyber-resilience, and it is the last thing that should be cut when times are tight. It is how you make informed decisions under pressure and have the evidence to prove it.

 

What Cyber Risk Governance Really Means, and Why It’s Missing

Ask a board member if the organization is secure, and someone will say “yes, we have a dashboard, policies, and a CISO. We even know how we compare to our peers and are catching up!” But that is not governance. That is instrumentation without understanding.

To illustrate the point, if you ask that same board member if the organization uses sound accounting practices, their response will be much more informed. You’d likely hear something like, “Our accounting staff, including our controller and CFO, all use GAAP. Our accounting systems and budgeting system all enforce GAAP rules. We have that validated by periodic internal audits as well as quarterly audits by our auditing firm, who are all using COSO frameworks. We detect variances in our reporting when they are over 1% and we take appropriate action at the source of the variance (whether it’s an IT control issue, a management error, or carelessness). In the past, those actions have included replacing staff and leadership, bringing the systems vendors to task, or, even once, changing our auditor, who didn’t detect the cause of the variance for the prior three quarters, despite their insisting that their audit sampling adhered to IIA guidelines, which we argued it did not.”

Similarly, board directors understand supply chain challenges and risks at manufacturing companies. They understand regulatory pressure on labeling and education at pharmaceuticals. And they can guess at the cause of increased inventory of luxury goods at retailers.

Mature cyber risk management is when the entire chain of command has the same degree of understanding of cyber risk as of any other business function. Only then can the business coordinate its cybersecurity goals and make informed decisions.

Real cyber risk governance is not about having controls. It’s about enabling clear and timely decisions about risk throughout the organization.  It ensures the right people see the right signals, understand their relevance to the business, and act accordingly.  Good governance connects cyber activity to business value. It turns security from a siloed function into a shared responsibility.

But, in most companies, here is what actually happens:

  • The CISO reports to the CIO, and risk is filtered through a delivery-first mindset.
  • Cybersecurity is treated as a technical issue, not a business enabler or continuity imperative.
  • Risk registers exist but are often disconnected from business impacts.
  • Boards receive lagging indicators, often after the damage is done.
  • The organization is stuck in a control-maturity mindset that is disconnected from business impacts.
  • Boards want to know what competitors are doing and think that is the standard of care (despite the fact that the competitors are being breached and fined).
  • Resource allocation is driven by fear and cyber news cycles, not strategy.

When governance is missing, risks are real but invisible. Controls may exist, but no one can explain why they were chosen, what they protect, or whether they are sufficient. Risk decisions get made in silos, often without clear ownership or coordination.

This is where DoCRA changes the conversation. It is the universal translator of technical risks into business impacts.  It provides a framework to evaluate which risks matter most, which controls are reasonable, and a definition of acceptable risk that all interested parties can understand. It shifts the focus from theoretical to defensible judgment.

DoCRA forces better questions:

  • As we operate our business, what harm could we cause, and to whom?
  • What is the magnitude of that harm?
  • Would our clients believe the risk is worth it?
  • What reasonable controls can be implemented to reduce risk to an acceptable level?
  • Are those controls less burdensome than the weighted impact of the risk we are treating?
  • Do we have evidence to show our decision making?

Cyber risk governance is not about eliminating risk. It is about demonstrating that risks were understood, evaluated, and addressed in a way that holds up to scrutiny.

Most organizations do not fail because they ignore security. They fail because no one ever framed security in terms the business could own. Without governance, there is activity, but no accountability. There is data, but no decision-making. There are reports, but no story.

When cyber risk governance is absent, no one is truly steering.

 

Good Governance

Good governance doesn’t mean you’ll never be hit by a cyberattack, or that every project will land on time. But it does mean you’ll know when something’s going wrong, and you’ll have the authority, clarity, and shared understanding to respond effectively.

The point of Cyber Risk Governance isn’t to prevent risk. It’s to see it coming, understand its impact, and act with speed and purpose, before it steers the enterprise somewhere you didn’t intend it to go. The goal is not to predict the future. The goal is to shape it with the right data, the right questions, and the right people at the helm, informed by real-time key metrics and threat intelligence.

 

“Are we secure?”

It’s the classic CFO question. Not because it’s wrong, but because it reveals the gap. The real question is:

“Are we investing in resilience, or just spending on complexity?”

The CFO sees IT as a cost center with unclear value, and a risk vector with unclear ownership. Without governance, they’re left relying on gut checks and PowerPoint.

Cyber Risk Governance gives finance leaders what they need:

  • Visibility into where the money is going
  • Assurance that controls are working
  • Confidence that risks are monitored and aligned to appetite
  • Proof that cybersecurity isn’t just overhead, it’s business protection

If finance can’t see it, they can’t support it. And if they can’t support it, it won’t get funded when it matters most.

 

Make It Work: Governance That Delivers Business Results

Fixing cyber risk governance doesn’t start with a framework. It starts with the questions.

  • What are we spending?
  • What are we getting for it?
  • What’s at risk?
  • Who’s accountable?
  • Are we “secure”?
  • Are we aligned?

These aren’t technology questions. They’re business questions. And when an organization can’t answer them quickly and confidently, governance is broken.

Real Cyber Risk Governance starts by standardizing the questions.
Then it builds the instrumentation to answer them, consistently, transparently, and in time to act.

Governance isn’t about slowing down, or “catching someone at something”. Audit findings are a signal, not the goal. It’s about steering smarter. It connects IT activity to business outcomes, and it creates a common language for visibility, risk, and accountability.

 

“Reasonable” Isn’t a Guess: How Courts Define It

When regulators, attorneys, and courts talk about “reasonable cybersecurity controls,” they are applying legal standards grounded in cost-benefit analysis, balancing tests, and foreseeability of harm. The Duty of Care Risk Analysis (DoCRA) standard aligns directly with these expectations by defining reasonable safeguards as those that:

  1. Protect the interests of all parties who may be harmed.
  2. Reduce risk to levels that don’t require further remedy.
  3. Avoid creating safeguards more burdensome than the risks they mitigate.

In practice, this means reasonable controls are those that are legally defensible, operationally proportional, and socially fair. They balance the organization’s mission, obligations, and risks without imposing excessive burdens. This is the balancing test attorneys and judges apply when evaluating cybersecurity failures, and the standard boards will be measured against in litigation and enforcement.

By embedding DoCRA principles into Cyber Risk Governance, organizations translate legal and regulatory expectations into operational practice, equipping leadership with decisions they can defend in both the boardroom and the courtroom.
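To make the three tests concrete, here is an added example (not code from the DoCRA Council, CIS RAM, or this paper) that scores one risk and four candidate safeguards the way a DoCRA/CIS RAM-style analysis does: the worst impact across the mission, objectives and obligations criteria, multiplied by likelihood, compared against an acceptance threshold. Principle 1 is made visible by scoring each safeguard twice, once on internal harm only and once on all parties, so a safeguard that only protects the organization is flagged. The 1-5 scales, the threshold of 6, the VPN scenario and every score below are assumptions chosen for illustration, not figures from the standard.

```python
"""DoCRA-style reasonableness test for candidate safeguards.

Added example for this article; it is not code from the DoCRA Council,
CIS RAM or the article's author. The 1-5 scales, the sample scores and
the acceptance threshold are assumptions chosen for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# DoCRA impact criteria: harm to the organization's mission and objectives,
# and harm to other parties the organization has obligations to.
CRITERIA: Tuple[str, ...] = ("mission", "objectives", "obligations")
INTERNAL: Tuple[str, ...] = ("mission", "objectives")

# Assumption: risk = worst impact (1-5) x likelihood (1-5); the organization
# accepts risks scoring at or below impact 3 x likelihood 2.
ACCEPTABLE_RISK = 6


def risk_score(impact: Dict[str, int], likelihood: int,
               criteria: Tuple[str, ...] = CRITERIA) -> int:
    """Worst impact across the given criteria, times likelihood."""
    return max(impact[c] for c in criteria) * likelihood


@dataclass
class Safeguard:
    name: str
    residual_impact: Dict[str, int]   # harm if the safeguard is in place and the threat still lands
    residual_likelihood: int
    burden_impact: Dict[str, int]     # harm the safeguard itself causes: cost, friction, outage
    burden_likelihood: int


def evaluate(inherent_impact: Dict[str, int], inherent_likelihood: int,
             sg: Safeguard, threshold: int = ACCEPTABLE_RISK) -> dict:
    """Apply the three DoCRA tests to one safeguard and explain any failure."""
    inherent = risk_score(inherent_impact, inherent_likelihood)
    residual = risk_score(sg.residual_impact, sg.residual_likelihood)
    internal = risk_score(sg.residual_impact, sg.residual_likelihood, INTERNAL)
    burden = risk_score(sg.burden_impact, sg.burden_likelihood)
    reasons: List[str] = []
    # 1. Protect the interests of all parties: a safeguard that looks fine when
    #    only internal harm is scored, but not once harm to others is included.
    if internal <= threshold < residual:
        reasons.append(f"acceptable for the organization ({internal}) but not "
                       f"for the parties it has obligations to ({residual})")
    # 2. Reduce risk to a level that needs no further remedy.
    if residual > threshold:
        reasons.append(f"residual risk {residual} exceeds acceptable risk {threshold}")
    # 3. Be no more burdensome than the risk being mitigated.
    if burden > threshold or burden > inherent:
        reasons.append(f"safeguard burden {burden} exceeds acceptable risk "
                       f"{threshold} or the inherent risk {inherent}")
    return {"safeguard": sg.name, "inherent": inherent, "residual": residual,
            "burden": burden, "reasonable": not reasons, "reasons": reasons}


def pick_reasonable(verdicts: List[dict]) -> Optional[dict]:
    """Least burdensome reasonable safeguard; ties go to the lower residual."""
    ok = [v for v in verdicts if v["reasonable"]]
    return min(ok, key=lambda v: (v["burden"], v["residual"])) if ok else None


# Constructed sample: an unpatched, internet-facing VPN appliance that holds
# customer credentials. Harm to those customers (obligations) is the worst
# criterion, which is exactly what an internal-only view would miss.
CASE_IMPACT = {"mission": 3, "objectives": 3, "obligations": 5}
CASE_LIKELIHOOD = 4

CANDIDATES = [
    Safeguard("Replace appliance with a vendor-managed service",
              {"mission": 2, "objectives": 2, "obligations": 2}, 1,
              {"mission": 4, "objectives": 5, "obligations": 1}, 4),
    Safeguard("14-day patch SLA plus MFA on the admin interface",
              {"mission": 3, "objectives": 3, "obligations": 5}, 1,
              {"mission": 2, "objectives": 2, "obligations": 1}, 3),
    Safeguard("Cyber insurance only",
              {"mission": 1, "objectives": 1, "obligations": 5}, 4,
              {"mission": 1, "objectives": 2, "obligations": 1}, 2),
    Safeguard("Disable all remote access",
              {"mission": 1, "objectives": 1, "obligations": 1}, 1,
              {"mission": 5, "objectives": 4, "obligations": 1}, 5),
]


def run_case() -> List[dict]:
    """Evaluate every candidate against the sample risk."""
    return [evaluate(CASE_IMPACT, CASE_LIKELIHOOD, sg) for sg in CANDIDATES]


if __name__ == "__main__":
    verdicts = run_case()
    for v in verdicts:
        status = "REASONABLE" if v["reasonable"] else "NOT reasonable"
        print(f"{v['safeguard']}: inherent {v['inherent']}, residual "
              f"{v['residual']}, burden {v['burden']} -> {status}")
        for r in v["reasons"]:
            print(f"    - {r}")
    chosen = pick_reasonable(verdicts)
    print("Recommend:", chosen["safeguard"] if chosen else "none; revisit candidates")
```

Run as a script, the output shows the rip-and-replace option and the remote-access ban failing on burden, insurance-only failing on both the all-parties test and residual risk, and the patch SLA plus MFA option being the one safeguard that passes all three tests. The `reasons` list is the evidence trail the paper asks for: it records why each alternative was rejected, which is what a board or a court will want to see.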

 

Here’s what practical, results-oriented cyber risk governance looks like in action:

  1. Visibility: Everyone Sees the Same Dashboard
  • The CEO, CIO, CISO, CFO, and CRO all get a shared view of IT value, risk, and performance.
  • Metrics are tied to business outcomes, not just system uptime.
  • Risk indicators and control status are integrated, not scattered across systems or spreadsheets.
  2. Accountability: The Right People Own the Right Things
  • The CISO reports independently of the CIO, to the CEO, or has direct board access when needed.
  • IT initiatives have clear business sponsors who are accountable for results.
  • Risk isn’t just logged. It’s owned, escalated, and addressed.
  • This is not limited to project risk.
  3. Alignment: Strategy, Risk, and Spend Stay in Harmony
  • Every new IT-enabled project or initiative is mapped to a strategic objective, a risk profile, and a budget justification.
  • Security, architecture, finance, and delivery are brought in at the start, not asked to fix things later.
  • Governance helps you prioritize, not just audit.
  4. Adaptation: Risk Posture Changes as the World Changes
  • Controls and thresholds are reviewed quarterly or continuously, not annually.
  • Threat intelligence, vulnerability remediations, audit findings, service disruptions, and other “Problems” in ITIL terms, flow into strategy and spend decisions.
  • Effort spent retiring technical debt that carries risk should be proportional to effort spent on lean-forward initiatives.
  • Governance enables business agility without sacrificing oversight.

You don’t need perfection. You need instrumentation.
You need a bridge crew that sees the same ocean and knows how to steer through it together.

 

Governance Is How You Lead in a Digital World

In a world where every business is a digital business, governance is no longer a technical detail, it’s a leadership responsibility.

You wouldn’t sail a ship without a bridge crew that can see the radar, monitor the engines, and adjust course as conditions change. Yet many organizations run their digital operations blindly, hoping that fragmented data, delayed reports, and siloed teams will somehow add up to control.

They won’t.

Cyber risk governance is the Integrated Bridge System (IBS) of the modern enterprise, and DoCRA is the universal translator of technical to business risk. Together, they connect strategy, risk, finance, technology, and compliance into a shared, actionable view of reality, and give leadership the tools to steer with confidence, even when the weather turns.

Governance isn’t a luxury. It’s not a regulatory checkbox.
It’s the foundation of digital resilience, trust, operational agility, and sustainable success.

When times get tough, the instinct is often to cut governance, to shrink data gathering, delay risk assessments, and reduce oversight. But that’s like turning off the navigation system when the storm hits. You don’t need governance less in hard times. You need better governance to protect your mission, prioritize resources, and lead through the uncertainty.

We can’t manage what we can’t see or understand.

Additional References

Duty of Care Risk Analysis standards body: DoCRA Council, www.docra.org

The Sedona Conference, Commentary on a Reasonable Security Test (February 2021)

Reasonable Risk SaaS (Duty of Care Risk Analysis automation): Reasonable Risk

Duty of Care Risk Analysis originators: Reasonable Security (cyber security services and risk management)

CIS RAM v2.1, the CIS Risk Assessment Method for CIS Controls v8, a risk method based on the Duty of Care Risk Analysis standard

 

Works Cited

AuditBoard. (2022). Enterprise Risk Management: Everything You Need to Know. Retrieved from AuditBoard: https://www.auditboard.com/blog/enterprise-risk-management/

National Institute of Standards and Technology. (2018, December). Risk Management Framework for. NIST SP 800-37 Rev. 2. Retrieved from NIST Computer Security Resource Center (CSRC): https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-37r2.pdf

The DoCRA Council. (2021, June). Duty of Care Risk Analysis Standard. Retrieved from DoCRA: http://www.docra.org/wp-content/uploads/2021/06/Duty-of-Care-Risk-Analysis-Standard-Draft-20200907.pdf

Cronin, C. (2020). “What lawyers mean by ‘reasonable’ cyber security controls,” Cyber Security: A Peer-Reviewed Journal, Henry Stewart Publications, vol. 3(4), pages 315-329, June. https://ideas.repec.org/a/aza/csj000/y2020v3i4p315-329.htm

[1] www.docra.org