Gartner Research

Security Governance for the Enterprise

Published: 31 March 2005

ID: G00203124

Analyst(s): Fred Cohen


There are many approaches to building an effective enterprise-level information protection program, but only a few are in widespread use today. For enterprises whose programs are not yet mature in this area, and for the newly appointed chief information security officer (CISO), this guide to building and running an effective security governance program is key to success.

Table Of Contents
  • What Is the Goal of Governance?
  • Organizational Structures
  • Rules and Rule Sources
  • Power and Influence
  • Groups in the IPG Process
  • The CISO Position
  • Funding and Accounting
  • Enforcement
  • The Enterprise Security Control System
    • Metrics
  • Recommendations

The Details

  • What Are the Aspects of Governance?
    • Structures
    • What Are the Rules?
    • Power and Influence
    • Funding
    • Enforcement Mechanisms
    • Appeals Processes and Disputes
    • The Overall Control System
  • Basic Structures and Fitting Security In
    • Enterprise Structures and How They Fit In
    • The Theory of Organizational Groups
    • What Groups Are Needed
  • Who Is in Charge and Whom Do They Work For?
    • Comparing the CISO to the CFO
    • The CISO's Team
    • The Structure of the Groups
    • Meetings and Groups the CISO Chairs or Operates
    • Should the CISO Work for the CIO or Others?
    • Should the CISO, CPO, CSO, or Others Be Combined?
  • Budgets and Situations
  • Enforcement and Appeals Processes
    • Top Management Buy-In and Support
    • Power and Influence
    • Other Issues
  • The Control System
    • Metrics
  • How Long Will It Take?

©2020 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. and its affiliates. This publication may not be reproduced or distributed in any form without Gartner’s prior written permission. It consists of the opinions of Gartner’s research organization, which should not be construed as statements of fact. While the information contained in this publication has been obtained from sources believed to be reliable, Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Although Gartner research may address legal and financial issues, Gartner does not provide legal or investment advice and its research should not be construed or used as such. Your access and use of this publication are governed by Gartner’s Usage Policy. Gartner prides itself on its reputation for independence and objectivity. Its research is produced independently by its research organization without input or influence from any third party. For further information, see Guiding Principles on Independence and Objectivity.
