Every cybersecurity governance program I have seen succeed started with the same question: what risk is this business willing to accept?

It sounds simple. In practice, answering it forces alignment across executive leadership, legal, operations, and IT in ways that no technology deployment ever will. Getting that answer and documenting it clearly is the foundation on which everything else is built.

This post sets out how I approach building an enterprise cybersecurity governance program from the ground up. It is based on experience managing large-scale programs in regulated environments across Germany and the DACH region, working within frameworks including NIS2, DORA, GDPR, and ISO 27001.

Why governance fails before it starts

The most common reason enterprise security governance programs fail is not a lack of tools, policies, or budget. It is treating cybersecurity as an IT project rather than an enterprise risk management function.

When security sits entirely within IT, the decisions that matter most are about risk appetite, control ownership, and acceptable exposure which get made at the wrong level by the wrong people. Business leaders remain detached from security outcomes. Risk accumulates quietly. And when something goes wrong, accountability is unclear.

NIST CSF 2.0 addresses this directly. The updated framework places Govern at the centre, not as a supporting function, but as the operating context for everything else. It covers organisational context, risk strategy, roles and responsibilities, policy, and oversight. That is not a coincidence. It reflects how mature programs work.

Three things to define before anything else

Before you build a governance structure, write a policy, or select a framework, three questions must have clear answers:

1.      Who owns risk decisions? Not who manages security tools, but who is accountable when a risk materialises. This requires business ownership, not just IT accountability.

2.     How do issues escalate? A governance program without a clear escalation path is a programme that will stall during its first serious incident. Define it before you need it.

3.     What does the board need to see? Executive reporting should enable decisions, not just report status. Define what information leaders need, at what frequency, and in what format then design governance to produce exactly that.

These three elements are decision authority, escalation structure, and reporting design which form the governance skeleton. Everything else connects to them.

The build sequence for a cybersecurity governance program that works

Once those foundations are in place, the build sequence for an enterprise governance program follows a logical order. Skipping steps or reversing the sequence is one of the fastest ways to create a program that looks structured on paper but does not function under pressure.

Step 1: Establish business context and regulatory obligations

Start by mapping the regulatory landscape relevant to the organisation. For most European enterprises in 2026, this means NIS2, DORA (for financial services), GDPR, and ISO 27001 as a baseline management system. Sector-specific obligations like healthcare, critical infrastructure, financial services layer on top.

The output is not a compliance checklist. It is a clear articulation of the regulatory risk environment the organisation operates in, and what obligations flow from that environment into the governance structure.

Step 2: Define risk appetite at executive level

Risk appetite is the most important governance document in your programme and the one most organisations either skip or produce in a form that is too vague to be useful.

A useful risk appetite statement defines specific thresholds: what level of disruption is acceptable, what data exposure the organisation is unwilling to tolerate, and how those thresholds translate into control requirements. It should be signed off at board or executive level and not produced by the security team and filed away.

Step 3: Assign control ownership across business functions

Security controls are only effective when someone outside the security team is accountable for implementing and maintaining them. Governance programs that assign ownership entirely to the CISO or security function create a single point of failure and a false sense of accountability.

Control ownership should be mapped to business functions ( finance, HR, operations, supply chain ) with security acting as the oversight and advisory layer. This is particularly important in regulated environments where NIS2 and DORA place explicit obligations on business leadership, not just IT.

Step 4: Build a small set of decision-enabling metrics

This is where most governance programs produce too much and communicate too little. The instinct to demonstrate value through volume like long dashboards, extensive metric sets, detailed technical reports results in reporting that looks comprehensive but fails to drive decisions.

Ask one question for every metric you propose: does this help a leader make a risk decision? If the answer is no, remove it. A governance dashboard with five meaningful metrics is more effective than a 40-slide deck that requires a technical interpreter.

Good metrics for executive governance typically include: critical control exceptions and remediation status, risk acceptance decisions outstanding, regulatory obligation status, incident trend data, and third-party risk posture.

Step 5: Set a review cadence for exceptions, incidents, and remediation

Governance without rhythm is not governance, it is documentation. A functioning programme requires a defined operating rhythm: regular review of open exceptions, escalation paths for unresolved issues, incident post-mortem processes, and formal remediation tracking.

In regulated environments, this cadence also has to satisfy audit and regulatory requirements. Building the review cycle around NIS2 or DORA obligations rather than treating them as separate activities reduces duplication and keeps governance evidence production manageable.

Which framework to use

The most common question I receive on governance program design is which framework to adopt. The honest answer is that the framework matters less than how it is applied.

That said, for most European enterprises I find NIST CSF 2.0 most useful as the operating model. It is comprehensive, risk-based, and the Govern function it now leads with maps well to how executive stakeholders think about security.

Where formalisation is required particularly when ISO 27001 certification is a customer or regulatory expectation. I layer ISO 27001 as the management system on top of the NIST CSF operating model. The two complement each other well: NIST provides the risk and operational structure, ISO 27001 provides the auditable management system evidence.

For German enterprises specifically, BSI IT-Grundschutz is also worth understanding. It is used widely in public sector and critical infrastructure contexts, and familiarity with it is increasingly expected by German enterprise security teams.

What good governance actually looks like

Governance is successful when leaders can make consistent, risk-based decisions under pressure without needing to convene an emergency working group or ask the security team to interpret the data.

In practice, this means:

•        Business leaders know what they own and what decisions they are authorised to make

•        Risk decisions are documented and traceable

•        Escalation paths are tested and understood

•        Reporting tells a coherent risk story, not a list of technical findings

•        Exceptions are managed, not ignored

When an incident occurs  and it will then a well-governed organisation responds coherently. Decisions get made. Communication happens. Recovery is managed. That outcome is the measure of whether governance works, not the thickness of the policy library.

Where to start

If you are starting from scratch, resist the temptation to begin with the policy library or the framework mapping exercise. Start with the conversation that is hardest to have: who in this organisation is accountable for cyber risk, and what level of risk have they agreed to accept?

Get that answer documented. Then build the governance structure around it.

Everything else the frameworks, the metrics, the review cadence will be far more effective once the accountability foundation is in place.