Three-Tiered Cyber Governance

Steering the Ship with Strategic, Operational, and Tactical Committees

The fast-paced evolution of cyber threats demands a robust and agile governance structure. Companies must adopt a holistic approach to cybersecurity that integrates strategic, operational, and tactical considerations. A three-tiered committee model offers a framework that can foster effective communication, decision-making, and execution of cyber operations.

Strategic Committee

At the apex of the structure is the Strategic Committee, typically comprising top executives such as the CEO, CISO, CTO, and legal counsel. This committee steers the cybersecurity ship, defining the organization's cyber risk appetite and setting long-term security goals. The role of the Strategic Committee is pivotal in aligning cybersecurity initiatives with the organization's overall business strategy and ensuring that these initiatives receive the necessary resources and top-level support.

Operational Committee

The Operational Committee sits in the middle of this governance hierarchy. It comprises department heads, IT managers, and cybersecurity team leaders. This committee is responsible for translating strategic goals into actionable plans. Their tasks include risk management, incident response planning, compliance monitoring, and staff training. By working closely with the Strategic Committee, they ensure that the day-to-day security operations align with the company's overarching cyber strategy.

Tactical Committee

The Tactical Committee is at the frontline of cybersecurity operations. Composed of IT specialists, network administrators, and other technical staff, this committee implements the security plans developed by the Operational Committee. Their responsibilities include monitoring network activity, patching vulnerabilities, responding to incidents, and providing feedback on the effectiveness of the current security measures.

These three committees do not operate in silos. They maintain open lines of communication to ensure a cohesive approach to cybersecurity. Regular meetings between the committees enable the continuous flow of information up and down the hierarchy, facilitating swift responses to emerging threats and changes in the business environment.



Use Case: Contoso Ltd.

Consider the example of Contoso Ltd., a multinational corporation with a significant digital footprint. Following a series of cyberattacks, Contoso Ltd. decided to revamp its cybersecurity governance structure.

At the strategic level, the company's board of directors established a Cybersecurity Strategic Committee consisting of the CEO, CISO, CTO, and General Counsel. This committee set a risk tolerance level and defined the company's cybersecurity goals for the next five years. They also allocated a significant portion of the company's budget for cybersecurity initiatives.

At the operational level, Contoso Ltd. created a Cybersecurity Operational Committee composed of IT managers, the HR head, and department leaders. This committee was tasked with developing a comprehensive cyber risk management plan, including staff training programs, incident response protocols, and compliance monitoring systems.

Finally, at the tactical level, a Cybersecurity Tactical Committee was formed, including network administrators, security analysts, and IT support staff. This team was responsible for the on-the-ground execution of the security plans, including network monitoring, vulnerability patching, and incident response.

In addition to its implementation responsibilities, the Cybersecurity Tactical Committee was crucial in generating valuable metrics and data insights from its on-the-ground operations. Due to Contoso Ltd.'s global presence and varied business units, multiple tactical committees were maintained. Each produced specific metrics reflective of its operational environment and unique challenges.

These metrics flowed upwards to the Operational Committee, providing invaluable input to assess the effectiveness of existing strategies and initiatives. Furthermore, these insights reached the Strategic Committee, helping it understand the practical implications of its policies and the realities of the cybersecurity frontlines.

Contoso Ltd.'s three-tiered committee model, coupled with the effective flow of metrics, facilitated better communication, quicker decision-making, and more effective execution of cybersecurity measures. By ensuring that strategic, operational, and tactical considerations were all integrated into their cybersecurity approach, Contoso Ltd. was able to significantly improve its resilience to cyber threats.


In conclusion, a well-defined, three-tiered committee structure, combined with the effective flow of metrics, can significantly enhance an organization's cybersecurity posture. It ensures that decisions at every level are data-driven and based on real-world insights, fostering a proactive and robust cybersecurity environment.

The governance module is not a one-size-fits-all solution. It involves a comprehensive process that aims to thoroughly grasp the specific requirements, expectations, available resources, and operational feasibility of implementing such a model. Should you have any inquiries or wish to embark on a journey towards a more effective governance module, please do not hesitate to contact me or leave a message.
Rotem Bar Podcasts