Last updated: April 29, 2026
The Bengaluru BFSI CISO who took over in March 2024 inherited a security programme with no documented charter, a board that hadn’t reviewed cyber posture in 18 months, and three competing committees making conflicting decisions. Within 12 months she had built a governance structure that survived an RBI inspection without findings on governance. This module walks through how she did it — the theory, the structure, and the practical artefacts.
What governance actually is
Security governance is the system that decides who decides — what gets done, who is accountable, what budget, what tolerance for risk, what reporting cadence. Without it, security becomes whatever the most-recent loud voice demands. With it, security is a deliberate programme aligned to business risk.
The four governance components every Indian regulated entity needs:
- Charter — written, board-approved statement of intent
- Roles & reporting lines — who reports to whom, with what independence
- Committees — Information Security Committee (operational), board-level oversight
- Cadence — quarterly reviews, annual strategy refresh, monthly metrics