In a hybrid governance structure, authority, responsibility, and decision-making power are distributed between the parent and the subordinate organizations. The central body establishes the policies, standards, guidelines, procedures, and processes for ensuring enterprise-wide involvement in the portion of the risk management and cybersecurity strategies and decisions affecting the entire organization (e.g., decisions related to shared infrastructure or common security services). Subordinate organizations, in a similar manner, establish appropriate policies, standards, guidelines, procedures, and processes for ensuring their involvement in the portion of risk management and cybersecurity strategies and decisions that are specific to their mission and business process needs and operational environments.
A hybrid approach to governance requires strong, well-informed leadership for the organization as a whole and for subordinate organizations, and provides consistency throughout the organization for those aspects of risk and cybersecurity that affect the entire organization.
- Electricity Subsector Cybersecurity Risk Management Process, App. D, at 69.