To manage cybersecurity risks, a clear understanding of the organization’s business drivers and security considerations specific to its use of technology is required.

​

• Governance: Ensuring that organizational activities, like managing IT operations, are aligned in a way that supports the organization's business goals.

• ​

• Risk: Making sure that any risk (or opportunity) associated with organizational activities is identified and addressed in a way that supports the organization's business goals. In the IT context, this means having a comprehensive IT risk management process that rolls into an organization's enterprise risk management function.

• ​

• Compliance: Making sure that organizational activities are operated in a way that meets the laws and regulations impacting those systems. In the IT context, this means making sure that IT systems, and the data contained in those systems, are used and secured properly.