In an era where digital transformation is accelerating across industries, the importance of robust IT governance has never been more critical. As organisations become increasingly reliant on technology, the risks associated with cyber threats, data breaches, and operational disruptions continue to rise. The National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) stands out as a globally recognised model that provides structured guidance for managing cybersecurity risks, making it an essential tool for organisations aiming to build resilience and trust in the digital age. For Philippine enterprises, embracing IT governance through NIST or other frameworks is not just a technical necessity—it is a strategic imperative.

Technology: The backbone of governance 

The NIST Cybersecurity Framework, recently updated to version 2.0, introduces significant enhancements that reflect the evolving threat landscape. Notably, the framework now includes “Govern” as a core function, emphasising the alignment of cybersecurity strategies with organisational goals (NIST Cybersecurity Framework: Key Changes to Know). This shift underscores the need for governance structures that integrate risk management, policy oversight, and supply chain accountability. NIST CSF 2.0 is designed to be scalable and sector-neutral, making it applicable to organisations of all sizes and industries (https://www.techrepublic.com/article/nist-cybersecurity-framework-the-smart-persons-guide/). 

It provides a common language for cybersecurity, enabling enterprises to standardise practices, assess risks, and implement controls effectively. The framework’s six core functions—Identify, Protect, Detect, Respond, Recover, and Govern—offer a holistic approach to cybersecurity, ensuring that technical measures are supported by strategic oversight. 

The urgency of adopting such frameworks is underscored by the alarming rise in cyber incidents. According to Check Point Research, global cyberattacks surged by 47% in the first quarter of 2025, with ransomware evolving into a full-fledged business model (Q1 2025 Global Cyber Attack Report from Check Point Software: An Almost 50% Surge in Cyber Threats Worldwide, with a Rise of 126% in Ransomware Attacks - Check Point Blog). This commoditisation of cybercrime has lowered the barrier to entry for attackers, making even small and mid-sized businesses vulnerable. In this context, frameworks like NIST are not optional—they are essential tools for resilience.

Process: Beyond technology alone 

While technology plays a critical role, it is not sufficient on its own. Cybersecurity must be treated as a business-wide undertaking that integrates processes, policies, and strategic planning. As Chirag Shah, Global Information Security Officer of Model N, Inc., aptly notes in Forbes, “Cybersecurity has become a pivotal business imperative, transcending mere technical challenges” (Cybersecurity Framework: How To Build and Optimize Programs | Gartner). Organisations that view cybersecurity solely as an IT issue risk overlooking its broader impact on reputation, compliance, and operational continuity. 

Effective IT governance requires well-documented policies that address all key aspects of business operations—from data protection and access control to incident response and vendor management. These policies must be reviewed at least annually or as needed, ensuring alignment with both organisational practices and industry standards such as NIST CSF. The integration of governance into cybersecurity strategy enables organisations to proactively manage risks, rather than reactively respond to incidents. 

Moreover, the process of policy development and review should be inclusive, involving cross-functional stakeholders to ensure that cybersecurity measures reflect the realities of each business unit. This collaborative approach fosters accountability and ensures that policies are not only technically sound but also operationally feasible.

People: The human element of security 

Technology and process are only as effective as the people who implement and follow them. A strong cybersecurity posture depends on a culture of awareness and vigilance across all levels of the organisation. Employees must be educated about organisational policies and trained to recognise and respond to potential threats. This alignment with governance frameworks like NIST ensures that individuals understand their roles in maintaining security. 

The rise in targeted attacks, such as phishing and social engineering, highlights the need for continuous education and engagement. Organisations must foster a culture where cybersecurity is everyone’s responsibility—not just the domain of IT professionals. Regular training, simulated exercises, and clear communication of policies are vital components of this effort. 

Furthermore, leadership must set the tone by prioritising cybersecurity in strategic discussions and resource allocation. When executives champion IT governance, it signals its importance to the entire organisation and encourages adherence to best practices.

Securing the future through governance 

In an era where cyber threats are not just probable but inevitable, IT governance anchored in frameworks like NIST is a cornerstone of organisational resilience. By integrating technology, process, and people into a unified strategy, enterprises can mitigate risks, protect assets, and ensure continuity.

For Philippine organisations, adopting NIST and similar frameworks is more than compliance—it is a commitment to excellence and security. As the digital landscape continues to evolve, those who invest in governance today will be better equipped to navigate tomorrow’s challenges. With structured frameworks, vigilant processes, and empowered people, businesses can transform cybersecurity from a reactive burden into a proactive enabler of growth and trust.

 

As published in The Manila Times, dated 15 October 2025