In cybersecurity, success isn’t measured solely by technical safeguards, it’s also about how well those controls reflect the expectations of the people who depend on your organization. Whether it’s customers expecting privacy, regulators demanding compliance, or employees relying on system reliability, these expectations form a key part of risk management.
GV.OC-02, a subcategory within the Organizational Context (GV.OC) category of NIST CSF 2.0, emphasizes this principle:
“Internal and external stakeholders are understood, and their needs and expectations regarding cybersecurity risk management are considered.”
This subcategory calls for intentional, ongoing engagement with stakeholders and ensures their voices are factored into cybersecurity policies, decisions, and metrics. It’s not just about knowing who your stakeholders are, it’s about integrating what they need into your cybersecurity program.
Why It Matters
Failing to understand and address stakeholder expectations can lead to:
Compliance failures, lawsuits, or fines
Loss of customer trust
Operational misalignment, where cybersecurity controls don’t support actual business goals
Missed opportunities to improve governance or resilience based on feedback
This subcategory is about building trust and alignment, ensuring that cybersecurity isn’t just technically sound, but socially and strategically relevant.
| Enterprise | Product Security | Information Security – Corporate | Information Technology |
|---|---|---|---|
| Have stakeholder cybersecurity needs (e.g., privacy, transparency) been formally documented? | Are customer security expectations documented (e.g., SLAs, certifications)? | Are compliance requirements from internal and external stakeholders reflected in security programs? | Do IT systems account for customer and partner expectations (e.g., uptime, data security)? |
| Are internal stakeholders (e.g., Board, HR, Legal) included in cybersecurity governance and risk decisions? | Do product teams gather feedback on security features or concerns? | Are stakeholder groups included in awareness campaigns and tabletop exercises? | Are system configurations and controls aligned with regulatory audit requirements? |
| Are there mechanisms in place to routinely update and review stakeholder expectations? | Is threat modeling driven by mission-critical risks?Is there a structured way to adapt product security based on market or customer shifts (e.g., new laws, demand trends)? | Are cybersecurity communications tailored to meet stakeholder expectations? | Are vendor risk and third-party requirements part of IT planning and controls? |
| Tier Level | Process Expectation | Description |
|---|---|---|
| Tier 1 – Initial | Policy does not exist or is not approved | Little to no understanding of stakeholder cybersecurity needs; risk decisions made in silos. |
| Tier 2 – Developing | Policy exists but hasn’t been reviewed in 2+ years | Stakeholders are acknowledged, but expectations are inconsistently captured or reflected in decisions. |
| Tier 3 – Established | Formally approved policy; <5% exceptions | Stakeholder needs are captured formally and incorporated into most security risk decisions. |
| Tier 4 – Advanced | Formally approved; <3% exceptions | Stakeholder expectations are used as a strategic input across all planning layers; feedback cycles exist. |
| Tier 5 – Optimizing | Formally approved; <0.5% exceptions | Stakeholder needs continuously guide program improvements and are integrated with performance metrics and reporting. |
From Good to Great: What Tier 5 Looks Like
In a Tier 5 organization, cybersecurity isn’t just technically strong, it’s relationally aligned. Stakeholder expectations aren’t just acknowledged; they are:
Integrated into KPIs, SLAs, and roadmaps
Used to inform strategic investments
Reviewed through real-time feedback mechanisms
Actively shaping incident response planning, training, and product security design
This level of maturity reflects a culture where cybersecurity is truly customer and stakeholder driven, resulting in higher trust, better risk decisions, and stronger business outcomes.
Final Thoughts on GV.OC-02
Cybersecurity isn’t just about protecting systems, it’s about protecting relationships. Whether it’s a customer trusting your login page, a regulator reviewing your audit, or an employee relying on uptime, every interaction is an expression of trust.
GV.OC-02 reminds us that cybersecurity isn’t just about what we think is important, it’s about what they need us to protect.
Next Up: GV.OC-03 – Understanding Your Dependencies and Critical Infrastructure.