As cyberthreats become increasingly frequent and complex across private and public sectors, the hard truth is that we still do not have a reliable model for governments and private enterprises to collaborate and reduce cyberrisks. In August 2025, a cyberattack forced Nevada’s state offices to close for several days, disrupting websites and phone systems across multiple agencies, exposing coordination gaps between government and private technology partners. Challenges such as inconsistent information sharing, vague legal guidelines, conflicting policies and technical issues related to data use, data security and privacy are some of the factors that have contributed to the friction between policymakers and business leaders. However, a flexible, yet structured framework to support cross-sector collaboration remains to be seen. This raises an important question – can COBIT be adapted to drive private-public sector collaboration?
By design, COBIT is more than just a set of control objectives: it comes with defined process domains, roles, performance metrics and governance practices. As evidenced by numerous case studies, the COBIT framework is already widely adopted in government and industry sectors alike. Because it can be tailored to different operational contexts while remaining structured enough to bring clarity and shared understanding, fluidity is intrinsic to COBIT. However, a mechanism for collaboration across institutional boundaries (with competing priorities and obligations) is something that COBIT does not readily provide.
Reinterpreting COBIT
Consider typical examples – a health system managing its internal IT governance or a federal agency reviewing its own IT controls. When the COBIT framework is conventionally applied in these settings, there are a few key assumptions. The framework is implemented within the boundaries of a single entity (private enterprises or government agencies) with clear authority, and controls and metrics are shaped by the entity’s unique needs. With a slight change in perspective, COBIT can be viewed as a shared governance tool as opposed to being internal and organization-specific.
In the real world and especially in critical infrastructure, finance and supply chain domains, processes are often jointly owned across public and private sectors with shared responsibilities. For instance, in a national cyber incident, the Cybersecurity & Infrastructure Security Agency (CISA) and a telecom provider like AT&T may need to co-manage the incident response process. While CISA might lead on threat intelligence and national alerts, AT&T would be responsible for securing and restoring communications infrastructure. This is where COBIT can help define shared responsibilities and decision-making authority across organizations with varying resources, risk appetite and regulatory constraints. The modular nature of components allows controls to be adapted for cross-organizational settings.
Practical considerations for success
There are six important points to be considered before implementing a COBIT-based framework for public-private governance:
Selectivity - Select and adapt only those COBIT processes that support specific, shared goals. In the context of public-private entities, this means only processes that require coordination such as incident response, risk management and compliance.
Joint Ownership - Develop extended RACI matrices and inter-organizational charters that completely and accurately reflect the who, what and when of every joint activity. External stakeholders across organizations must be assigned clear responsibilities and decision-making authority (with defined escalation paths) to minimize ambiguity and to ensure accountability.
Legal Boundaries - Define scope, situational limitations and penalties related to threat information sharing between private and public entities through formal agreements or legal provisions to enable lawful collaboration.
Cultural Awareness - Acknowledge differences in organizational culture and agree on basic standards for communication and cooperation without expecting total alignment in values or practices.
Sustained Governance - Establish a permanent governance structure like a steering committee with defined roles, meeting frequency and decision-making authority that is integrated with each entity’s internal governance structure. This is crucial since public-private partnerships often rely on personal relationships or ad hoc task forces that are often not formalized or repeatable over time.
Policymaking - Work toward setting clear rules for what government and private companies can do, making regulations practical and not overly rigid, and emphasizing preventive controls over reactive measures.
Building on these considerations, the COBIT framework provides guiding governance and management objectives that can be connected to framework elements for the implementation of effective public-private cybersecurity collaboration as shown in figure 1:
Figure 1: Operationalizing the Governance Model

| Contextual Design Factors* | COBIT Objectives | Non-Operational (Governance) Outcomes |
|---|---|---|
| Enterprise Strategy, Organizational Culture | EDM01 – Ensure Governance Framework Setting and Maintenance | Establishes a unified governance structure with shared roles and accountability. |
| Role of IT, Organizational Culture | APO01 – Manage the I&T Management Framework | Aligns how cybersecurity is managed across organizations. |
| Compliance Requirements, Regulatory Requirements | MEA03 – Ensure Compliance with External Requirements | Clarifies legal boundaries for data and threat sharing. |
| Industry Sector, Organizational Culture | APO08 – Manage Relationships | Structures engagement and communication between sectors. |
| Risk Profile, Threat Landscape | EDM03 – Ensure Risk Optimization | Aligns risk assessment and response across entities. |
| Threat Landscape, Technology Adoption Strategy | DSS05 – Manage Security Services | Enables coordinated security operations and responses. |
| Enterprise Goals, IT Implementation Methods | BAI01 – Manage Programs and Projects | Structures joint initiatives with clarity on scope and timelines. |
* This analysis focuses on operationalizing COBIT components for public-private governance, assuming design factors have already been considered in the system scope.
Looking Forward
In today’s evolving cybersecurity landscape, public and private sector organizations require advanced governance models that clearly define roles, legal boundaries and collaboration protocols. A COBIT-based approach can foster cross-sector collaboration, enabling reliable, informed decision-making and improving resilience against cyberthreats.
About the author: Suraj Raghupathy Iswaran is a senior cyber and strategic risk consultant at Deloitte with more than six years of experience in cyber risk consulting and management at PwC and Deloitte. He specializes in designing and implementing cybersecurity frameworks, performing third-party risk assessments and vendor due diligence, and supporting enterprise compliance and threat monitoring for clients in the financial services, healthcare, and technology industries.