Effective security governance

Published: 2017-05-01
Last Updated: 2017-05-01 18:22:39 UTC
by Manuel Humberto Santander Pelaez (Version: 1)

According to the Carnegie Mellon University (CMU) Software Engineering Institute (SEI) [1], there are 11 characteristics of effective security governance:

  • Enterprise-wide issue: Security is managed as an enterprise issue, horizontally, vertically, and cross-functionally throughout the organization in every level.
  • Leaders are accountable: Executive leaders understand their accountability and responsibility with respect to security for the organization, for their stakeholders, for the communities they serve, and for the protection of critical national infrastructures as well as economic and national security interests.
  • Viewed as business requirement: Security is viewed as a business requirement that directly aligns with strategic goals, enterprise objectives, risk management plans, compliance requirements, and top-level policies.
  • Risk-based: Determining how much security is enough is based upon the risk exposure an organization is willing to tolerate, including compliance and liability risks, operational disruptions, reputational harm, and financial loss.
  • Roles, Responsibilities, and Segregation of Duties Defined: Security roles and responsibilities for business leaders are denoted by separate lines of reporting and a clear delineation of responsibilities that consider segregation of duties, accountability, and risk management.
  • Addressed and Enforced in Policy: Security requirements are implemented through well-articulated policies and procedures which are supported by people, procedural, and technical solutions including controls, training, monitoring, and enforcement.
  • Adequate Resources Committed: Key personnel, including IT and security staff, have adequate resources, authority, and time to build and maintain core competencies in enterprise security.
  • Staff Aware and Trained: All personnel who have access to digital assets understand their daily responsibilities to protect and preserve the organization’s security posture.
  • A Development Life Cycle Requirement: Security requirements are addressed throughout all system/software development life cycle phases including acquisition, initiation, requirements engineering, system architecture and design, development, testing, operations, maintenance, and retirement.
  • Planned, Managed, Measurable, and Measured: Security is considered an integral part of normal strategic, capital, and operational planning cycles.
  • Reviewed and Audited: The board risk and audit committees conduct regular reviews and audits of the Enterprise Security Program (ESP).

From these criteria we can conclude:

  • How can you ensure that non-IT people will not click on a spear-phishing URL or plug in an unknown USB drive just to check its contents? Information security training and awareness are a MUST for every employee.
  • Budgets keep shrinking while risks grow bigger and broader. Information security solutions are composed of people, process, governance and technology, not just technology. You need to find innovative ways to keep the controls required by your risk treatment plan cost-effective.
  • Risk maps need to be kept up to date. If you rely on information security risk maps applicable to your industry and do not build your own, you will eventually miss a critical risk, and controlling it will cost you a great deal of time and resources.
  • Information security must be a requirement for every project in the organization, not just the IT ones. This is vital for digital transformation efforts.
  • Information security is a management system with many actors inside an organization. A main team leads all the efforts and needs an adequate amount of resources to keep the risk treatment plan up to date.
  • Information security reports to management need to be written in business language. If the information security efforts can show how they are improving business performance, they are heading in the right direction.

References:

[1] https://resources.sei.cmu.edu/asset_files/TechnicalNote/2007_004_001_14837.pdf

Manuel Humberto Santander Peláez
SANS Internet Storm Center - Handler
Twitter: @manuelsantander
Web: http://manuel.santander.name
e-mail: msantand at isc dot sans dot org
