Security governance provides leadership direction for security: defining strategy, accountability, policy, and risk appetite. It is a board and executive responsibility, not just an IT one.
Governance sets the tone from the top. Without executive commitment, security programs fail. The CISO reports to the CEO or the Board for independence. Governance outputs: security strategy, risk appetite statement, policy framework, and security metrics for executive reporting.