1. Understand clearly that information security is first and foremost a business problem, one that must be resolved like any other business uncertainty: in terms of risk management.

2. Know that information security cannot be achieved through technology alone. Although security solutions have a technological component, the larger part (almost 80%) relates to managing people and process uncertainties.

3. Understand clearly that information security is largely a people issue and that people are the weakest link in the security chain. Their awareness can make or break the organisation's investment in security technology and processes.

4. Understand that information security, like any other business process, is effective only when based on reliable information and a sound strategic plan. The plan has to be developed using the right standards, policies and technologies, and communicated to each person in the enterprise.

5. Make sure that you have an ongoing monitoring process to see that the security plan and solutions evolve to meet changing business needs.

6. Acknowledge that security threats and breaches can seriously undermine share price and stakeholder confidence, and can result in significant financial losses.

7. Effectively demonstrate the value of information security in business terms to the Board and top management, and communicate a clear business case for investments in security.

8. Know that the key element of governance is monitoring performance, and that a prerequisite to monitoring is measurement of security goals, policies, compliance, spending, and ROI.

9. Be fully aware of the powerful effect of information security on business strategy, and take an enterprise-wide view by collaborating with other business heads in planning and devising security budgets, plans, and strategies that can benefit the company as a whole.

10. Keep your security strategy in step with your business strategy and the changing security environment.

11. Look beyond your immediate organisational boundaries to the extended enterprise, and understand its contribution to achieving effective and enabling information security.