Many organizations simply overlook establishing a governance program as a part of the ongoing information security strategy. It's easy to say that security is everyone's responsibility but without defining the governance structure no one truly understands what their role in security actually is.
There are various levels of the governance structure, starting with management and carrying all the way through to the individual business units and then to the individual resources. When you take an effective approach to govern your organization in this model it not only creates an effective security program but also an effective way of running operations as a whole.