At its heart, governance should be about security practices and focus on risk mitigation as a security concept rather than as a compliance driver. Compliance will be a by-product of good security practices that can be guided by security governance frameworks.