A recent post by world-renowned ICS cybersecurity expert, Ralph Langner describes why governance programs fail and offers practical solutions for this very valuable and tedious risk management program. This post provides complement material to WaterISAC’s 15 Cybersecurity Fundamentals for Water and Wastewater Utilities, specifically 9. Develop and Enforce Cybersecurity Policies and Procedures (Governance). Langner suggests current policies contain more rhetoric than impact, and are missing a few critical components to make them successful. Specifically, policies lack action and measurable results, and do little more than provide the perception of security. Langner suggests more policies should include details on who drives the efforts; who implements the efforts, how, and when; and when and how are results evaluated and reported. In other words, governance should drive execution and progress. The post also poignantly discusses the importance of dedicated full-time resources and a useful asset inventory as success factors for OT/ICS governance programs. Read the post at Langner