The key to the problem of data leakage can be laid squarely at the door of poor information security governance. As information security governance is a sub-set of IT governance, then the starting and finishing position rests with the CIO, says John Mitchell. I am constantly amazed at CIOs who have no clear governance programme in place to ensure that their function can not only support current business objectives, but also help to extend the enterprise into the future. After all, IT departments only do two things: facilitate the development of new business solutions and deliver existing solutions to its clients.