A CISO discusses the importance of governance structures and board support for information security. They emphasize focusing on the basics, such as patch and vulnerability management, user access control, secure authentication, and encryption. The CISO stresses the need to measure, track, and report security metrics and to provide user training and awareness, as people will choose fun over security. They also note that insurance can help mitigate remaining risks.