Security has to belong to the business folks in the organization. The technology/IT people need to support it, and the CISO might very well hail from that territory originally, but the business folks need to "own" it. That's the only way security will ever be given money before the organization shows up as a trending Twitter hashtag.
In the words of Frederick Avolio: "Security is an investment, not an expense. Investing in computer and network security measures that meet changing business requirements and risks makes it possible to satisfy changing business requirements without hurting the business's viability."
I was talking to a business friend about how data had to go through this process (and one could argue it still is going through it) of being adopted by the business side of the organization in order to be taken seriously. Of course, that means there is a tension between the technology folks and the business folks about who controls the data, but data governance is beyond the scope of this blog entry.
Security governance, though!...
But, seriously, until the business side of the organization - those who hold the purse strings - realizes that security is an investment and not merely a cost center, and that promoting security helps the business meet its business goals, modern businesses will not run as well as they could. Security is not an afterthought, begrudgingly assigned leftover scraps from the head table. Just because we don't put security in the mission statement doesn't mean it doesn't matter.