Data and systems breaches happen. It’s not a question of if, but when. Examples of violations abound, just remember the episodes that affected Sony Pictures or Anthem Medical. All sectors are vulnerable to cyber-attacks. Overall, the effect is devastating legal liabilities, brand reputation, lack of trust from customers and partners, and ultimately revenue.

As data usage increases, companies are faced with the challenge of creating the right strategies, structures, and policies to keep sensitive data and systems secure. At the same time, criminals are developing new and sophisticated tactics to access valuable data and systems.

Safety is—and should be—a concern for every employee in a company. However, leadership must be responsible for establishing and maintaining a corporate governance structure. Cyber security governance is defined as a subset of corporate governance that provides strategic direction, ensures that objectives are met, manages risk, and monitors the success or failure of the corporate security program.

Whether the board of directors, executive management or a steering committee, or all of them, cyber security governance requires strategic planning and decision-making.

Despite the threats of cyber-attacks and data breaches, companies can take proactive steps to adopt an effective governance policy. Below are five strategic good practices for cyber security governance.

Although developed by the leadership, cyber security governance involves all employees of the organization and requires ongoing awareness. Governance creates policies and assigns responsibilities, but each member is responsible for following security standards.

Ongoing training and education on good security practices is critical. The cyber threat landscape is rapidly changing and employees, in addition to company training, must keep up to date. That way, if new threats arise, the company will be prepared.

Stakeholders must feel that they can communicate transparently and directly with leadership, even if it is to share bad news. Transparent communication promotes trust and provides a greater level of visibility across the organization.

Involvement is critical. Consider creating a steering committee comprised of executive management and key team leaders (IT, marketing, finance, PR, legal, operational, etc.) to review and assess current security risks.

In general, to be successful, a cyber security governance policy involves an ongoing process of learning, reviewing and adapting. Organizations need to be proactive and strategic about security. Threats and incidents are unavoidable but making cyber security governance a strategic and priority issue in the organization can help minimize cyber risk.