Governance is simply describing what should be done to do things right :
Often, Governance is seen as a bureaucratic useless set of Tasks. Governance should be seen as the way of working of the company to ensure long term survival.
Diploma's, certifications, ... are always elements to take into consideration. However, the key to a working & efficient governance is the good understanding of the purpose & the objectives by the people. Simple (Lean !) processes clearly help to avoid people feeling bored. Sound corner stones such as "competence + experience + common sense" are mandartory to avoid people feeling useless or fighting against a Windmill.
A common term used in Security is Policy or Rule instead of "what should be done" ... and "yes" Goverance will define rules to follow. However, defining rules, policies, regulations, procedures, ... does not garanty those will be executed. We can help you ensuring that the process (you) defined are consitent & in-line with the expected Security posture of the Company. We can also help to ensure that those policies / processes / ... do not contain "non-sense", impractical scenarios, ...
Better to do things than not doing those. Having agreed upon, written down processes, policies, regulations, ... describing what is the purpose, what actions are expected within your Organization. A copy-paste from the "BEST-IN-CLASS" might not be what you company requires. You need to have expectations that are according to your Organization maturity level & expectation. An SMI should not try to imitate a Bank or an International organization or a Ministery.
NIST CyberSecurity Framework, ISO-27.xxx, CMMC 2.0 ... they all cover numerous different aspects, needs, legal environments, ...
We practice Risk management from Vulnerability assessment to Second line or Audit support. We are using those frameworks on a daily basis. You may want to choose a lightweight solution or you need to be able to justify the complete deployment of a solution accorss the organisation.
We can help you with the setting up of a the whole project :