The 'No, Duh!' Principle - Why InfoSec Needs Governance and the dreaded Audit

Presented at THOTCON 0xA (2019), May 4, 2019, 3:30 p.m. (25 minutes)

At last year's THOTCON, Keren Elazari and Chris Wysopal touched upon bridging the gap between blue and red teams, business units, and other professions to create a comprehensive cyber-shield for the world at large. The question, however, is how IT Security professionals actually do that. Simply adding different business units and teams to email chains or meetings is not enough. The IT Security landscape is complex and specialized, with its own language that most people outside the field will not understand. One of the keys to collaboration is simplifying that information by creating governance controls that are easily understood but still satisfy regulatory and legal requirements. In lay terms, governance answers two questions: "Do you know what is happening in your sphere of control?" and "Can you show me that this is the case (aka prove it)?" Incidentally, these are the two main questions auditors ask when performing assessments, and in my experience those assessments are not happily received by InfoSec and SecOps folks. Audit is a different beast altogether. Auditors gauge the temperature of different business areas, their results drive decisions, and their reports are where common folks go to get their answers. With good governance controls, InfoSec can give the best picture of the IT security landscape, provide clear and easily understood information, improve decision making, and decrease time spent on audits, especially if teams work with audit to understand which risks need to be addressed, what frameworks and regulations require, and what upper management wants. Good governance is easy to talk about, but practicing it requires legwork up front and continuous tinkering. In this talk, I will cover how to understand audit, the concept of governance as it relates to the business, and how to translate that understanding into governance controls. I will also speak on uses of governance in Security and how to go about designing controls.


Presenters:

  • Agnes Klus
    Agnes has been part of the IT Audit/governance, IT, and Security world for over 10 years in various industries. She got here by a stroke of luck.