This report illustrates on the root of vulnerability of SCADA systems, and futility of contemporary approaches at addressing those threats. The authors insists that the problem must be addressed such that SCADA security becomes effective and sustainable for the entire system lifecycle, including design, installation, operation, maintenance, and retirement. Only the implementation of effective security governance for SCADA will meet this requirement. Some approaches for security perform well at linking security investment for information assurance to the business goals of the larger corporation but are not readily translatable into actionable practice. Others excel at defining and enforcing security for implementations and procedures but are weak from the perspective of the larger picture. The strengths of the two groups can be leveraged to create effective security governance for SCADA, reaching across the organizational structure of the company and creating the foundation for sustainable security.