A better (cyber) mousetrap

What makes a solid cybersecurity/information risk management program?