The Security Barometer poll, conducted in October, asked security leaders whether their organizations had defined policies for various risk areas and, if so, whether Security was responsible for updating and enforcing them.
Seventy percent of respondents identified policy, rather than guidelines, as the primary driver for conduct and activities in the organization. Physical security and incident reporting were the only two policy areas for which more than 50% of respondents claimed Security was responsible for the policy and enforced it.
Bob Hayes, Managing Director and founder of the Security Executive Council, remarks, “Policy used to be a four-letter word to most companies. It was the enemy. Now companies are pushing for more policy and standardization, and I think they’re doing it in response to risk. There’s too much risk in not having better mandatory controls.”
The reported variety in security risk-related policy oversight may be a sign of positive change, Hayes notes. “To me what it shows is that Unified Risk Oversight™ is growing. It may be evidence of greater emergence of cross-functional teams in managing most risks. We’re expecting to see more of security working with other functions to build policies.”
Full poll results are posted here.
About The Security Executive Council
The Security Executive Council is the leading research and advisory firm focused on corporate security risk mitigation strategies and plans. We work with security leaders to transform security programs into more capable and valued centers of excellence.