Corporate Security Not Always Responsible for Security Risk-Related Policies, Poll Shows
December 11, 2017 - Policies are now the primary driver of conduct and activities in many organizations, according to a new poll conducted by The Security Executive Council. Poll results also show that the corporate security function is often not the owner of risk-related policies.
The Security Barometer poll, conducted in October, asked security leaders whether their organizations had defined policies for various risk areas and, if so, whether Security was responsible for their update and enforcement.
Seventy percent of respondents identified policy, rather than guidelines, as the primary driver for conduct and activities in the organization. Physical security and incident reporting were the only two policy areas for which more than 50% of respondents claimed Security was responsible for the policy and enforced it.
Bob Hayes, Managing Director and founder of the Security Executive Council, remarks, “Policy used to be a four-letter word to most companies. It was the enemy. Now companies are pushing for more policy and standardization, and I think they’re doing it in response to risk. There’s too much risk in not having better mandatory controls.”
The reported variety in security risk-related policy oversight may be a sign of positive change, Hayes notes. “To me what it shows is that Unified Risk Oversight™ is growing. It may be evidence of greater emergence of cross-functional teams in managing most risks. We’re expecting to see more of security working with other functions to build policies.”