Policies are now the primary driver of conduct and activities in many organizations, according to a new poll conducted by the Security Executive Council. Poll results also show that the corporate security function is often not the owner of risk-related policies.
The Security Barometer poll, conducted in October, asked security leaders whether their organizations had defined policies for various risk areas and, if so, whether Security was responsible for their update and enforcement.
Seventy percent of respondents identified policy, rather than guidelines, as the primary driver for conduct and activities in the organization. Physical security and incident reporting were the only two policy areas that more than 50 percent of respondents claimed Security was responsible for and enforced.
Bob Hayes, managing director and founder of the Security Executive Council, said, “Policy used to be a four-letter word to most companies. It was the enemy. Now companies are pushing for more policy and standardization, and I think they’re doing it in response to risk. There’s too much risk in not having better mandatory controls.”
The reported variety in security risk-related policy oversight may be a sign of positive change, Hayes notes. “To me what it shows is that Unified Risk Oversight™ is growing. It may be evidence of greater emergence of cross-functional teams in managing most risks. We’re expecting to see more of security working with other functions to build policies.”
Full poll results, including charts, are posted at: www.securityexecutivecouncil.com/spotlight/?sid=30941
For more on Unified Risk Oversight, visit: www.securityexecutivecouncil.com/spotlight/?sid=26462