Poll: corporate security not always responsible for risk policies
According to recent research from the Security Executive Council, policies are the main driver of conduct and activities within many organizations. Moreover, not all risk policies reside within an organization's corporate security department.
The organization conducted a Security Barometer poll last October, asking security leaders “whether their organizations had defined policies for various risk areas and if so, whether Security was responsible for their update and enforcement.”
Results indicated that 70 per cent of respondents identified policy, rather than guidelines, as the primary driver for organizational activities and conduct. Furthermore, physical security and incident reporting were the only two policy areas that more than 50 per cent of respondents claimed security was responsible for and enforced.
Bob Hayes, managing director and founder of the Security Executive Council, said in a statement, “Policy used to be a four-letter word to most companies. It was the enemy. Now companies are pushing for more policy and standardization, and I think they’re doing it in response to risk. There’s too much risk in not having better mandatory controls.”
The reported variety in security risk-related policy oversight may be a sign of positive change, Hayes notes. “To me what it shows is that Unified Risk Oversight is growing. It may be evidence of greater emergence of cross-functional teams in managing most risks. We’re expecting to see more of security working with other functions to build policies.”
Full poll results are available here.