Surprisingly, security programs and services often go into automatic mode after being set up by organizations. Things are working well enough, so little thought is given to them. You might be concerned about the programs, but either the organization is not interested, or you are too busy with urgent issues to work on improving them.
In this Security Barometer we wanted to see how prevalent this is and what you feel are the hurdles that get in the way of improving the core programs that need updating or expansion.
We chose six core security programs to investigate which are causing anxiety for security practitioners.
In the next step we wanted to find out, given that the security programs performance may be lagging, what the actual concerns were.
The majority of responses in the "other" category were from respondents who felt that none of their programs were lagging or deficient.
Most of the listed concerns, in one way or another, relate to the ability to demonstrate the value that Security brings to the organization. The lack of support within the organization, whether that is because of Senior Management not devoting attention, other business units not sharing responsibility, or lack of resources necessary, all point to a deficient value proposition.
Certainly, there will be some organizations, for example startups who are focused exclusively on growth, or businesses that are in a deteriorating financial state, that simply will not attend to security issues regarding of the hazard. However, all operational functions within an efficient stable organization will have a strong business case to support them.
The Security Executive Council is the industry leader at providing guidance and acting as a sounding board for reviewing, enhancing or rebuilding your security programs and services. Download more information about the SEC's Program and Services Review capabilities.