Current State of Security Policies
by Mike Gentile, Ron Collette, and the CISOHandbook.com Team
Within our security program development methodology, security policies serve as the benchmark that instructs the rest of the organization on what they should be doing from a security perspective. Within this article, we will use metrics we have collected from our security program review tool (still available on the site) to present how most organizations are using security policies.
This article will discuss 5 key metrics that were extracted from our security program review tool. These metrics represent the aggregated results from over 160 security programs around the world. What we found fascinating about these results is that they really pointed to the fact that we still have some ground to cover with regard to the maturity of our security policies. The five metrics discussed in this article are:
- What is the state of your existing security policies?
- Do you feel your security policies address all applicable regulations for your organization?
- Do you feel that your security policies are comprehensive for the entire organization?
- Does your environment meet or exceed the majority of standards and guidelines outlined in your security policies?
- How often are your security policies reviewed and updated?
Underneath each metric, we will point out a couple of observations that our team has drawn from the data.
*Only 41% of the survey respondents have documented and ratified security policies. That means that less than half of the organizations that protect our personal data or manage our personal safety have policies.
*13% of respondents still do not have any security policies at all.
*In most of the organizations for which we perform services, security regulations are a major catalyst for getting security done. We have also noticed, though, that there is a disconnect between regulatory compliance and the representation of those regulations in security policies. This data supports that notion.
*The increasing compartmentalization of organizations is reflected in this statistic. Only 13% of respondents claim that their security policies are completely comprehensive for the whole organization.
*No surprise here, but this should scare us all. Even when organizations have policies, standards, and guidelines, only 17% of the respondents claim that their organization is fully complying with them.
*This final statistic is nice to see (kind of). This is one area where we have seen significant improvement in the area of security policies. Most organizations are getting better at keeping their policy set current. Of course, still only 50% are updating them more often than every two years. At least that is better than where this statistic has been in the past.
As always, you can provide feedback for this article here.
In addition, it would be great if you have some time and can participate in our new survey. You can take it by clicking here. It is only with your participation in these types of surveys that we can bring you articles like the one you have just read.