Research has found that very few companies have a full security strategy in place and where they do, it is rarely seen as 'fit for purpose'. Recent work by Perpetuity found that only one-third of organisations had a security strategy that had been approved by the Board. Many did not have specific objectives to guide the work of the security function within the organisation and less than a third had a security strategy with measurable deliverables linked directly to organisation objectives.
Furthermore according to security providers, nearly two-thirds estimated that fewer than 15 per cent of their clients had a security strategy in place. In addition where security strategies did exist most were not deemed to be fit for purpose.
Whilst the majority of organisations seemingly do not have a security strategy, many directors recognise that they should.