Survey shows lack of sophistication in addressing security at the level of risk management. Any organization that regularly reviews processes for vulnerability assessments and threat assessments is well ahead of the pack. CERT notes that without attention to risk management and security policies, money spent on technical solutions may be misdirected. Respondents show decent involvement by senior management in setting security policies. However, few succeed in making security a regular part of staff or management meetings. The next best step is to at least address security on a policy level.”]
Source: https://www.csoonline.com/article/2118149/how-does-your-company-stack-up-.html