A problem in organizations is that the elected security controls do not adequately cover the technology stack: network and applications, and are not executed on by all the people with the organization.

A full view needs to be taken of how to proliferate the controls. The controls come from the corporate security policy which should be legally enforceable, the security policy is then extrapolated into an elected set of controls. Controls are then morphed into standards, standards into guidelines, guidelines into patterns.