Security grows down into an organization once a written policy dictates it is required. Administratively, this means that management creates and sustains the demand for things to be done according to certain standards and levels. This requires that risks be categorized and prioritized, and the value of the asset to be protected is weighed against the cost of its protection.
Security policies require procedures. Security procedures include holding regular security audits, and implementing rules such as separation of duties and use of two-man controls. To insure people know how execute security procedures requires security training. To make sure people actually follow policies and procedures requires oversight and enforcement. For there to be enforcement, management must be involved. Management, after all, sets the policies.