Exceptions to policy stink. With very few exceptions

by Vicente Aceituno Canal | The CISO’s lair | November 2023

[Image caption: The Bog of Eternal Stench]

To put it simply: policies are not laws. You don’t have this power.

Cybersecurity policies document a direction of travel: how we would like things to be. Anything that exists before a policy becomes enforceable may or may not be consistent with it.

This doesn’t mean we have to document exceptions. If something is not compliant, but we plan to make it compliant, for example if something is not integrated into SSO, we either work to integrate it or we give up trying. Regardless, there is no point in documenting an exception.

Whenever we discover that something cannot comply with the policy, the best thing is to update the policy. For example, we can declare that shared accounts are banned. Later we find that the company’s social media accounts are shared and we cannot create nominal accounts. Rather than writing somewhere that social media is an exception, it’s better to change the policy to say that “shared accounts should be avoided unless there is a specific business need for them.”

The only reason not to update a policy that contains impossible-to-enforce provisions is the mistake of thinking that policies are somehow equivalent to laws. They are not. Policies must reflect the reality of your organization; reality will not bend to fit your policies, no matter how hard you try.
