This website uses cookies

Read our Privacy policy and Terms of use for more information.

A lot of security policies fail for a simple reason:

They’re written for perfect conditions.

But real IT environments are messy.

  • Systems break

  • Teams are understaffed

  • Business priorities change

  • Threats evolve constantly

The result?

Policies that look good in an audit… but don’t work in practice.

I learned this the hard way when I created a patching policy that required all critical patches within 30 days.

On paper it sounded great.

In reality:

  • Identifying patches took time

  • Testing patches took time

  • Scheduling maintenance windows took time

  • Deploying them took time

By the time everything was done… 30 days had already passed.

And meanwhile pentesters were finding issues that were lower severity, but arguably had more impact.

The policy wasn’t wrong.

It just didn’t match the realities of our environment.

What actually works

Instead of trying to create perfect policies:

Focus on risk-aware policies that reflect how your environment and business actually works.

As with all things in security, context matters.

For example:

  • Prioritize risk, not just severity scores

  • Allow exceptions when justified

  • Continuously adjust policies as environments change

Security policies shouldn’t be static rules carved in stone.

They should be living guardrails that help teams make better decisions.

Because the goal isn’t perfect security.

The goal is reducing real risk in the real world.

I recently wrote a blog post where I go into this in more depth.

If you’re an IT admin or IT/Security leader, this is for you.

All the best
Spencer Alessi

P.S. Perfect security policies are like perfect patch Tuesdays…Everyone talks about them, but nobody has actually seen one. 😄

Keep Reading