Security exceptions are increasing cybersecurity risk, survey finds
New survey data shows how formal and informal security exceptions are increasing business and cybersecurity risk across organizations
Takeaways:
- Every organization surveyed granted at least one security or compliance exception in the past 12 months, suggesting exception handling is now standard practice rather than an edge case.
- Most exceptions were formal, but a significant share were still handled through informal workarounds, increasing the likelihood of inconsistent oversight and hidden risk.
- Security exceptions are not just a governance issue; they can directly affect business outcomes by delaying product launches, market expansion, merger and acquisition activity, and AI deployments.
- The broader pattern points to a culture where speed and productivity often override security policy, leaving cybersecurity teams to manage the fallout.
Why security exceptions are becoming the norm
One tried-and-true method for determining when a process is broken is watching for when there are more exceptions than there are rules. A survey of 200 U.S. cybersecurity leaders suggests that cybersecurity mandates are riddled with so many exceptions that, for all intents and purposes, there are no meaningful rules.
Conducted by Opinion Matters on behalf of Replica Cyber, a provider of a hardened platform for deploying applications, the survey finds every respondent (100%) worked for an organization that granted security or compliance exceptions in the past 12 months. Nearly two-thirds (63%) described those exceptions as formal, while 36% said they were granted via an informal workaround.
Why temporary security exceptions often become permanent
There are always going to be exceptions to any rule, but by and large they should be temporary. The survey makes it clear, however, that when it comes to security policies, far too many of the exceptions granted are permanent. For example, a policy created to prevent end users from using an open-source artificial intelligence (AI) tool that, if compromised, could expose troves of sensitive data will end up with an exception for members of the marketing team who rely on it to increase productivity.
There are, of course, more secure AI agents that a proactive cybersecurity team could identify, but that requires a significant amount of research effort. By the time that research is completed, the marketing department will invariably have created a series of complex workflows that they would have to completely rework if they switched to another AI agent platform. In the name of productivity, another exception will then be granted even though everyone in cybersecurity knows it will only be a matter of time before the AI agents adopted by marketing are compromised.
The same cybersecurity teams also know that the more senior the executive seeking an exception to a rule is, the more likely it will be granted. The assumption is that those executives understand the level of risk they are assuming on behalf of the organization. Unfortunately, those exceptions set a bad example that is quickly propagated throughout the organization.
Why security teams are left to manage exception-related risk
Unfairly or not, the onus for at least making everyone in an organization appreciate the level of risk being assumed whenever new tools and platforms are added to a portfolio falls mainly on security teams. That’s a lot to ask of cybersecurity professionals who are generally understaffed as it is, and it assumes other departments are going to share their IT plans with a security team before launching yet another shadow initiative. All too often, the exception to a policy is granted simply because the department in question knows that it is much easier to ask for forgiveness than permission.
How security exceptions can delay business initiatives
Despite these issues, cybersecurity teams can’t afford to give up the fight. In fact, the survey shows some signs that cybersecurity teams are being heard. Well over two-thirds of respondents (39%) said their organization has delayed or canceled market expansion, product launches, mergers and acquisitions, or an AI deployment because the work couldn’t be conducted securely, with 20% noting that in some instances high-risk work was canceled entirely.
Unfortunately, the occasions on which organizations made those exceptions to a business culture that generally prioritizes speed at all costs remain few and far between.