Your Security Policy and Your Security Reality Are Not the Same Thing
The real cost of the gap
The gap between documented policy and operational reality is not an abstract risk. It has a direct cost. When an incident happens and the controls that were supposed to be in place turn out not to be, the consequences land on the business — not on the policy document. Ransomware that spreads because a segment that was in the network diagram was never actually configured. A data exfiltration that went undetected because the logging policy was written for a different set of systems. A regulatory fine because the data retention schedule existed on paper but nobody was actually deleting anything.
The organisations that handle this well treat their security documentation as a living thing, not a compliance artefact. They review it against actual operations on a regular cycle. They test the controls, not just the paperwork. This is the same discipline that makes POPIA compliance an ongoing practice rather than a checkbox exercise.
How to measure your security reality
Measuring the gap does not require a full penetration test every quarter. It requires a short set of practical questions that someone in the business can answer honestly. When was the last time we tested a restore from backup? When was the last time we reviewed who has admin access? When was the last time we ran the incident response plan as a tabletop exercise with the people who would actually be in the room?
If the answer to any of those is more than six months ago, the gap is wider than you think. The point is not to be perfect. It is to know where you actually stand so you can prioritise what to fix next. Boards that want to understand this dynamic should start with the three questions every board should be asking their IT team.
Building a validation cadence that sticks
The businesses that close the gap between policy and reality do not do it with a single project. They build a rhythm. Quarterly control testing. Semi-annual tabletop exercises. Annual policy reviews that actually compare the document against the current environment, not just update the date stamp. Each cycle finds a few gaps. Each gap gets fixed before the next cycle. Over time, the drift stops and the gap narrows.
This is not expensive. It is not complicated. It just requires someone to own it and a calendar to remind them. The alternative — finding the gap during an actual incident — is both expensive and complicated. The choice is straightforward.
The most common gaps I see
After working with dozens of South African businesses, certain gaps show up consistently. The first is endpoint coverage. The EDR or antivirus tool was deployed to the main office machines, but remote workers, branch offices, and contractor devices were never added. The policy says all endpoints are protected. The reality is that a significant portion of the attack surface is invisible.
The second is identity and access management. Policies say access is reviewed quarterly. In practice, the last review was eighteen months ago, and the spreadsheet of who has admin rights has not been updated since the last reorganisation. Former employees still have active accounts. Service accounts use passwords that have never been rotated. The policy document describes a well-managed access environment. The actual directory tells a different story.
The third is incident response readiness. The incident response plan exists. It names a team, defines roles, and describes a process. But the people named in the plan have changed jobs, the contact numbers are out of date, and the plan has never been tested in a simulation. When a real incident happens, the plan gets printed and then ignored because nobody has ever practised it. This is the same gap that makes POPIA breach notification so difficult in the first 72 hours — the plan exists but the muscle memory does not.
Who should own the gap
The gap between policy and reality needs an owner. Not a committee. Not a quarterly review item. A specific person whose job includes keeping the two aligned. In larger organisations this is the CISO or the head of IT security. In smaller businesses it is often the IT manager or an external vCISO. The title matters less than the accountability.
That person needs two things: a budget to fix the gaps they find, and a direct line to the board or the owner. If the person who finds the gaps cannot close them, the exercise becomes demoralising and the gap widens. If they cannot report what they found to someone who can act, the exercise becomes pointless. The businesses that close the gap are the ones where the person responsible has both authority and resources. For businesses trying to decide whether they need a dedicated security person or a broader technology leader, our comparison of vCISO versus fractional CTO can help clarify which role fits.
Need Help With Your Security or IT?
We work with South African businesses to assess, deploy, and manage security and IT that actually fits. No jargon, no scare tactics. Practical advice and real support.
Contact Us →