Your Security Policy and Your Security Reality Are Not the Same Thing

Most South African businesses I speak to have a cybersecurity posture that looks better on paper than it is in practice. This is not negligence. It is the natural result of how security programs evolve — documentation outpaces reality.

A company passes an audit. Great. The policy documents are current, the controls are mapped, the board report says amber-to-green. Then the year moves on. Staff turn over. Systems get added. A new business unit spins up and uses a cloud tool that is not in the asset register. The endpoint detection tool that was deployed eighteen months ago has never been tested against an actual incident.

Nobody updated the policy. Nobody is lying. The gap between what the documents say and what would actually happen in a breach just quietly widened while everyone was doing their jobs.

The question attackers actually ask

An attacker does not read your security policy. They probe your actual environment. They ask: what can I reach? What credentials can I find? What logging gaps exist? How long before anyone notices?

The most honest measure of your security posture is not your last audit score. It is the answer to that last question — how long before anyone notices? If the answer is days or weeks, the policy documents do not matter.

What to do about it

The answer is not more documentation. It is periodic validation — testing whether the controls that are supposed to exist actually work the way they are supposed to work. Not a full red team exercise. Just honest, systematic checking. Does the incident response plan reflect who actually works here now? Does the EDR cover the servers added in Q3? Does the SIEM alert on the things it is supposed to alert on?
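One concrete form of that systematic checking is to reconcile the asset register against what the EDR console and the SIEM actually report, so that servers added since the last audit, silent agents and shadow hosts surface as named gaps. The script below is an added illustration, not the author's own tooling; the hostnames, dates and seven-day staleness threshold are constructed sample data.

```python
from datetime import date, timedelta

# Constructed sample data: a small asset register, the hosts the EDR console
# has heard from, and the hosts the SIEM has received logs from. All names
# and dates are illustrative placeholders, not from any real environment.
TODAY = date(2024, 10, 15)
STALE_AFTER = timedelta(days=7)

ASSET_REGISTER = {"fs01", "web01", "web02", "app03", "db02"}  # app03, db02 added in Q3
EDR_LAST_SEEN = {
    "fs01": date(2024, 10, 14),
    "web01": date(2024, 10, 15),
    "web02": date(2024, 8, 30),        # agent installed but silent for weeks
    "app03": date(2024, 10, 15),
    "hr-saas-gw": date(2024, 10, 13),  # reporting to EDR, absent from the register
}
SIEM_LAST_EVENT = {
    "fs01": date(2024, 10, 15),
    "web01": date(2024, 10, 15),
    "web02": date(2024, 10, 15),
    "app03": date(2024, 10, 1),        # forwarding stopped two weeks ago
}


def reconcile(register, edr_seen, siem_seen, today=TODAY, stale_after=STALE_AFTER):
    """Compare the asset register with what EDR and SIEM actually observe.

    Returns a dict mapping gap category -> sorted hostnames, so the same
    check can be re-run periodically and the trend tracked, rather than
    judged once at audit time.
    """
    def stale(last_seen):
        return today - last_seen > stale_after

    edr_hosts, siem_hosts = set(edr_seen), set(siem_seen)
    return {
        "no_edr_agent": sorted(register - edr_hosts),
        "edr_agent_stale": sorted(h for h in register & edr_hosts if stale(edr_seen[h])),
        "no_siem_logs": sorted(register - siem_hosts),
        "siem_logs_stale": sorted(h for h in register & siem_hosts if stale(siem_seen[h])),
        "unregistered_hosts": sorted((edr_hosts | siem_hosts) - register),
    }


if __name__ == "__main__":
    for gap, hosts in reconcile(ASSET_REGISTER, EDR_LAST_SEEN, SIEM_LAST_EVENT).items():
        print(f"{gap:20s} {', '.join(hosts) or '-'}")
```

In a real environment the three inputs would be exported from the CMDB, the EDR console and the SIEM's log-source list; the value is in running the comparison on a schedule and treating every non-empty category as a finding.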

Small gaps, found early, are cheap to fix. The same gap, found by an attacker, is not.

Greg Hay is a cybersecurity advisor based in Durban. His book Checked, Not Secured explores this gap in depth. Available at Reader’s Shack.
