Cybersecurity insights from industry experts.

What are Your Exception Expectations?

Cybersecurity exceptions are a fact of life in most organizations, but there's work that should be done to make sure those exceptions are justified and worth the risk.

Nathan Martz, Manager, Google Cloud

October 20, 2023

3 Min Read
Runners in a marathon running in the opposite direction of what the rules say.
Source: Alvis Upitis via Alamy Stock Photo

There is always a new shiny object to chase in cybersecurity: zero trust, AI, passwordless authentication, quantum computing. These are just some of the latest hot topics, and organizations are feeling pressure to adopt them to stay ahead of current threats.

While these new technologies are certainly relevant, they may not be as important as getting the "cyber basics" right. Buying new cutting-edge tools or planning a whole new architecture won't replace excelling at those foundational, structural underpinnings that build a successful security program. One example of these fundamental considerations is the area of "exceptions." 

It is simply a given in any enterprise that there will be exceptions to cybersecurity policies and procedures. These range from patching exceptions to multifactor authentication (MFA) exceptions to access and firewall exceptions. How an organization processes and tracks exception requests, and evaluates risks associated with exceptions, can have a major impact on how easy or difficult it is for the organization to monitor, detect, and respond to cyberattacks.

Are Cybersecurity Exceptions Justified? 

Attackers will leverage exceptions because they provide an easier path into an organization's environment. For example, I supported a military contract and the command was rolling out application allowlisting. The aides to senior officers requested exceptions for those seniors because they were concerned that the technology might "interfere" with the senior officers' work. However, the senior officers were the exact group needing additional security protection. 

We were able to meet and explain to the aides how the tech would better protect these VIPs, and we would coordinate with their offices to quickly resolve any issues with the technology. Despite some misgivings, the VIPs ultimately were better protected and the exception requests were dropped. All it took was sitting down and discussing the users' worries and patiently explaining how to ease those worries. 

Exceptions ultimately indicate how good your security could be — if there were fewer exceptions (or none at all). Here are some things to keep in mind:

  • Ensure you have a clear and concise process for requesting and approving exceptions. (Hint: Convenience is not a good basis for granting exceptions!) That process should align with other security policies, such as the organization's acceptable use policy.

  • The process should include a risk assessment to determine the impact of the exception.

  • Track all exceptions to ensure they are not being abused.

  • If you have too many exception requests, you may need to modify your policy so that employees can get their work done securely.

  • Exceptions should expire. If necessary, they can be reviewed to see if they are still valid.

If you're falling short on cybersecurity fundamentals, such as an exception process, you're going to be facing security issues regardless of how much time and money you invest in new technologies. Automation and other solutions can help, but they don't erase every problem, including those that require new human behaviors and processes. Just like Achilles from Greek mythology, it’s easy to forget a weak spot if you’ve lived with it for a long time. And just like Achilles, such forgetfulness can have severe consequences.

Read more Partner Perspectives from Google Cloud

Read more about:

Partner Perspectives

About the Author(s)

Nathan Martz

Manager, Google Cloud

Mr. Martz is a CISSP with over twenty years of information security and Computer Network Defense (CND) experience with over five years experience as a Security Operations Center (SOC) Manager and five years experience as an Incident Response Team Leader. In his current position, he provides strategic security consulting services including Security Response Readiness Assessments, Cyber Threat Intelligence integration and Security Program Assessments. He also provide evaluations and recommendations for technical and process improvements in Security Operations Centers (SOC), Cyber Defense Centers (CDC) and Incident Response Teams as well as assisting customers in writing procedures, use cases and cyber play books.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights