Why cybersecurity policies fail (and what to do about it)
2026-05-18
Five common reasons cybersecurity policies fail — and practical steps to fix each one.
Most organisations measure the wrong thing when it comes to cybersecurity policies. They track existence: "do we have a policy?", and stop there. What they rarely measure is effectiveness: "does the policy actually change how people behave?"
That distinction matters more than most security teams realise. Policies are the centrepiece of a cybersecurity strategy. They set the baseline expectations for the controls that manage cyber risk. But a policy that sits in a SharePoint folder, unread and unenforced, isn't a control - it's a document.
The old management maxim says you cannot manage what you cannot measure. In cybersecurity, the problem isn't measurement itself, it's that we're measuring the wrong things. Counting policies is easy. Measuring whether they work is harder, and that's exactly why most programmes don't do it.
When cybersecurity programmes fail, weak or missing policies are usually a root cause. But the deeper issue is almost always the same: policies built to demonstrate compliance rather than drive behaviour. Here are five reasons why policies fail and what to do about each.
1. Misalignment with the business
The most common reason cybersecurity initiatives fail is a disconnect between security policies and actual business needs. This usually happens when policies are rushed into place to pass an audit or satisfy a regulator. In practice, those policies go unenforced and therefore exist only on paper for compliance, which is not the same thing as security.
To fix this, translate cyber risks into clear business terms. Once executives understand what's at stake, sponsorship for policies and security initiatives becomes far more effective and sustainable. A policy your leadership actively backs is one that actually gets followed.
2. Inconsistent structure
Policies that lack a consistent structure are harder to read, compare, and maintain. When each policy looks and feels different, it creates confusion for the teams enforcing them and the employees expected to follow them.
Fortunately, this is one of the easier problems to solve. A standard policy template and a writing guideline go a long way. The template defines the structure; the writing guideline covers language, tone, and vocabulary. Before building these from scratch, check with other departments (e.g., HR) to see if policy templates already exist. Consistency across the whole organisation is more valuable than consistency within cybersecurity alone.
3. Wrong level of specificity
Policies are high-level instruments. They should address the what, not the how. A common mistake is writing policies that are too long or too prescriptive, burying implementation detail that belongs in standards or procedures instead.
If your policy reads like a technical manual, it has overstepped its purpose. Keep policies concise and push the specifics downstream into supporting standards and procedures. The longer and more complex a policy is, the less likely anyone is to read it, let alone follow it.
4. Written for the wrong audience
Cybersecurity professionals are fluent in technical jargon. Most employees are not. Policies written in dense, technical language create an immediate barrier, and in a world full of competing demands on people's attention, a policy no one reads is a policy no one follows.
Write for your audience, not your peers. Plain language isn't dumbing things down; it's making compliance possible. If the person least familiar with security in your organisation can read your policy and understand what's expected of them, you've done it right.
5. Poor dissemination
A policy can't be effective if the people who need to follow it don't know it exists. Studies suggest that as many as 39% of employees are unaware of their organisation's cybersecurity policies. Given that people are the first line of defence, this gap is a serious problem.
Effective dissemination requires embedding policy awareness into the processes where it counts most: for example, presenting the relevant policies during HR onboarding and offboarding and in access provisioning workflows. Additionally, policies must be acknowledged annually or whenever major revisions are made. This moves policy awareness from a one-time event to a recurring part of how your organisation operates, which increases effectiveness.
The real audit question
There's a simple test worth running on your own programme. Pull up your cybersecurity policies and ask, "how do we know they're working?" If the honest answer is "we don't," that's where to start.
Effective policies leave a trail. Employees can recall them. Behaviours align with them. Incidents they were designed to prevent become less frequent. The organisations that get this right don't just write better policies — they treat policy effectiveness like any other security metric: something to be tracked, tested, and improved over time. That shift, from counting documents to measuring behaviour, is what separates a cybersecurity programme that performs from one that merely exists.
Not sure how effective your policies really are?
From policy development to employee awareness, we help organisations build cybersecurity programmes that perform — not just comply. Talk to us about what that could look like for your business.