24 June 2026
Cybersecurity programmes today are filled with policies, procedures, standards, awareness training and compliance activities. Organisations invest significant effort into documenting how security should operate, and auditors increasingly expect evidence that these controls are in place.
There is good reason for this. Governance is important: it provides structure, establishes expectations and helps organisations demonstrate due diligence. Without policies and procedures, security quickly becomes inconsistent and difficult to manage.
The problem arises when governance begins to overshadow technical capability.
Most organisations can easily report on how many staff completed security awareness training, when policies were last reviewed or how many risks have been recorded in a register. These activities are visible and measurable. Technical skills such as threat hunting, incident investigation, cloud security analysis and attack detection are much harder to quantify. This imbalance leaves organisations exposed to incidents like the Equifax breach in 2017, which was a technical failure more than anything else.
This imbalance is often driven by a phenomenon known as bike shedding, formally referred to as Parkinson’s Law of Triviality. The idea is that groups tend to spend excessive amounts of time discussing topics that everyone understands while giving less attention to complex subjects that require specialist knowledge. The classic example is a committee spending a few minutes approving a nuclear power station but hours debating the design of a bicycle shed.
Cybersecurity is particularly susceptible to bike shedding. Most people can contribute to discussions about password policies, training programmes or acceptable use statements. Far fewer feel comfortable discussing identity attack paths, cloud forensics, detection engineering or attacker behaviour. As a result, organisations can spend weeks refining policy wording while dedicating relatively little time to the technical mechanisms that actually detect and stop attackers.
Unfortunately, attackers are not impressed by documentation.
A ransomware operator does not abandon an attack because an organisation has a well-written Access Control Policy. A compromised administrator account remains dangerous regardless of how many staff completed annual awareness training. During a real incident, technical capability matters far more than the quality of the paperwork.
Consider a common scenario where an attacker gains access to a privileged cloud account. Can the organisation determine what systems were accessed, what data was viewed and whether information was exfiltrated? Can investigators identify how the attacker moved through the environment and whether any persistence mechanisms were established? Most importantly, can they answer those questions quickly enough to make a difference?
Many organisations simply don’t have the hard skills.
The strongest cybersecurity programmes maintain a balance between governance, operations and technical capability. Governance defines what should happen. Operations ensure routine activities such as patching, backups and access reviews occur. Technical capability provides the skills required to detect, investigate and respond to threats when prevention fails.
Security leaders should therefore be cautious of bike shedding. If meetings consistently focus on policies, audit findings and compliance metrics while threat detection, incident response and technical resilience receive little attention, the organisation may be optimising for compliance rather than security.
Policies remain important. They create consistency and accountability. However, they should support security capability, not replace it.
When the next cyber incident occurs, the ability to investigate, understand and respond will matter far more than the number of documents sitting in a policy library.