Security exceptions are increasing cybersecurity risk, survey finds
https://blog.barracuda.com/2026/05/20/security-exceptions-cybersecurity-risk
Publish Date: 2026-05-20 16:26:00
Source Domain: blog.barracuda.com
New survey data shows how formal and informal security exceptions are increasing business and cybersecurity risk across organizations
Takeaways:
- Every organization surveyed granted at least one security or compliance exception in the past 12 months, suggesting exception handling is now standard practice rather than an edge case.
- Most exceptions were formal, but a significant share were still handled through informal workarounds, increasing the likelihood of inconsistent oversight and hidden risk.
- Security exceptions are not just a governance issue; they can directly affect business outcomes by delaying product launches, market expansion, merger and acquisition activity, and AI deployments.
- The broader pattern points to a culture where speed and productivity often override security policy, leaving cybersecurity teams to manage the fallout.
Why security exceptions are becoming the norm
One tried-and-true method for determining when a process is broken is to watch for the point at which there are more exceptions than rules. A survey of 200 U.S. cybersecurity leaders suggests that cybersecurity mandates are riddled with so many exceptions that, for all intents and purposes, there are no meaningful rules.
Conducted by Opinion Matters on behalf of Replica Cyber, a provider of a hardened platform for deploying applications, the survey finds every respondent (100%) worked for an organization that granted security or compliance exceptions in the past 12 months. Nearly two-thirds (63%) described those exceptions as formal, while 36% said they were granted via an informal workaround.
Why temporary security exceptions often become permanent
There are always going to be exceptions to any rule, but by and large they should be temporary. The survey makes it clear, however, that when it comes to security policies, far too many of the exceptions granted are permanent. For example, that policy created to prevent end users from using an open-source artificial intelligence (AI)…