Policies Don't Stop Incidents. Capability Does!

Most organisations have policies. Few have the muscle to act on them.

Your acceptable use policy exists. Your data handling policy is documented. Your incident response plan is approved and filed. Yet insider incidents still occur in organisations that have all of them. The reason is straightforward: policies create expectations. They do not create detection, escalation, or the judgement to act when something feels wrong but is not yet undeniable.

This is not a policy problem. It is a capability problem. Organisations often confuse the existence of a policy with the capability to enforce it. They are not the same thing. A policy tells people what the organisation expects. Capability tells the organisation what it can actually do when it matters. The gap between those two is where insider risk lives, and most organisations do not know how wide it is.

Consider three scenarios.

1. An organisation with a strong acceptable use policy but no mechanism for managers to raise early concerns has a document, not a defence.
2. An organisation with a data handling policy but no access hygiene has compliance language and open pathways.
3. An organisation with an incident response policy but no cross-functional triage has a plan that will not hold under pressure.

In each case, the policy is real. The capability is not.

Real capability looks different. It shows up when a manager notices a shift in behaviour and feels psychologically safe enough to raise it without fear of legal blowback or awkwardness. It shows up when concerns cross silos quickly enough to matter, not weeks later in a formal meeting. It shows up when you can intervene before something quiet becomes something loud, before damage is done.

This requires three things that policies cannot provide.

1. People who know what to do and feel empowered to act. Not everyone needs to be a security expert, but managers need to recognise early signs and know where to escalate without bureaucracy.
2. Structures that connect the right functions. HR is aware of performance issues and departures. IT knows about access patterns and data movement. Security knows about tools and controls. Risk knows about appetite and tolerance. If those four functions do not talk to each other in real time, you have the capability in pieces and no capability where it counts.
3. Leadership that acts when something feels wrong, not when proof is undeniable. By the time you have proof, damage is often done.

The cost of mistaking policy for capability is high. Leaders feel confident. Boards feel assured. Budgets are allocated to compliance frameworks and awareness training. Then an incident occurs, and the organisation discovers that what it thought it could do, it cannot.

The gap reveals itself too late.

The question is not whether your organisation has policies. The question is whether your organisation can act on them when it matters. Can you detect when a trusted person's behaviour shifts? Can you escalate without fear of retaliation claims? Can you move fast enough to stop it? If you hesitate on any of those, you do not have the capability. You have paperwork.

This is not about surveillance or control. It is about building the systems, the connections, and the judgement to catch what is quiet before it becomes loud. It is about visibility, not paranoia.

Access that is short-lived and auditable. Conversations about risk that flow naturally through the organisation because people feel safe raising them. Response that is swift and proportionate, not theatrical or punitive.

Most incidents start quietly. Most organisations miss the quiet signals because they conflate having a policy with being ready. Capability is readiness. Policies are intentions. Know the difference, or the difference will find you.