What is the exception economy – and why is it a growing risk?

by Black Hat Middle East and Africa



Expand your knowledge and build resilience with the global Black Hat MEA community – in your inbox every week. 

This week we’re focused on…

Security exceptions. There was a time when exceptions weren’t the norm: you might approve a temporary workaround as a one-off, a conscious decision to bend the rules for a very specific purpose.

But new research from Replica suggests that exceptions are now the norm. 

The company’s report on what it calls the ‘exception economy’ found that 100% of surveyed organisations granted security or compliance exceptions over the past 12 months. And a third aren’t even using formal exception processes anymore – they’re relying on informal workarounds just to keep high-risk work moving.

The report sums it up like this: 

“The Exception Economy is businesses trading security for speed.”

And that trade seems to be becoming standard operating procedure.

The infrastructure problem underneath the risk

The report argues that modern work has outgrown the environments organisations were built to operate in.

AI projects, threat intelligence work, M&A activity, proprietary research and sensitive partnerships are all accelerating – but many organisations still rely on unmanaged environments and legacy controls.

The numbers: 

  • 45% say their most sensitive strategic work is happening in environments that are not fit for purpose.
  • 45.5% use cloud infrastructure managed by separate teams for high-risk work.
  • 35.5% use unmanaged or ad-hoc devices and environments.
  • Only around one-third use dedicated sandboxes, VDI or zero-trust workspaces.

Work has to happen too fast 

Replica summarises the issue in one sentence:

“The work has outpaced the infrastructure.”

And that’s beginning to create measurable business consequences.

Security debt is becoming operational debt

The report found that:

  • Nearly 40% delayed market expansion, product launches, M&A or AI deployment because work could not be done securely.
  • 20% of high-risk initiatives are abandoned entirely.
  • 58% abandon between 11% and 25% of potential high-risk activity because of exposure or compliance concerns.

Interestingly, CISOs are pulling back almost twice as often as CIOs:

  • CISOs abandon 23% of risky work on average,
  • compared with 13.5% for CIOs.

That suggests a growing tension between security teams and the pace of the business itself. 

When ‘temporary exceptions’ become permanent

One finding from the report stood out to us – the stats on what organisations do when approved environments don’t exist.

  • 46.5% proceed on corporate systems despite reservations.
  • 43.5% turn to unofficial or ad-hoc environments (effectively shadow IT).

And the people most likely to proceed anyway are CISOs themselves.

According to the research, 59% of CISOs continue work on corporate systems even when they know the environments are not appropriate, compared with just 21% of VPs of Cybersecurity.

We think that’s down to pressure, not recklessness. Today’s organisations are being asked to move faster than their governance models and security environments can support.

AI is accelerating the problem

We know – AI is accelerating lots of problems. But it really is a pressure multiplier here. Replica notes that AI: 

“...moves fast, touches sensitive data, and doesn’t wait for infrastructure to catch up.”

AI systems can force data across boundaries (between teams, clouds, vendors, even jurisdictions) too quickly for anyone to govern securely. 

And the result is an environment where exceptions become normalised. Policies are bypassed, and security becomes negotiable whenever speed is a critical concern. 

There’s short-term risk here – that’s obvious. But we see a deeper threat. Because once organisations become comfortable operating outside approved controls, exceptions stop being exceptions altogether.

We want to know what you think 

Does the normalisation of exceptions create a new challenge for cybersecurity training and awareness programmes – and how can organisations mitigate this risk? 

Open this newsletter on LinkedIn and share your opinion in the comments. 

We’ll see you back here next week.
