Building Security That Works in the Real World

Many years ago, a friend of mine worked as a security director at a firm and had what they called an “audit box.” It was a pre-prepared box filled with policies, network diagrams, security controls and checkboxes.

Basically, all the things an auditor would want to see during a visit. Except they weren’t always a true reflection of reality. That’s a tidy version of cybersecurity. You purchase a tool, deploy it, tick the box and the problem goes away. No more audit findings, no more breaches.

And then there’s the real world, where people have meetings to get to, devices that don’t quite cooperate, and a low tolerance for anything that feels like molasses poured over their workday.

But what happens when the perfect plan meets an imperfect world? When a real-life scenario plays out, it can force a company to question whether all the controls in their “audit box” actually have a real-life impact. For example, a company might have a policy requiring multi-factor authentication (MFA), but if employees can’t actually use it in their day-to-day work, the policy is just a checkbox. Or, a firm might have network segmentation policies, but if the legacy systems they rely on can’t be segmented without breaking critical business functions, the policy never gets fully implemented.

Take the MFA example: if you’ve ever stood in a hallway impatiently waiting for your phone to receive an SMS code, or tried to switch between three different authenticator apps while a meeting starts without you, you’ll understand why rollouts sometimes get put on hold.

It’s not that people hate security. People hate friction. They hate feeling foolish in front of a client because the app won’t load. They hate missing a train because a VPN decided to re-enroll them at the ticket barrier. In those moments, policies lose to impatience. And when enough small moments accumulate, the best-intended control ends up half-deployed, half-used, or quietly bypassed.

But this isn’t a question restricted just to MFA. We need to look at every control and how much friction it adds to people’s lives.

The lesson isn’t “force it harder,” it’s “make it easier.” Reduce the number of times you ask someone to prove who they are by using single sign-on, and only step it up when the risk changes. Design for the situations that arise in daily life, such as lost phones, no signal, shared devices, frontline roles, and contractors who live between systems. Give people more than one secure way to succeed and a recovery path that doesn’t require a pilgrimage to the helpdesk.
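To make that concrete, here is an added example (not code from the original post or from KnowBe4) of a risk-based step-up policy: an SSO session is trusted by default, a second factor is requested only when the risk rises above what the session has already proven, and the prompt offers whichever factors the user can actually complete right now, with a self-service recovery path when none are available. The threshold, factor ordering and signal weights are assumptions chosen for illustration.

```python
from dataclasses import dataclass

STEP_UP_THRESHOLD = 50  # assumed policy value: above this the SSO session alone is not enough
# Assumed preference order; later entries are fallbacks for "no signal" or "lost phone"
FACTOR_PREFERENCE = ("passkey", "totp", "push", "sms", "backup_code")


@dataclass
class Session:
    user: str
    device_known: bool            # enrolled/managed device, or a shared/unknown one
    location: str                 # coarse current location, e.g. country or office
    baseline_location: str        # where the SSO session was first established
    factors_available: frozenset  # factors the user can complete right now
    proven_risk: int = 0          # highest risk already satisfied by a step-up this session


def risk_score(session: Session, action_sensitivity: int) -> int:
    """0-100 score from the signals in the post: unknown/shared device, changed location, sensitive action."""
    score = action_sensitivity
    if not session.device_known:
        score += 30
    if session.location != session.baseline_location:
        score += 25
    return min(score, 100)


def decide(session: Session, action_sensitivity: int) -> tuple[str, list[str]]:
    """Return (decision, usable_factors); decision is 'allow', 'step_up' or 'recover'."""
    score = risk_score(session, action_sensitivity)
    if score <= STEP_UP_THRESHOLD or score <= session.proven_risk:
        return "allow", []  # SSO session is sufficient, or this level was already proven: no prompt
    usable = [f for f in FACTOR_PREFERENCE if f in session.factors_available]
    if not usable:
        return "recover", []  # lost phone and no codes: self-service recovery, not a helpdesk trip
    return "step_up", usable


def record_step_up(session: Session, action_sensitivity: int) -> None:
    """After a successful step-up, remember the level so the same risk is not re-prompted."""
    session.proven_risk = max(session.proven_risk, risk_score(session, action_sensitivity))


if __name__ == "__main__":
    # Constructed scenarios: shared device in the office, then the same user with no signal abroad
    shared = Session("ana", False, "office", "office", frozenset({"totp", "sms"}))
    print(decide(shared, 40))       # ('step_up', ['totp', 'sms'])
    record_step_up(shared, 40)
    print(decide(shared, 40))       # ('allow', [])  same risk, already proven
    no_signal = Session("ana", True, "FR", "office", frozenset({"backup_code"}))
    print(decide(no_signal, 40))    # ('step_up', ['backup_code'])
```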

Culture matters just as much as the right tools and processes. If leaders treat security controls as optional, everyone learns the real policy. When rollouts are sprung on employees without explanation, people treat them like taxes. However, when executives use the same smooth setup as everyone else and clearly explain why they matter, resistance softens.

At the end of the day, security that only works in theory isn’t security at all, it’s theatre. The “audit box” might get you through an inspection, but it won’t stop an attacker or save you in a crisis. Real resilience comes from controls that fit into how people actually work, not how we wish they worked.

That means being brutally honest about what’s deployed versus what’s deployed and used, as even the most elegant policy collapses under the weight of a clumsy experience. It means measuring friction as carefully as you measure risk, and treating usability as a security feature, not a nice-to-have.

The future of effective security isn’t in thicker rulebooks or shinier dashboards, it’s in designing controls that people barely notice until they need them. If the security measure vanishes into the background of daily life yet stands ready when it counts, you’ve left the “audit box” behind and stepped into real-world security.

Because in the end, the control that’s easy and reliable will always beat the one that’s perfect on paper but impossible in practice.
