Across many mature organisations, the same phrases seem to keep coming back, like “Aligned with best practice”, “The control is in place”, and “We followed the framework”. They survive failure. They survive scandal. They survive the people who used them last time. The question worth asking is perhaps not whether they are accurate, but why they are so robust.
The usual explanations cover bureaucratic inertia, regulatory capture, and the well-documented limits of organisational learning. These are real, but they are not the most interesting part. The more interesting possibility is that these phrases are doing useful work. Just not the work they appear to be doing.
A statement like “the control was aligned with industry best practice” looks, at first reading, like a description of a control. Possibly not. It looks more like a multipurpose institutional artefact, in which the description of the control is, at best, the fifth thing on its list of jobs.
The other jobs
Consider what such a phrase actually accomplishes when uttered in a real meeting.
It can distribute liability. “Best practice” sources the standard somewhere outside the room. If something goes wrong, the failure is no longer a failure of judgement on the part of the people present. It is a failure of the industry consensus, which is harder to sue and impossible to fire. The phrase is a small legal jacket worn under the suit.
It can produce audit evidence. Auditors do not, as a rule, evaluate whether a control is effective. They evaluate whether a control was adopted, documented, and maintained according to a recognisable standard. A sentence anchored to “best practice” is a sentence that lands cleanly in an audit report. The phrase exists, in part, to be quoted back later by a third party in a compliant tone.
It can justify procurement. Tools and platforms purchased under the heading of “best practice” do not require the buyer to defend the specific outcome they will produce. They require the buyer to defend the alignment. This is a substantially easier conversation, and it scales beautifully across budget cycles.
It can reassure boards. Boards, almost universally, do not want to hear that the programme is being figured out as it goes along. They want to hear that it is aligned with something. The phrase produces the right shape of reassurance even when the underlying reality is undefined. This may be less a bug than a feature, cultivated over decades by people whose jobs depend on calm boards.
It can protect careers. The single most reliable use of “best practice” language is post-incident. “We followed the recognised standard at the time” is one of the few sentences capable of preserving an executive career through a public failure. The phrase is a parachute. People do not wear parachutes because they expect to fail. They wear them because they have noticed how gravity works.
Read together, the descriptive content of the phrase, the bit that purports to say something about the actual control, is doing perhaps a fifth of the total work. The other four-fifths are institutional housekeeping that has very little to do with the underlying risk.
Not just security
This pattern is not a security pathology. It is an organisational one, and it is everywhere.
Clinical governance has its own dialect: “Procedures were followed”, “The protocol was applied”, “The team acted within established guidance”. After avoidable harms in hospitals, similar phrases tend to appear in a particular order, doing what looks like the same five jobs as their security equivalents, with vocabulary tuned by clinical lawyers rather than by CISOs.
Financial regulation has another: “The model was within agreed risk parameters”, “The trade was consistent with the firm’s stated risk appetite”. Anyone who lived through 2008 can recite these from memory, and anyone who reads the post-mortems on the next financial crisis will recite them again, lightly modified. The language is not failing to learn. It is succeeding at something else.
Public-sector reviews into deaths in care, custody, or the family courts produce a specialised version: “All relevant procedures were followed”, “The case was assessed in line with the framework”, “Lessons will be learned”. That last phrase is so worn smooth by repetition that it now reads as a kind of ritual closing prayer, in which the lesson is the absolution rather than the necessary changes.
Once the pattern is visible across these very different domains, the security version stops looking like a security failure and starts looking like a feature of how organisations talk about themselves under threat of consequence. The vocabulary differs. The function is identical.
Why reform usually loses
This has an awkward implication for anyone trying to improve things from inside.
Most reform efforts, especially the well-meaning ones, target the language. Sharper words. Better metrics. More honest reporting. Outcome-based rather than capability-based assessment. These efforts almost always produce a brief flowering of clearer prose, followed by the slow re-emergence of the old vocabulary in slightly modified form. “Capability” gets replaced by “outcome”, and within two years “outcome” is being used to mean exactly what “capability” used to mean.
The reason may be that the language is not the problem. The function is. Liability still needs distributing. Audits still need surviving. Boards still need reassuring. Careers still need protecting. Meetings still need ending. As long as those needs exist, the organisation will generate vocabulary to meet them, and the vocabulary will be selected, over time, for its capacity to do those jobs without quite committing to anything testable.
Reforms that ignore this and treat the language as a moral failing tend to produce a tense and brittle period in which people simply learn to say less. Reforms that engage with the function, by giving people genuinely better ways to distribute liability, defend procurement, and protect themselves when things go wrong, sometimes work. They are also rarer, because they require admitting that the underlying needs are real and largely reasonable.
What this leaves
None of this means organisations are hopeless, or that the phrases are villainous, or that the people using them are stupid. Most of the people in the room genuinely cannot tell the difference between the descriptive job and the institutional one, because the phrases were carefully bred so that nobody would have to.
The quieter point is this. When a phrase keeps surviving its own falsification, the question worth asking is not “why don’t they learn?” The question is “what is this sentence actually for?” The answer is rarely a single thing. It is usually four or five things at once, none of which involve the topic ostensibly under discussion.
That may be how some ideas outlast their own evidence. The evidence appears to be grading them on the wrong rubric.