Security policies vs helpdesk reality
It is easy for external consultants to mandate strict Conditional Access policies or aggressive Defender rules. It is much harder to be the person answering the phone when the CEO gets locked out.
It is easy to draw a perfect security architecture on a whiteboard. It is much harder to be the person answering the phone when the CEO gets locked out of their email during a board meeting.
Before I became an external security consultant, I spent my career on the inside. I served as Head of IT for a fast-moving SME, managing a 12-person service desk, owning a £200k infrastructure budget, and acting as the final escalation point when things broke.
During that time, I learned a brutal truth about IT security: if a policy cannot survive helpdesk pressure, it is not a real policy. It is just a temporary inconvenience before someone creates an exception.
Here is why most external security consulting fails the internal helpdesk test, and how to fix it.
1. The Gap Between "Compliant" and "Workable"
When I led my team through our first Cyber Essentials Plus certification, we didn't just need to tick boxes. We had to drive endpoint compliance from a messy 72% up to a rock-solid 96% in under two months, using Microsoft Intune and Defender for Endpoint.
External auditors or consultants often hand over a list of failing devices and walk away. But the internal IT team knows the reality:
- Device #1 belongs to a field sales rep who hasn't connected to the VPN in six weeks.
- Device #2 is running a legacy macOS version because a critical Adobe plugin hasn't been updated.
- Device #3 is sitting in a drawer in HR.
If an external consultant just enforces a blanket "block non-compliant devices" Conditional Access policy, the service desk drowns in tickets on Monday morning.
The Fix: You don't enforce until you map the exceptions. You use report-only mode to find the edge cases, build targeted Intune device categories, and communicate the change before it happens. Security should be a planned rollout, not a surprise attack on your own staff.
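As an added example (not code from the original post), here is how the report-only signal can be turned into that exception map before a "require compliant device" policy is switched to enforced: it reads Entra sign-in log records in the Microsoft Graph `signIn` shape and lists which users and devices would have been blocked by the named policy. The policy names and sign-in records are constructed samples.

```python
from collections import Counter, defaultdict

POLICY = "CA010 - Require compliant device"  # constructed policy name, not from the post

# Constructed sample records in the shape of an Entra sign-in log export (Graph signIn resource).
SIGN_INS = [
    {"userPrincipalName": "sales.rep@example.com", "appDisplayName": "Outlook",
     "deviceDetail": {"displayName": "LAPTOP-SALES01", "operatingSystem": "Windows 11", "isCompliant": False, "isManaged": True},
     "appliedConditionalAccessPolicies": [{"displayName": POLICY, "result": "reportOnlyFailure"}]},
    {"userPrincipalName": "sales.rep@example.com", "appDisplayName": "Teams",
     "deviceDetail": {"displayName": "LAPTOP-SALES01", "operatingSystem": "Windows 11", "isCompliant": False, "isManaged": True},
     "appliedConditionalAccessPolicies": [{"displayName": POLICY, "result": "reportOnlyFailure"}]},
    {"userPrincipalName": "designer@example.com", "appDisplayName": "SharePoint Online",
     "deviceDetail": {"displayName": "MBP-DESIGN", "operatingSystem": "MacOs 11.7", "isCompliant": False, "isManaged": True},
     "appliedConditionalAccessPolicies": [{"displayName": POLICY, "result": "reportOnlyFailure"}]},
    {"userPrincipalName": "finance@example.com", "appDisplayName": "Outlook",
     "deviceDetail": {"displayName": "LAPTOP-FIN02", "operatingSystem": "Windows 11", "isCompliant": True, "isManaged": True},
     "appliedConditionalAccessPolicies": [{"displayName": POLICY, "result": "reportOnlySuccess"}]},
    {"userPrincipalName": "finance@example.com", "appDisplayName": "Outlook",
     "deviceDetail": {"displayName": "", "operatingSystem": "Windows 10", "isCompliant": False, "isManaged": False},
     "appliedConditionalAccessPolicies": [{"displayName": "CA001 - Require MFA", "result": "success"}]},
]

def policy_result(record, policy_name):
    """Outcome the named policy recorded for one sign-in, or None if it was not evaluated."""
    for applied in record.get("appliedConditionalAccessPolicies", []):
        if applied.get("displayName") == policy_name:
            return applied.get("result")
    return None

def result_counts(records, policy_name):
    """Tally of outcomes for the policy: reportOnlyFailure is the would-be blast radius."""
    return Counter(r for r in (policy_result(x, policy_name) for x in records) if r)

def would_be_blocked(records, policy_name):
    """Map each user to the devices that would have been blocked, with OS, enrolment state and apps hit.
    This is the exception map to review with the service desk before flipping the policy on."""
    blocked = defaultdict(dict)
    for rec in records:
        if policy_result(rec, policy_name) != "reportOnlyFailure":
            continue
        dev = rec.get("deviceDetail", {})
        name = dev.get("displayName") or "<unregistered device>"
        entry = blocked[rec["userPrincipalName"]].setdefault(
            name, {"os": dev.get("operatingSystem"), "managed": dev.get("isManaged"), "apps": set()})
        entry["apps"].add(rec.get("appDisplayName"))
    return dict(blocked)
```

On a real export, run `would_be_blocked` over a few weeks of sign-ins so that infrequent devices (the field rep who rarely connects) appear in the map rather than in Monday's ticket queue.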
2. The Danger of "Best Practice" Baselines
Microsoft provides excellent security baselines. Many MSPs and consultants will simply apply the "Strict" profile to your tenant and consider the job done.
The problem? "Best Practice" assumes a perfect environment. If your company relies heavily on guest access in SharePoint, or uses legacy authentication for an old warehouse scanner, applying a blanket baseline will instantly break production.
When things break, the internal IT team takes the heat. Under pressure from leadership, the quickest way to get production moving again is to create an exception. Fast forward six months, and your pristine security baseline looks like Swiss cheese, full of undocumented exclusions.
The Fix: Baseline deployment requires empathy. You review the current configuration, identify where "Best Practice" conflicts with "Business Reality," and you engineer a compromise. Sometimes that means deploying a custom policy instead of a preset, or isolating legacy systems behind specific network access rules.
3. Handover Without Handoff
The biggest failure of project-based IT work is the handover. A consultant arrives, changes a dozen settings in the Entra ID portal, sends an invoice, and disappears.
Six months later, an internal 2nd-line engineer gets a ticket because a user cannot access an Azure application. The engineer looks at the Conditional Access portal, sees a labyrinth of interlocking rules created by a consultant who is no longer there, and doesn't dare touch them for fear of breaking something else.
The Fix: A security engagement is not finished until the internal team understands how to operate it. When I rebuild a tenant's security, the output is not just a dashboard showing green ticks. The output is a clear, written runbook. It explains exactly what changed, why it changed, where the evidence lives, and how the internal team should handle future exception requests.
Security That Understands Operations
Good security consulting doesn't come from reading Microsoft documentation. It comes from having sat in the seat, managed the budget, and felt the pain of a bad rollout.
If you are tired of security advice that ignores operational reality, let's talk. We can untangle your Microsoft 365 tenant, get you ready for Cyber Essentials Plus, and hand the keys back in a shape your team can actually run.