Good cybersecurity policies (management directives) should leave no room for misinterpretation or misperception.
Further down the road, if policies are neither precisely general nor precisely specific enough for just-right coverage, many “policy exceptions” will result. The most incorrect approach is to ask senior management to approve each such exception.
The right model is for the cybersecurity Subject Matter Expert (SME) to assess the area where a policy cannot be complied with. The SME should recommend pragmatic compensating controls and grant temporary approval, with senior management in the role of being informed.
We, cybersecurity practitioners, must help senior management understand cyber risks (which are mostly a matter of perception) and how those risks could be exploited in our own specific business environment. Take the recent Log4Shell zero-day vulnerability: understand what it is rather than blindly pushing patches, assess the likelihood of exploitation in our environment, and stand firm in explaining why it is not severe for us when cyber threat intelligence reaches senior management directly.
And don’t forget that a policy exception could be a wake-up call that the policy is incorrectly stipulated. Policies are living documents. They must undergo periodic review by stakeholders; listen to them and remove ambiguity. Otherwise, nurturing cybersecurity in the organization is a dead end.