As information security has become more widely understood, the majority of organizations have built a set of supporting policies. Unfortunately, many of these are slowly drifting toward irrelevance because they have remained largely static since their creation. Policies should protect an organization, driving business benefit and regulatory compliance. But many organizations struggle to say that these policies are consistently enforced, or even widely understood, and this is of growing concern given the increasing shift toward an extended-enterprise model. Chief information security officers (CISOs) need to find the balance of an effective policy framework that can evolve with the changing legal, regulatory, and corporate governance requirements while not becoming a significant burden on the information security team.