Happy May the Fourth to all who celebrate it. You may have guessed that I am one of those people. With the holiday upon us, I was more intentional than usual in exploring the connections and lessons Star Wars offers when it comes to business security. That’s when it hit me like a bolt of Force lightning: Governance, specifically policies.

Policies are our first step in establishing our security programs. They should be based on our risk appetite and risk acceptance and provide clear guidance within our organization. One way policies often undo the good they’re intended to serve is when we make them too restrictive or too specific in what they prohibit. We view policies as a means of avoiding adverse impacts through behavior and practice; however, in reality, policies should clearly state what we want in a positive manner.

What a Bad Policy Looks Like

Restrictive policies without a proper explanation for their rationale can create a scenario where people in our organizations either ignore them or find ways to work around them. At the end of the day, everyone at our company wants to execute their mission, complete their tasks, and feel confident that they are meeting their expectations.

We all want to do what’s best for ourselves, what makes us happy, and policies that are too restrictive and cut against that intent have a way of creating the very risks they are intended to diminish. A bad policy can have an unforeseen negative impact. A bad policy created Darth Vader.

The story of Darth Vader is nothing more than a study in GRC (governance, risk, and compliance) and the negative outcomes that can occur when these principles become dogmatic and impractical. Our policies are meant to establish and improve our security posture. Yet, a poor policy can create a new vulnerability that we haven’t accounted for and aren’t tracking, which can then be exploited, and we won’t be aware until it’s too late.

It can lead to an internal threat, often referred to as an insider threat, where the threat originates from within an organization rather than an external source. There may be some external help in exploiting the vulnerability, but we’ve set the course in motion internally. The Jedi policy of no personal attachments, meaning no personal relationships, set the course that would eventually lead to their entire downfall.

The Jedi’s Fatal Policy

Understanding the “No Attachments” Rule

Quick background for those who may not be aware: the Jedi policy of “no attachments” was most closely related to personal, dating relationships. The Jedi were akin to warrior monks; their dedication was to the Force and their fellow Jedi, and “for good.” The thought was that personal attachments created an emotional connection that would conflict with these priorities.

To ensure that a Jedi’s focus and efforts met the overall mission of the group, they forbade Jedi from having such attachments. This policy was in full effect when Anakin Skywalker began his training as a Jedi. The conflict starts when the policy and the environment within which it’s enacted don’t properly align.

Warrior monk groups tend to be isolated from the general population. That’s one of the ways they feel they can best ensure that their focus and mind are dedicated solely to the tenets and fulfillment of their vows and the order. The Jedi operated among people, often engaging in areas of heightened intensity, which can lead to the formation of strong emotional bonds.

It’s these bonds that often give rise to lasting relationships. Such is the case with Anakin and Padmé Amidala. Thrown together and set to meet under circumstances of youthful impressionability and high-stakes action, their course was set in motion simply because of the connections within their circles.

So, if it was all so innocent, how did it go so wrong?

When Policy Fails to Adapt

Anakin and Padmé were aware of the policy of no attachments, and at first, they did their best to avoid their feelings and adhere to that policy. However, the emotional connection was too strong, and eventually, with Anakin as the driving force, they decided that the policy was outdated and made no sense, opting to pursue their romance in private.

That’s where it starts.

A policy that doesn’t seem thought out or still relevant to those it’s intended to govern, paired with a leadership that is stuck in dogmatic views and neither recognizes the shifts and changes in the times nor finds a way to adapt, creates a situation where a stated policy is not being followed, rendering it and its intentions moot.

This creates a new vulnerability. Anakin and Padmé eventually marry (spoiler alert), and Anakin begins to have visions of Padmé’s death in an uncertain, but not-too-distant future. Naturally, this creates conflict and an emotional response for him. He’s troubled by the visions, knows that it’s a strong likelihood, even though ever-changing, the future is.

He becomes conflicted.

The complication is that he knows he’s in violation of the policy. The punishment for violating this policy is banishment from the order. An order whose mission he believes in. He doesn’t feel that the punishment fits the crime, but he won’t risk it, so he doesn’t go to his fellow Jedi for help. Sure, he asks vague questions about the visions and the future and how to stop it from happening, but he doesn’t get into specifics.

What potentially makes matters worse is that it appears at least a couple of the Jedi sense that he has violated the policy, notably Obi-Wan. Still, they remain silent, not wanting to create conflict or add to the complication.

This compounds Anakin’s vulnerability.

How the Threat Grew from Within

Missed Signals and Compounding Risks

His emotional connection to his wife and his vision of what appears to be her pending death in childbirth creates a strong desire in him to find a way to prevent that from happening, potentially no matter the cost. It is a glaring vulnerability, ripe for exploitation. And Supreme Chancellor Palpatine, aka Darth Sidious, future Emperor Palpatine (again, spoiler alert), is the person to do just that.

Palpatine senses Anakin’s fears, senses his vulnerability, and begins to exploit that. He begins to use that fear to turn Anakin against the Jedi, claiming their teachings are outdated and that they refuse to utilize their abilities to the fullest extent, such as saving the lives of those they love. The only way to learn this power and gain the ability to save his wife is for Anakin to turn against the Jedi and join the Sith.

Exploitation and the Turn to the Dark Side

Conflicted though Anakin may be, he makes this choice because of how important Padmé is to him, above all else, including the Jedi order. An outdated policy led to a vulnerability that could be exploited, culminating in a full-blown incident that required a response.

Anakin gives himself fully to Darth Sidious, to follow his teaching and commands, all for the chance to achieve the power to save Padmé from what he views as certain death. The policy and punishments are irrelevant. They are an obstacle he must overcome to save her. His loyalty and belief in the Jedi order are irrelevant; they refuse to change over time or even consider ways in which they could help him.

No matter how atrocious Sidious’s commands may be, Anakin will opt to follow them just for the chance that they will lead to his ability to save his wife. He can justify his actions because they are leading to an end that means more to him than anything else. It isn’t long before he completes his turn and becomes the individual we know now as Darth Vader.

It’s Vader’s turn and actions that accelerate the events leading to the almost complete eradication of the Jedi. Their greatest threat came internally, born of a policy that was likely outdated, neither adequately enforced nor explained, and paid lip service to but never established in an environment where it could be easily followed by those it was imposed upon.

A policy that was idealistic but failed to set a proper tone created an internal threat that no one was aware of until it was too late. The die had been cast and events were set in motion that couldn’t be stopped.

Real-World Takeaways for Cybersecurity and Governance

Our policies are central to how we view our business and how we want to project it, specifically internally, which reflects our priorities and values. There are many instances where an organization creates a policy “just to have one,” because it’s an open item that’s likely to come up during an audit. They go online, find a nice template, download it, and implement it. Or we hold fast to policies that have been in place for a long time.

We fail to review them for current relevancy or the changing landscape. We hold fast to ideals because they sound good, unaware of the threat environment they create for us. We turn a blind eye to potential consequences, just holding on to “because it’s policy.”

Outdated Policies Are a Risk

Policies need to be relevant. The environment in which they exist must enable them, not create friction that will inevitably lead to their circumvention. They should be high-level, mission-focused, and not prohibitive whenever possible. They should guide our company and its people towards shared success, not cause a conflict of purpose or fulfillment.

When policies fail to keep up with how people work, they can create more confusion than clarity. Employees may start cutting corners, working around security controls, or simply ignoring outdated rules altogether. This behavior doesn’t stem from malicious intent, but rather from a desire to complete the task efficiently. That’s precisely why continuous policy review, coupled with real-world input from employees, is critical. Waiting for an audit to expose gaps is too late. The risk environment moves fast, and your policies need to keep pace with it.

Make Policies Mission-Aligned and Human-Centered

Policies are a purposeful and important tool. But they need intention and focus behind them. Otherwise, the very policy we’ve enacted for “good reason” may lead to our eventual downfall.

Mission-aligned policies should do more than exist on paper.

They should be communicated clearly, supported by leadership, and reinforced through training and culture. When people understand why a rule exists and how it protects both them and the organization, they’re more likely to follow it. Encourage feedback loops that allow teams to raise concerns or propose changes. That’s how you build a resilient policy framework, one that reflects shared goals rather than outdated ideals.

Conclusion: Don’t Create Your Own Darth Vader

Don’t let your policies lead to the creation of your own Darth Vader: the internal threat that leads to the demise of your own organization.

May the Force be with you.