Ten Things CISOs Could Do Better

Before you show up with pitchforks, shaking your fists at me and demanding I take this blog post down, hear me out. I’ve been fortunate enough to work in the IT security industry since the mid-1990s, and things have changed—a lot. One shining example of a CISO not quite getting things right is the case of Joe Sullivan, the former Chief Security Officer at Uber. The case was significant enough to set a new precedent for the accountability of security leaders and to introduce a new CISO persona: “The Sacrificial CISO.”

In 2016, Uber experienced a data breach in which hackers accessed the personal information of about 57 million users and the driver’s license numbers of around 600,000 drivers. Instead of disclosing the breach as required, Uber paid the attackers $100,000, labeled it a “bug bounty,” and had them sign non-disclosure agreements to keep the breach quiet. Sullivan was later found guilty of obstructing an FTC investigation and of failing to report a crime. There are legitimate avenues for offering bug bounties through HackerOne, by the way!

This prompted me to reflect on the broader issues that CISOs often overlook or fail to consider. So, here’s a quick rundown (and by the way, I saved the best for last):

Ten Things ‘Some’ CISOs Get Wrong, and Could Do Better

1. Password Policies: Prioritizing Complexity Over Practicality

The Issue: Many security leaders enforce strict password requirements based on outdated guidance that once demanded a minimum of 16 or more characters, special symbols, and frequent changes, all without offering a corporate password management solution. This places an unnecessary burden on users and often leads to risky behavior such as storing passwords on personal devices or writing them down. I’ve seen people keep their passwords in the Apple Notes app or in a spreadsheet for exactly this reason!

The Solution: Follow the updated NIST guidelines, which recommend allowing longer passphrases and discouraging unnecessary complexity. This isn’t about blindly following the guidance; it’s about applying critical thinking.

NIST moved away from recommending frequent password changes and complex composition rules (such as requiring uppercase, lowercase, numbers, and special characters, or disallowing previously used passwords). The guidelines now emphasize long, memorable passphrases over short but highly complex passwords. NIST SP 800-63B specifically discourages periodic password changes unless there is evidence of compromise. It also calls for allowing passwords to be pasted, to encourage the use of password managers and to acknowledge that memorizing highly complex passwords is impractical. It really frustrates me when applications take active measures to block pasting of passwords. Luckily, KeePassXC and other password managers have an auto-type feature!
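As an added example (not code from this post), here is a Python acceptance check that encodes the SP 800-63B rules just described, placed next to the legacy style of policy this section criticises so the difference shows up on a real passphrase: the legacy rules reject a long, memorable passphrase while accepting a short, predictable one, and have no blocklist at all. The blocklist, the 128-character cap, and the sample values are constructed assumptions; a real deployment would check candidates against a breach corpus.

```python
"""Password-acceptance check in the spirit of NIST SP 800-63B.

Added example, not code from the post. It encodes the rules the post
summarises: a minimum length but no composition rules, long passphrases
(spaces and Unicode included) allowed, a blocklist of known-bad values,
and no expiry rule at all (rotation happens on evidence of compromise,
which is an event, not a validation rule). A legacy checker of the kind
the post criticises is included for contrast.
"""
import string
import unicodedata

MIN_LEN = 8     # SP 800-63B: at least 8 characters for user-chosen secrets
MAX_LEN = 128   # SP 800-63B requires permitting at least 64; this cap is an assumption

# Constructed sample blocklist (compromised and commonly used values).
BLOCKLIST = {"password", "password1", "qwerty123", "letmein", "welcome1", "iloveyou"}


def normalize(secret: str) -> str:
    """SP 800-63B asks verifiers to apply NFKC or NFKD before hashing or
    comparing, so visually identical Unicode spellings compare equal."""
    return unicodedata.normalize("NFKC", secret)


def _is_sequence(s: str) -> bool:
    """True for runs like 'aaaaaaaa', 'abcdefgh' or '87654321': every step
    between neighbouring code points is the same and is 0 or +/-1."""
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return len(steps) == 1 and steps <= {-1, 0, 1}


def nist_check(secret: str, username: str = "", service: str = "") -> list[str]:
    """Return the reasons a candidate secret is rejected; [] means accepted.
    Length is counted in code points, each counting as one character."""
    s = normalize(secret)
    reasons: list[str] = []
    if len(s) < MIN_LEN:
        reasons.append(f"shorter than {MIN_LEN} characters")
    if len(s) > MAX_LEN:
        reasons.append(f"longer than {MAX_LEN} characters")
    # All printing characters and spaces are allowed; only control characters are not.
    if not all(ch.isprintable() for ch in s):
        reasons.append("contains non-printing characters")
    lowered = s.lower()
    if lowered in BLOCKLIST:
        reasons.append("found on the compromised/common-password list")
    # Context-specific words (the user's name, the service name) are rejected.
    for ctx in (username, service):
        if ctx and ctx.lower() in lowered:
            reasons.append(f"contains the context-specific word {ctx.lower()!r}")
    if _is_sequence(s):
        reasons.append("sequential or repeated characters")
    return reasons


def legacy_check(secret: str) -> list[str]:
    """The kind of policy the post argues against: 16+ characters and every
    character class. It rejects strong passphrases, pushes users toward
    predictable patterns, and has no blocklist at all."""
    reasons: list[str] = []
    if len(secret) < 16:
        reasons.append("shorter than 16 characters")
    if not any(c.isupper() for c in secret):
        reasons.append("no uppercase letter")
    if not any(c.islower() for c in secret):
        reasons.append("no lowercase letter")
    if not any(c.isdigit() for c in secret):
        reasons.append("no digit")
    if not any(c in string.punctuation for c in secret):
        reasons.append("no special character")
    return reasons


if __name__ == "__main__":
    for candidate in ["correct horse battery staple", "password", "Tr0ub4dor&3Xyz!!"]:
        print(f"{candidate!r}: NIST -> {nist_check(candidate) or 'ok'}; "
              f"legacy -> {legacy_check(candidate) or 'ok'}")
```

Run it as a script to see the two policies disagree on the passphrase. Note that the NIST-style check deliberately has no expiry field: forcing a change is a response to a compromise event, not a property of the password itself.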

Also, provide employees with a secure password manager, such as Bitwarden, to promote good password hygiene and reduce their cognitive load. Taking this a step further, consider giving each employee a Bitwarden Families account for life. Why? Think about it: if employees adopt best practices such as using unique passwords for every site and service in their personal lives, that habit spills over into better security awareness in the corporate environment too.

MFA (multi-factor authentication) is also extremely important. It’s the combination of these measures that makes for a stronger, multi-layered defense.

2. Allowing Predictability

The Issue: Standard email address formats, such as first.last@company.com, are easy for threat actors to guess, which raises the risk of phishing and credential-stuffing attempts.

The Solution: Consider implementing randomized email formats or aliases for employees, such as sam.04234@company.com. This may seem unconventional, but automation and autocomplete reduce user friction while making it significantly harder for attackers to guess valid addresses. When was the last time you had to type someone’s email address by hand? Taking this a step further, I am a huge fan of alias email addresses, which should be used for all supply chain and procurement accounts. The next time an invoice demanding payment arrives at someone’s business address instead of the alias assigned to that particular supplier, a red flag can be raised.

However, it’s important to recognize that this isn’t security by obscurity. Many business-focused data brokers, such as ZoomInfo, populate their data automatically using these predictable formats. Sure, the email address may end up public at some point anyway, but that’s not what we’re addressing here. What we are addressing is the stab-in-the-dark phishing attempt sent to first.last@company.com. Will it eliminate phishing entirely? No. A threat actor doing good reconnaissance will find the real address without much trouble, but it will significantly reduce phishing and spam!

3. Over-Reliance on Perimeter Security

The Issue: Traditional perimeter defenses, such as firewalls and VPNs, are insufficient in today’s world of cloud adoption, remote work, and mobile devices. Despite this, some CISOs still operate on the assumption that protecting the network perimeter is the primary line of defense.

The Solution: Embrace a Zero-Trust security model that assumes no implicit trust within or outside the network. Implement strong identity management, continuous monitoring, and adaptive policies to secure data and resources regardless of the user’s location.

While traditional perimeter defenses (like firewalls and VPNs) are still important, they are becoming increasingly inadequate. A good example is the Akira ransomware group, which threat intelligence reporting shows exploits vulnerabilities in virtual private networks (VPNs) extensively. The concept of a ‘perimeter’ has blurred, making it crucial to shift toward Zero Trust, where internal networks are not inherently trusted and verification is continuous.

4. Overlooking the Risks of Remote Access

The Issue: Remote support tools such as TeamViewer present a significant security risk if deployed broadly without strong access controls; TeamViewer has already been used to breach networks in ransomware attacks. I get it: these tools are really convenient for IT teams, especially for supporting remote or geographically dispersed workers, but it’s just not worth it. Over-reliance on them increases the likelihood of exploitation, especially when they are improperly configured or inadequately monitored.

The Solution: Restrict the use of remote access tools where possible; where they are necessary, enforce multi-factor authentication (MFA) and closely monitor every remote access session. Consider alternatives that provide better control and visibility while minimizing risk. If I were to recommend just one, it would have to be BeyondTrust.

5. Failing to Align Security with Business Objectives

The Issue: CISOs often make the mistake of treating cybersecurity as a purely technical domain, which makes it hard to secure the necessary resources and executive buy-in. A CISO must focus on enabling the business securely, translating technical risk into business impact, and prioritizing investments that align with the company’s broader goals.

The Solution: Understand and articulate how security initiatives align with and support broader business goals. Communicate risks in business terms to foster executive support and ensure security investments are prioritized based on business impact.

6. Ignoring User Experience in Security Policies

The Issue: A security policy that imposes too much friction on employees will inevitably be circumvented. Examples include overly complicated authentication processes, lack of secure remote access options, or restrictive policies that inhibit productivity.

The Solution: CISOs should work toward striking a balance between security and usability to ensure compliance and avoid creating incentives for insecure workarounds. Adopt user-friendly security measures, such as single sign-on (SSO) and biometric authentication, to reduce friction while maintaining robust protection.

7. Neglecting the Importance of Insider Threats

The Issue: Many CISOs prioritize external threats and neglect internal risks, including accidental or malicious actions by employees. Insider threats are often exacerbated by a culture of mistrust, with excessive monitoring or poorly communicated policies.

The Solution: Foster a culture of transparency and accountability without making employees feel overly scrutinized. Regularly educate employees on security best practices and adopt monitoring practices that respect employee privacy while still identifying anomalies.

8. Treating Compliance as the End Goal

The Issue: A compliance-first mentality can lead to complacency. CISOs who focus solely on meeting regulatory requirements often miss the bigger picture, neglecting risks that don’t fall neatly into compliance frameworks. Effective security programs go beyond checking the boxes to continuously assess and address risks that are unique to their organization.

The Solution: Go beyond compliance by conducting continuous risk assessments and focusing on the specific threats your organization faces. Prioritize real-world threats over checklist requirements. And go do some tabletop exercises!

9. Overwhelming Security Teams with Too Many Tools

The Issue: It’s tempting for CISOs to respond to each new threat with a new tool or solution. However, this results in ‘tool sprawl’ (and a headache), where the security team is left managing a hodgepodge of disconnected tools, leading to inefficiency and alert fatigue.

The Solution: It’s nearly impossible for any CISO to keep up with the vast array of products and vendors; there are literally thousands. This makes it crucial for CISOs to first identify their company’s most critical assets and then prioritize the technical controls needed to protect them. By focusing on key risks and needs, you can narrow down the pool of vendors and concentrate on solving specific problems rather than being overwhelmed by the sheer volume of available tools. CISOs should focus on consolidating and integrating tools to streamline operations and provide comprehensive visibility. Recommendations from other CISOs in your network are also invaluable when evaluating options, as are insights from analysts such as Gartner.

10. Not Considering OPSEC: Protecting Executives Against Targeted Attacks

The Issue: I saved the best for last. Executives and leaders are often high-value targets for attackers due to their access and influence within an organization. Personal vulnerabilities can easily translate into organizational risks if not managed correctly. Many CISOs focus on protecting corporate assets while overlooking the personal security of key executives, which leaves gaps that sophisticated attackers can exploit.

The Solution: Good Operational Security (OPSEC) is critical. Executives should be provided with personal OPSEC measures to safeguard against targeted attacks. For instance, using a VoIP number for primary communications helps mitigate the risk of SIM swap attacks that target mobile numbers. Additionally, placing homes and assets in an anonymous revocable living trust not only benefits the family by avoiding probate but also protects executive privacy, making it more difficult for attackers to find and exploit personal information such as home addresses.

Also, CISOs should advocate for services like Optery, which specialize in removing personal information from data brokers, as part of a corporate initiative to safeguard all employees. By taking these steps, organizations can better protect their leaders from becoming entry points for cyberattacks, thereby strengthening the overall security posture of the organization.

Summary

While I’ve delved into some of the things that CISOs could do better, from password policies to operational security (OPSEC), it’s clear that these issues are just the tip of the iceberg. The role of a CISO is complex, requiring a balance of technical acumen, risk management, business alignment, and transformational leadership. I believe that once these issues are addressed, CISOs can effectively safeguard their organizations in a threat landscape riddled with ransomware, info-stealers, malware, and even nation-state attacks. My blog post barely scratches the surface of a field that is truly ‘a mile wide and an inch deep’, so feel free to get in touch if you are a CISO or if you want to discuss these ideas in greater depth!