Join us tomorrow for "Hacking Remediation"

Super Cyber Fridays!
Join us Friday, November 7, 2025, for “Hacking Remediation: An hour of critical thinking about how to take alerts from found to fixed.”

It all begins at 1 PM ET/10 AM PT TOMORROW with guests Matt Brown, solutions architect, Endor Labs, and Joe Harrington, senior security engineer, Principal Financial Group. We'll have fun conversation and games, plus at the end of the hour (2 PM ET/11 AM PT) we'll do our meetup.

Thanks to our Super Cyber Friday sponsor, Endor Labs

Endor Labs

Defense in Depth
Is Least Privilege Dead?

The idea of least privilege has become accepted wisdom in cybersecurity. Despite being around for decades, everyone still seems to be struggling with it. So if we can't realize this principle, is it worth chasing in the first place?

Check out this post by Kevin Paige, CISO at ConductorOne, for the discussion that is the basis of our conversation on this week's episode, co-hosted by David Spark, the producer of CISO Series, and Edward Contreras, senior EVP and CISO, Frost Bank. Joining them is Julie Tsai, CISO-in-Residence, Ballistic Ventures.

Listen to the full episode here.

Is least privilege dead?

The debate over whether least privilege remains a viable security principle has sparked strong reactions across the industry. Samuel Roach of Cyberoptiq makes a clear distinction: "The principle of least privilege is just that: a principle. It is ineffective without actually implementing the right controls, but is the principle that should dictate the controls one should implement." He argues the principle itself isn't the problem—inconsistent application is. Muhammad Khan of Satellite Ground Station, Pakistan, frames it as an execution gap rather than a conceptual failure: "Least privilege isn't broken, our execution is. With identity sprawl, CI/CD pipelines, and multi-cloud APIs, what we need is dynamic access governance: policies that adjust with user roles, task context, and risk scores."

Modern tactics, timeless principle

Emerging access management approaches aren't replacing least privilege—they're evolving it. Rory Bray of IBM sees just-in-time access as an extension of the core concept: "It's about only what you need and only as long as you need, with oversight. There are new tools to make this easier, but it was always possible and always advisable." Caleb Sima of WhiteRabbit suggests focusing energy strategically rather than universally: "One solution to the never-ending least privilege problem is by focusing on crown jewels. What areas or critical systems are the most important and apply the effort there, vs chasing the never-ending dream of the entire organization."

Implementation over ideology

The failure isn't in the principle—it's in how organizations operationalize it. Ron Yankelevitz of Next Insurance argues that modern techniques are simply better implementations: "Just-in-time access, step-up approvals, auditability, those aren't replacements for least privilege, they're how you achieve it in modern environments." Matthew Halsey identifies where things often break down in practice: "What likely causes problems like these are people in positions of power (Heads of departments or members of the C-suite) circumventing proper access control policy because 'what I need is super business critical and needs doing NOW.'"

Pragmatism over purity

Doug Mayer of WCG takes a practical view of security terminology and implementation: "[Terms like least privilege and zero trust] were never alive to [at one time] say they are dead. But rather they're only buzzwords to give the security professional a term to get the business thinking about helping us to help them." He advocates for an incremental approach focused on tangible outcomes: "It's about prioritizing and applying where possible because the little wins make a difference and with enough little improvements the attack surface is harder for adversaries."

Thanks to our Security Tip Sponsor, Tenable

Thanks to our podcast sponsor, Cyera

Subscribe to Defense in Depth podcast

Please subscribe via Apple Podcasts, Spotify, YouTube Music, Amazon Music, Pocket Casts, RSS, or just type "Defense in Depth" into your favorite podcast app.

LIVE!
Cyber Security Headlines - Department of Know

Our LIVE stream of The Department of Know happens every Monday at 4 PM ET / 1 PM PT with CISO Series producer Richard Stroffolino, and a panel of security pros. Each week, we bring you the cybersecurity stories that actually matter, and the conversations you’ll be having at work all week long.

Monday's episode featured Rob Teel, field CTO, GigaOm, and Davi Ottenheimer, VP, digital trust and ethics, Inrupt. Missed it? Watch the replay on YouTube and catch up on what's shaping the week in security.

Join us again next week, and every Monday.

Thanks to our Cyber Security Headlines sponsor, ThreatLocker

Cyber chatter from around the web...
Jump in on these conversations

"LinkedIn gives you until Monday to stop AI from training on your profile"

"Turns out my smart vacuum was a spy that could self-destruct"

"AI Security Gap: 98% Adopt LLMs, 24% Lag in AI Security"

Coming Up On Super Cyber Friday...
Coming up in the weeks ahead on Super Cyber Friday we have:

  • [11-07-2025] "Hacking Remediation"

  • [11-14-2025] "Hacking Cybersecurity Marketing"

  • [11-21-2025] "Hacking the Budget Battle"

Save your spot and register for them all now!

Thank you!
Thank you for supporting CISO Series and all our programming

We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!

Everything is available at cisoseries.com.

Interested in sponsorship? Contact me, David Spark.