🟠 High  |  Source: The Register — Security


A security leader exempted themselves from multi-factor authentication (MFA) requirements that were enforced for regular staff, creating a privileged account without MFA protection. This is a textbook example of executive exceptions undermining security policy, leaving high-value accounts — which are prime targets for attackers — exposed. It highlights how cultural and political pressures can erode even basic security controls.

Security Architect’s Take: Enforce MFA unconditionally at the identity provider or cloud platform level, through conditional access policies or SCPs rather than reliance on manual compliance, so that no role or account — including executives and security leadership — can bypass the control through a policy exemption.
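As an added illustration of the SCP approach (not code from the article or from The Register), the audit below takes two constructed service control policies, one with an exemption carve-out for a leadership role and one without, and reports the ways the MFA deny can be bypassed. The role ARN is a placeholder; the policy syntax and the `Bool`/`BoolIfExists` behaviour on a missing `aws:MultiFactorAuthPresent` key are real AWS semantics.

```python
"""Audit an AWS SCP for an MFA-enforcing Deny statement that can be bypassed.
Added example, not from the article. Policies are constructed samples in real
SCP JSON syntax; the exempted role ARN is a placeholder, not a real account."""

# Condition operators that exclude whoever matches from a Deny statement.
NEGATED_OPERATORS = {"ArnNotLike", "ArnNotEquals", "StringNotLike", "StringNotEquals"}
# Context keys that identify the caller rather than the request.
PRINCIPAL_KEYS = {"aws:PrincipalArn", "aws:userid", "aws:username"}

# Constructed weak SCP: the "everyone must use MFA" deny, with two holes.
WEAK_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyAllWithoutMFA",
        "Effect": "Deny",
        "NotAction": ["iam:EnableMFADevice", "iam:CreateVirtualMFADevice", "iam:ListMFADevices"],
        "Resource": "*",
        "Condition": {
            # Hole 1: the key is absent for long-term access-key requests, and plain
            # Bool never matches an absent key, so those requests are not denied.
            "Bool": {"aws:MultiFactorAuthPresent": "false"},
            # Hole 2: the leadership carve-out the article describes (placeholder ARN).
            "ArnNotLike": {"aws:PrincipalArn": "arn:aws:iam::*:role/SecurityLead-PLACEHOLDER"},
        },
    }],
}

# Corrected SCP: same deny, BoolIfExists, and no principal carve-out at all.
FIXED_SCP = {"Version": "2012-10-17", "Statement": [{
    "Sid": "DenyAllWithoutMFA", "Effect": "Deny", "Resource": "*",
    "NotAction": ["iam:EnableMFADevice", "iam:CreateVirtualMFADevice", "iam:ListMFADevices"],
    "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
}]}

def mfa_deny_findings(policy):
    """Return one string per weakness in the policy's MFA-conditioned Deny statements."""
    findings = []
    for stmt in policy.get("Statement", []):
        cond = stmt.get("Condition", {})
        mfa_ops = [op for op, keys in cond.items() if "aws:MultiFactorAuthPresent" in keys]
        if stmt.get("Effect") != "Deny" or not mfa_ops:
            continue
        sid = stmt.get("Sid", "<no Sid>")
        if "Bool" in mfa_ops:
            findings.append(f"{sid}: uses Bool, so requests without the MFA key are not denied")
        for op in NEGATED_OPERATORS.intersection(cond):
            for key, value in cond[op].items():
                if key in PRINCIPAL_KEYS or key.startswith("aws:PrincipalTag/"):
                    findings.append(f"{sid}: exempts {value} via {op} on {key}")
    return findings
```

Run `mfa_deny_findings` over the output of `aws organizations describe-policy` to catch carve-outs that creep into an otherwise sound MFA deny; note that SCPs never apply to the organization's management account, so that account needs the same control at the IdP.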

Original advisory: Security boss thought MFA would be too much security