
The Discipline Gap

Knowing what needs to happen and being able to make it happen are different problems

I was in a board committee breakout with the CISO of a private company a few years ago. He walked us through his metrics: phishing simulation compliance, password reset rates, training completion. The numbers were good. The presentation was polished. I was bored.

I asked one question: who manages the security of the manufacturing equipment?

He paused. He said it probably wasn’t him. His guess was the SVP of manufacturing. He reports to the CIO.

Everyone in the room understood immediately what we’d just learned. The CISO had spent forty minutes telling us how well he was doing his job. Nobody had asked him about the job nobody was doing.

That’s not a criticism of the CISO. He was reporting on what he controlled, which is what every rational person does when they’re presenting to a board. The problem is that boards interpret that report as a picture of the organization’s security posture. It isn’t. It’s a picture of one part of it — the part with an owner. The rest stays off the agenda until something goes wrong.

What goes wrong

In July 2024, a group calling itself NullBulge published data it had pulled from Disney's internal Slack environment over the preceding months. They didn't find a vulnerability in Slack. They found an employee who downloaded a free tool from GitHub (reported as an AI image-generation utility) that contained malware. The malware captured his credentials, including access to his password manager. The vault held the keys to his Slack account. From there, the attacker spent months pulling data from over 10,000 channels — 44 million messages, financial records, unreleased project details, passport numbers for cruise line crew members. More than a terabyte in total.

Disney responded by dropping Slack.

That’s the wrong lesson.

The conversation I keep thinking about

Before the breach, I was at an industry event with a senior security executive at a major entertainment company. He’d spent the day in vendor presentations. AI-powered detection, autonomous response platforms, next-generation everything. He wasn’t dismissive of any of it. He told me he knew in his gut that none of it would close his real gap.

His real gap was the fundamentals. File permissions that weren’t right. Accounts with access they shouldn’t have. Configurations that had drifted and never been corrected. He asked me a question I haven’t stopped thinking about: why can’t someone just invent a way to solve those?

The answer is that you can’t, and understanding why is the most important thing a security leader can internalize.

The chain that nobody owned

Walk through what actually happened at Disney. An employee downloaded malware. That’s an endpoint problem. The malware reached a password vault. That’s a credential management problem. The vault gave access to Slack. That’s a least-privilege problem. The attacker then moved through Slack for months without triggering a response. That’s a detection problem.

Every link in that chain is a known category of risk. Every fix exists. None of them are exotic. And none of them live solely within the security team’s authority to implement.

Endpoint controls require coordination with IT. Vault policies require agreement on what gets stored and who can access it. Slack permissions require someone to audit which accounts have access to which channels and enforce a standard. Monitoring requires a defined process for what gets flagged and who responds.

Each one of those fixes requires someone outside the security org to do something they haven’t prioritized, change a workflow they’re used to, or accept friction they’d rather not have. The CISO sees the whole chain. He doesn’t control most of it. And when he presents to the board, he shows them the metrics he owns — not the chain he can see but can’t move.

The gap is structural, not technical

Security strategy is written as if the CISO has authority over the environment. Implement least privilege. Enforce MFA. Remediate critical findings within 30 days. The documents read cleanly. The reality is that the people who need to execute those directives report to someone else, have competing priorities, and often don’t feel the risk the way the security team does.

This is compounded by drift. Every organization accumulates exceptions — a system excluded from the patching cycle because it’s too fragile to touch, an integration with broader access than it should have that nobody wants to revisit, an executive exemption from 2019 that’s still active because rescinding it requires a conversation nobody wants to have. These don’t show up in any single report. They accumulate in email threads and institutional memory until something goes wrong.

What you can actually do about it

The board story is where the fix has to start. A CISO presenting phishing compliance numbers to a board that doesn’t know to ask about manufacturing equipment isn’t a communication failure — it’s a governance failure. Boards need directors who understand enough about security to know what questions aren’t being answered.

That’s the work organizations like Digital Directors Network do. DDN works with boards and CISOs to close the conversation gap — giving directors the literacy to push past polished metrics and ask the questions that surface real exposure. Who owns the controls you don’t control? What’s off this slide and why? What would it take for something to go wrong that you wouldn’t catch? Those questions change what gets reported and what gets resourced. A CISO who knows the board will ask about manufacturing equipment will find a way to put manufacturing equipment on the agenda.

Once that conversation is happening, the operational work gets easier to prioritize. Most remediation stalls not because the fix is hard but because the list is endless and ownership is diffuse. Tools like Discern’s Pathfinder cut that list to the ten findings that carry the most actual risk in a specific environment — a focused ask is harder to defer than a hundred-item backlog. And Discern’s Resolve agent turns those findings into tracked work with assigned owners and a paper trail, which changes the dynamic with the IT team or line of business that needs to act.

The governance layer and the operational layer have to work together. Better board questions create the accountability pressure. Better tooling makes the work executable. Neither one alone closes the gap.

Back to the question

The executive who asked me why someone couldn’t just invent a way to solve the fundamentals already knew the answer. He’d spent twenty years watching organizations buy tools and remain exposed. The tools weren’t the problem. The problem was that fixing the fundamentals requires people to do unglamorous work that doesn’t show up in a vendor pitch, across organizational lines that security doesn’t control.

The CISO in that board meeting wasn’t hiding anything. He was reporting accurately on what he owned. The manufacturing equipment just wasn’t his problem — until it is, and by then it’s everyone’s problem.

Disney didn’t have a Slack problem. They had a discipline problem. And dropping Slack didn’t fix it.

If this is the conversation you’re trying to have inside your organization, connect@passarel.com is the right door.
