Archive for the ‘News’ Category

Revisiting lessons learned from LastPass 2022

Old data breaches never die. Especially when regulators shine a light on them. Last month, the UK’s Information Commissioner’s Office (ICO) put a 2022 incident at password management company LastPass back in the news cycle, after fining it £1.2m for GDPR infringements.

Excerpt from: AI Autopsy: Why the ICO fined LastPass £1.2m

Although LastPass subsequently changed its policy, at the time of the incident, it allowed employees to link their LastPass business and personal accounts, meaning that both could be accessed with the same master password.

This was a key gap in the firm’s security posture, says Wolfgang Goerlich. “The LastPass incident shows that logical separation without trust separation is a security flaw,” he tells Assured Intelligence. “We must separate personal, daily professional, and privileged activities. That separation begins with credential stores and extends into accounts, profiles and computing hardware.”

LastPass’s failure to mandate this at the time enabled the attacker to access the decryption key in the engineer’s Employee Business Vault, thereby decrypting the SSE-C key. It also got them the AWS access key. With those assets in hand, the attacker could access the AWS backups.

The ICO’s penalty notice specifically cites the failure to mandate the separation of personal and business accounts, particularly for senior executives who were high-profile targets.

Read the full article: https://assured.co.uk/2026/ai-autopsy-why-the-ico-fined-lastpass-1-2m/


This post is an excerpt from a press article. To see other media mentions and press coverage, click to view the Media page or the News category. Do you want to interview Wolf for a similar article? Contact Wolf through his media request form.

AI in cybersecurity operations

AI’s emergence as a transformative force is spurring CISOs to rethink how their teams operate to harness the technology’s potential and better defend its use across the organization.

Excerpt from: How AI is reshaping cybersecurity operations

Goerlich observes, “The future of security operations is going to be AI versus AI. It’s going to be machine on machine, with people in the cockpit making sure the right things are happening — or on the adversary side, making sure their attacks will be carried out. That’s really going to make us rethink how we’re doing our security operations.”

Read the full article: https://www.csoonline.com/article/4042494/how-ai-is-reshaping-cybersecurity-operations.html

Wolf’s Additional Thoughts

The part I’m continually working on, and sometimes struggling with, is where and when to deploy AI. Our people need to be better and stronger. You don’t get stronger by renting a forklift to lift the weight; you get stronger by lifting the weights. Similarly, we won’t get smarter by getting an AI to do the work. That said, many areas immediately benefit from automation and don’t weaken the team through automation. Those are the sweet spots I look for with AI in the SOC.

Multi-cloud Security challenges

From inadequate visibility to access management complexity, multicloud environments take baseline cloud security issues to another level.

Excerpt from: 5 multicloud security challenges — and how to address them.

Some CISOs opt to have a single security program for their entire cloud environment while others take a cloud-specific approach. Each strategy has pros and cons, says Wolfgang Goerlich, IANS Research faculty and a public sector CISO.

“If you’re treating all clouds the same, if you have a unified security program, then that means you’re not using the native security tools and you’re not driving the value out of each cloud. And not all solutions will pull in data [from each cloud provider] with fidelity, and not all apps will be as granular as the native tools,” he explains. “But if you go native, if you do a deep dive into each cloud, you add more tech and you probably won’t have teams who can work across the different clouds, so you create more challenges with processes, staff, and technology.”

Goerlich doesn’t list one option as better than the other but instead stresses the need to weigh the benefits and drawbacks of each one when devising an enterprise security plan.

“It’s all about the tradeoffs,” he says. “You can organize your team by cloud to drive more value from native capabilities, or have your team know enough about each cloud to effect change, or take it to a high level and not use the native tools.”

Read the full article: https://www.csoonline.com/article/4009247/5-multicloud-security-challenges-and-how-to-address-them.html

Wolf’s Additional Thoughts

It is the tug-of-war between unified and cloud-specific security controls. It is a balance between manageability and defensibility. Often the culture of the organization and the design of the InfoSec team make more of a difference than a specific tool or strategy.

Balance business continuity with other responsibilities

With business continuity, CISOs must navigate a complex mix of security, business priorities and operational resilience — often without clear ownership of the process.

Excerpt from: How CISOs can balance business continuity with other responsibilities

While CISOs may find that their remit is expanding to cover business continuity, a lack of clear delineation of roles and responsibilities can spell trouble.

It’s becoming more common to be part of the CISO toolkit, but there’s still a lot of back and forth around who should own BCDR and how widely it should be deployed, according to Goerlich. “I’ve been in organizations where BCDR was something done separately, where we were a partner, but not directly involved. I’ve been in other organizations where I was the primary driver of the program,” says Goerlich.

Whether or not the CISO defines downtime metrics depends on who has responsibility for the program, says Goerlich. Either way, it’s driven by the pain the organization feels according to the business impact analysis. For example, recovery time objective (RTO) will vary according to the industry and relevant considerations such as safety in manufacturing and healthcare and integrity or business process completion rates in financial services.

“When it comes to third-party risk and supply chain management, if it’s the CISO’s responsibility, it’s taking all the work the CISO is doing and adding BCDR requirements to it and then re-auditing,” says Goerlich.

In one case, he assisted a bank in auditing its SLAs, starting with matching its internal SLAs to the service providers’ SLAs and then conducting spot visits with some of those service providers to see if they could deliver on those SLAs. “Many of them weren’t as prepared as they said, many had strategies that were ineffective, and many had things the sales team was promising that the technical team was unaware of or unable to respond to,” he says.

The confusion about who owns ultimate responsibility for business continuity and disaster recovery is part of the ongoing CISO struggle to become a true business partner.

Read the full article: https://www.csoonline.com/article/3855823/how-cisos-can-balance-business-continuity-with-other-responsibilities.html

Wolf’s Additional Thoughts

I grounded my security program at Munder Capital on our BCP/DRP. In my current role as CISO of Oakland County, I’m again involved in the continuity and recovery program. These provide a rich set of inputs on what matters to the organization, allowing for informed and intelligent risk management. Don’t overlook it.

Text Message Scams

Don’t click on the link you received about unpaid tolls. It’s likely a scam.

Excerpt from: If You Get This Text Message, It’s Probably a Scam.

Unpaid toll scams are on the rise, according to the FBI. The agency has received more than 2,000 complaints since March. Unpaid toll scams are classified as smishing, whereby bad actors use text messages and pretend to be a part of a company to extract your personal information.

Toll road scam texts often convey a false sense of urgency. This tricks you into acting quickly before you even consider the possibility that it may be a scam.

“Scared people moving quickly make poor decisions, which is exactly what a scammer wants,” Goerlich said. “If a message makes you feel rushed or afraid, trust your intuition and stop responding.”

Read the full article: https://www.cnet.com/personal-finance/identity-theft/if-you-get-this-text-message-its-probably-a-scam/

Wolf’s Additional Thoughts

Take a beat, take a moment, center yourself, and click from a place of calm. That’s my security awareness advice. While the tactics have changed over the decades, the one thing scams have in common is scaring people into acting. So give yourself time to think.

Ways CISOs Can Stay Ahead

Security leaders are expected to defend their organizations against existing and emerging threats. Here are some tactics they can use to crack down on the enemy.

Excerpt from: 9 Ways CISOs Can Stay Ahead of Bad Actors

It is often said that CISOs need to be right all the time and bad actors must only be right once. According to Wolfgang Goerlich, faculty member at independent cybersecurity research and advisory firm IANS Research, that mindset is counterproductive.

“That’s not the case. The criminals are fast, they’re strong, but there are things we can do. I’ve always started with threat intelligence [because] I want to know what the criminals are doing, what their tactics and procedures are. I want to know some good ways to stop them in ways that don’t interfere with my organizations,” says Goerlich. “Security is only as good as the last time you checked, so we will do tabletop exercises, drills, red team exercises and test all those ways a criminal would move through our environment, and ensure we have multiple ways to stop and catch them.”

There are many other things CISOs are doing to stay a step ahead. The following are some examples.

Read the full article: https://www.informationweek.com/cyber-resilience/9-ways-cisos-can-stay-ahead-of-bad-actors

Things to Consider When Buying a Password Manager, U.S. News

Modern life means the proliferation of passwords. From banking to BBC iPlayer, nearly every website or application requires creating a password. But remembering multiple passwords is cumbersome, and using the same easy-to-remember password for every application is a security nightmare. This is where password managers have come into their own.

Excerpt from: Best Password Managers in the UK

Things to Consider When Buying a Password Manager

Security features and encryption. “It’s important to determine whether your passwords are safeguarded with multi-factor authentication and if the protection is structured so that only you have access to your data,” says Wolfgang Goerlich, faculty member at cybersecurity research and advisory firm, IANS Research. “This is commonly known as zero-knowledge architecture, which is a great way of saying that the vendor cannot access my passwords and secrets.”

Data backup and sync. For business users with “higher demands on the availability and integrity of their password manager”, Goerlich says that it is important to look into data recovery options, especially if the product is cloud-based: “If the cloud becomes unavailable, the password managers need to be able to continue to function.”

Read the full article: https://www.usnews.com/uk/360-reviews/privacy/password-managers

Passkey Authentication, ITProToday

Many organizations are interested in using passkeys instead of conventional passwords, but how much better are they?

Despite rising concerns about password security and a growing trend towards passkeys and other multifactor authentication tools, passwords remain the primary mode of authentication.

Excerpt from: Is Passkey Authentication More Secure Than Traditional Passwords?

Organizations are advised to use MFA on every website and application. For added security, users should use MFA methods with a physical token or software-based authenticators rather than less secure methods like text or email-based authentication.

Wolf Goerlich, a faculty member at IANS Research, suggested that IT professionals expand their focus beyond the initial authentication factor. “This should include device identity and posture, and the context and conditions of the request,” Goerlich said. “This risk-based authentication provides a defense against account takeovers by session hijacking, along with other common attack techniques.”

Goerlich also recommended that development teams pay attention to session handling, giving careful consideration to the detection and prevention of session hijacking.

Read the full article: https://www.itprotoday.com/identity-management-and-access-control/passkey-authentication-more-secure-traditional-passwords

Navigating an Evolving Landscape, Forbes

The cybersecurity industry is undergoing significant shifts driven by evolving threats, technological advancements, and changing market dynamics. Wolfgang Goerlich recently noted, “There are certainly a lot of conversations going around with respect to how to do tool consolidation. ‘How do I simplify my security portfolio?’”

Excerpt from: Navigating The Evolving Landscape Of Cybersecurity

5 Questions For CISOs. With thousands of cybersecurity vendors, it can be daunting to evaluate and choose from among the myriad of tools and platforms available. Here are some key factors CISOs should consider:

1. How much visibility do you have of your network?

2. How many tools or platforms do you have to correlate to get a comprehensive view of your environment?

3. Can you access your data from anywhere without adding additional cost?

4. Are you relying too heavily on a single tool or technology?

5. Can your visibility and security scale effectively as your IT environment expands?

Read the full article: https://www.forbes.com/sites/tonybradley/2024/02/23/navigating-the-evolving-landscape-of-cybersecurity/

Passwordless authentication supports Zero Trust

Passwordless authentication can make a zero-trust environment even more secure. Here’s what state and local governments need to know.

Excerpt from: How Passwordless Authentication Supports Zero Trust

State and local government agencies carry the heavy burden of collecting and managing large amounts of sensitive data to bring essential services to citizens. Naturally, they want to be on the cutting edge of cybersecurity, which is where the zero-trust security model comes in. And now, we’re seeing an innovation that could bolster zero trust’s already formidable defenses: passwordless authentication.

“When we think about zero trust, we want to regularly assess trust and evaluate everything,” Goerlich says. “If we’re constantly going to users and having them put in codes, PINs and passwords, we’re going to get a lot of resistance. So, I think many roadmaps that are successful for state and local governments pursuing zero trust are introducing passwordless as a way to reduce user friction while driving up assurance around identity.”

Passwordless authentication and zero trust work together. An agency may check a user’s fingerprint or face or have a user enter a PIN, but an agency that employs zero trust will also make sure the user is on the right computer in the right location and is behaving in a way that’s expected.

“This is the future of multifactor: implementing the strongest possible factors and addressing concerns around phishing and other common attacks,” Goerlich says.

How Can State and Local Agencies Implement Passwordless Authentication?

Read the full article: https://statetechmagazine.com/article/2024/02/how-passwordless-authentication-supports-zero-trust-perfcon
