CCISO (712-50) Executive Decision Simulation
This simulation trains you to approach cybersecurity challenges from a strategic, executive-level perspective. Evaluate the business impact, apply governance frameworks, and select the best path forward.
Executive Briefing
You are the CISO of a large enterprise. The organization heavily utilizes Single Sign-On (SSO) to provide frictionless access for employees. This includes access to the enterprise VPN and the Employee Self-Service HR portal, where personnel manage sensitive data such as direct deposit banking information.
Business Context
Recently, the industry has seen a massive spike in highly targeted phishing campaigns aimed at redirecting employee payroll deposits and establishing unauthorized remote access. While employee convenience remains a core business objective, the financial liability of payroll fraud and the systemic risk of VPN compromise have exceeded the organization's risk tolerance.
Decision Scenario
The Executive Board has mandated a highly resilient, "permanent" solution to stop credential compromise via phishing. You must evaluate the available controls (administrative, technical, and operational) and present the technical safeguard that provides high-assurance identity verification without depending on constant, error-prone human judgment.
Question
Scenario: Your organization employs single sign-on (user name and password only) as a convenience to your employees to access organizational systems and data. Permission to individual systems and databases is vetted and approved through supervisors and data owners to ensure that only approved personnel can use particular applications or retrieve information.
All employees have access to their own human resource information, including the ability to change their bank routing and account information and other personal details through the Employee Self-Service application. All employees have access to the organizational VPN. The organization wants a more permanent solution to the threat to user credential compromise through phishing.
What technical solution would BEST address this issue?
Strategic Analysis
1. What is the real problem?
Phishing exploits the weakest link in any security architecture: human judgment. A password, regardless of length or complexity, can be handed over by a deceived employee, and so can a one-time code typed into a look-alike page, because a real-time relay (adversary-in-the-middle) forwards it to the genuine site before it expires. The business problem is the unacceptable financial liability of payroll fraud and the severe risk of unauthorized VPN access into the corporate network.
2. Business vs. Security Perspective
The business prioritizes frictionless access to maintain productivity (hence SSO). Security requires proof of identity that a deceived user cannot hand to an attacker. The strategic compromise bridges this gap by enforcing strong, phishing-resistant authentication at the SSO identity provider, so that a captured credential stops being useful without adding friction to every individual application.
3. Risk and Impact Analysis
Compromised VPN credentials allow attackers internal network traversal, often leading to ransomware deployment or massive data exfiltration. Compromised HR portal access leads to direct financial theft via payroll misdirection. Both scenarios represent severe, high-impact risks that demand robust technical mitigation.
4. Why "Multi-factor authentication employing hard tokens" is the BEST answer
MFA with hard tokens is a technical control, and in its FIDO2/WebAuthn form (hardware security keys, or smart-card/PKI credentials) it is phishing-resistant by design. The token holds no secret the user could type or read out; it holds a private key and answers a challenge with a signature, and that signature covers the relying-party identifier and web origin supplied by the browser, not by the page. If an employee is lured to a look-alike domain and enters username and password, the token either cannot be invoked for that domain at all or signs an assertion bound to the attacker's origin, which the real SSO service rejects; the attacker cannot re-sign it for the genuine origin because the private key never leaves the hardware. One caveat a practitioner would raise: a hardware OTP fob is also a "hard token", but its six-digit code can be relayed in real time exactly like a password, so the phishing resistance comes from the origin-bound challenge-response, not from the hardware alone. Enforcing this factor at the SSO identity provider covers both the VPN and the HR portal in one place, which satisfies the board's requirement for a "permanent" and "technical" solution to credential compromise.
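To make the origin-binding argument concrete, the following Go program models a FIDO2/WebAuthn assertion and the relying-party checks that reject a phished one. It is an added example written for this page, not code from the simulation or from any vendor's implementation; the hostnames (sso.corp.example and the look-alike sso-corp.example), the challenge string and the function names are constructed for illustration, and the "token" is a software stand-in that uses the standard library's ECDSA P-256 (ES256) exactly as a real authenticator would, minus the hardware key protection.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)

// clientData is the part of WebAuthn clientDataJSON the relying party checks.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// assertion is what the browser hands back from navigator.credentials.get().
type assertion struct {
	AuthData       []byte // rpIdHash(32) || flags(1) || signCount(4)
	ClientDataJSON []byte
	Sig            []byte // ES256 (ECDSA P-256) over authData || SHA256(clientDataJSON)
}

// authenticatorSign models the hardware token. The browser, not the web page, tells it
// the RP ID and origin, so a look-alike domain cannot claim the real one.
func authenticatorSign(key *ecdsa.PrivateKey, rpID, origin, challenge string, count uint32) assertion {
	rpHash := sha256.Sum256([]byte(rpID))
	authData := append([]byte{}, rpHash[:]...)
	authData = append(authData, 0x05) // flags: user present (0x01) | user verified (0x04)
	var cnt [4]byte
	binary.BigEndian.PutUint32(cnt[:], count)
	authData = append(authData, cnt[:]...)
	cd, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin}) // cannot fail for this struct
	cdHash := sha256.Sum256(cd)
	msg := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	sig, err := ecdsa.SignASN1(rand.Reader, key, msg[:])
	if err != nil {
		panic(err)
	}
	return assertion{AuthData: authData, ClientDataJSON: cd, Sig: sig}
}

// verifyAssertion is the relying-party side. Every field a phisher would need to forge
// is either bound to the real origin or covered by the token's signature.
func verifyAssertion(pub *ecdsa.PublicKey, a assertion, rpID, origin, challenge string, lastCount uint32) error {
	if len(a.AuthData) < 37 {
		return errors.New("authData too short")
	}
	var cd clientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" || cd.Challenge != challenge {
		return errors.New("wrong ceremony type or stale challenge (replay?)")
	}
	if cd.Origin != origin {
		return fmt.Errorf("origin mismatch: token signed for %s", cd.Origin)
	}
	if want := sha256.Sum256([]byte(rpID)); !bytes.Equal(a.AuthData[:32], want[:]) {
		return errors.New("rpIdHash mismatch: credential scoped to another domain")
	}
	if c := binary.BigEndian.Uint32(a.AuthData[33:37]); c != 0 && c <= lastCount {
		return errors.New("signature counter did not increase (cloned authenticator?)")
	}
	cdHash := sha256.Sum256(a.ClientDataJSON)
	msg := sha256.Sum256(append(append([]byte{}, a.AuthData...), cdHash[:]...))
	if !ecdsa.VerifyASN1(pub, msg[:], a.Sig) {
		return errors.New("signature does not cover the presented authData/clientData")
	}
	return nil
}

// runScenarios verifies three constructed logins against the real RP: a genuine one,
// one phished through a look-alike site (the proxy relays the real challenge), and the
// same phished assertion after the proxy swapped in the real origin and rpIdHash.
func runScenarios() (genuineErr, phishedErr, tamperedErr error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed values; a real RP issues a fresh random challenge for every login.
	const rpID, origin, challenge = "sso.corp.example", "https://sso.corp.example", "c3RhdGljLWRlbW8tY2hhbGxlbmdl"
	genuine := authenticatorSign(key, rpID, origin, challenge, 7)
	genuineErr = verifyAssertion(&key.PublicKey, genuine, rpID, origin, challenge, 6)
	// The victim's browser is on sso-corp.example, so that is the RP ID and origin the token signs.
	phished := authenticatorSign(key, "sso-corp.example", "https://sso-corp.example", challenge, 8)
	phishedErr = verifyAssertion(&key.PublicKey, phished, rpID, origin, challenge, 7)
	// The proxy knows the real origin and challenge, so it can rebuild clientData and
	// rpIdHash (taken here from the genuine login), but it cannot re-sign them.
	tampered := assertion{AuthData: genuine.AuthData, ClientDataJSON: genuine.ClientDataJSON, Sig: phished.Sig}
	tamperedErr = verifyAssertion(&key.PublicKey, tampered, rpID, origin, challenge, 6)
	return
}
```

Running runScenarios shows the three outcomes the section describes: the genuine login verifies, the relayed assertion fails on the origin check before the signature is even examined, and the assertion the proxy "repaired" fails on the signature because the token signed the attacker's origin and RP ID hash, not the real ones. The signature counter check is the extra hardware-token benefit: a cloned key that reuses an old count is flagged even when everything else is valid.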
5. Why other options are weaker
- B (90-day password changes): Current guidance (NIST SP 800-63B) advises against mandatory periodic rotation, because it pushes users toward predictable patterns; passwords should instead be changed when there is evidence of compromise. Rotation also does nothing against real-time phishing, since a freshly rotated password is captured the moment it is typed into the attacker's page.
- C (Decreasing admin privileges): The Principle of Least Privilege is essential, but the scenario states that access to individual systems is already vetted by supervisors and data owners. The risk lies in access every employee legitimately holds, their own HR record and the VPN, which least privilege cannot remove without breaking the business process.
- D (Professional user education): User education is an administrative control, not the technical one the question asks for. It lowers the click rate but cannot drive it to zero, and a single deceived employee with VPN access is enough, so training reduces risk but can never be considered a "permanent solution" to credential theft.
Mini-Lesson: Identity & Access Management (IAM) Governance
Defense-in-depth balances administrative controls (training) with technical controls (MFA). When the impact of a compromised identity is severe (e.g., VPN access, financial systems), technical enforcement must take precedence over convenience. Two practical caveats follow: the phishing-resistant factor must be mandatory for the VPN and HR flows, not merely offered, and the enrollment, recovery and fallback paths (help-desk resets, SMS or app-based OTP kept "just in case") must be held to the same standard, because an attacker who cannot phish the token will target the weaker path instead. A CISO must align controls with risk tolerance: high-risk access vectors demand high-assurance authentication mechanisms.
EXECUTIVE TAKEAWAY
"To effectively neutralize credential phishing, organizations must transition from relying on human infallibility to enforcing cryptographic proof of identity."