Details of the Louvre Museum heist were revealed. In just about 8 minutes, thieves were able to make off with over $102 million in crown jewels. More incredible than the loot was how seemingly easy it was to pull off. In addition to physical security issues, the embarrassing detail of the password to the surveillance system was revealed: Louvre.
It is shockingly simple for something so important. It wasn’t like a dramatic scene from “Ocean’s 11.” Would it even have warranted a 10-second scene in “Hackers” or “Mr. Robot” to dictionary-attack “Louvre”? Probably not. No AI-backed attack or advanced TTPs. Just a simple password. And yet, this is something we see every day in cybersecurity: gaps in security that can lead to catastrophic intrusions and, in turn, losses.
What are security teams to do?
Consulting with teams across different industries and at widely varying levels of maturity, I see that it is the small steps that close security gaps and improve security maturity. Real security doesn’t come from massive overhauls or expensive tools (though sometimes both are warranted). Real security is built through disciplined, incremental improvements that close everyday gaps, the kind that turn a minor oversight into a major breach.
Let us begin with something that costs zero dollars and requires no tooling: mindset. Easy for some, but a hurdle the size of Mt. Everest for others. The biggie: compliance = security. We need look no further than the headline breaches at organizations with compliance obligations to know this is false. Yet I hear it time and again. This mindset gives organizations a false sense of security and is a hurdle to progress in maturity. Perhaps more cunning is the “security through obscurity” mindset: “We are going to hide the problem. If we can’t see it, no one else will.” We do, in fact, see your non-standard port usage, your disguised file paths, and the proverbial key under the doormat. Your security team sees it. Your pentesters and attackers will find it. These are merely delay tactics and should not be confused with real security.
Next up: passwords. For the last 5 years, Verizon’s Data Breach Investigations Report (DBIR) [1] has identified account compromise, specifically through compromised credentials, as the top attack vector. In the Verizon 2025 DBIR, stolen or compromised credentials remain the most common initial access vector for data breaches, accounting for 22% of the incidents analyzed. We all have them, many of them, and attackers want them. When defining what a secure password looks like, look no further than NIST [2].
NIST guidance recommends that a password should be at least 15 characters long. At 100 billion guesses per second, it would take a computer more than five hundred years to guess all the possible combinations of 15 lowercase letters.
That may seem like a lot of characters to memorize, but you can make it easier for yourself by making what Galluzzo calls a “passphrase.” A passphrase combines multiple real words together to create something that’s easier to invent and remember.
Enforcing 15-character passwords (passphrases) goes hand in hand with the 2025 NIST password guidance that a password should change only when there is evidence it has been compromised. This recommendation comes from understanding user behavior. Frequent, forced password changes result in reused, simplified, and predictable (read: weaker) passwords. Have a 90-day password policy? Chances are you will see a “clever” season-related password (Win+3r2025!). Special character? Check. Upper and lower case? Check. Numbers? Check. Sufficient length? Sure. Secure? No.
Bottom line: Having a 90-day password expiration is no longer the flex you think it is. It is a relic of cybersecurity’s past and ignores what we now know about user behavior on our networks. Use the evidence provided to strengthen your policies. Train users on passphrases with funny examples to keep them in their brains. Some examples in honor of a perennial holiday favorite, “Christmas Vacation”: YouseriousClark91? or IdontknowMargo!2005. With passwords like these, can you move your organization off the dreaded quarterly password change? Maybe not fully to never expire, but twice a year? Annual? The point is progress.
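As an added example (not from the article, NIST, or Verizon), here is a small Python policy checker that applies the guidance above: a 15-character minimum, a blocklist check in place of composition rules, no expiry logic at all, and a heuristic for the season-plus-year pattern the article calls out. It also reproduces the brute-force arithmetic behind the five-hundred-year figure. The blocklist, the character-substitution table and the season heuristic are constructed for illustration; a real deployment would check candidates against a large breached-password corpus.

```python
# Policy values taken from the NIST guidance quoted in the article.
MIN_LENGTH = 15
GUESSES_PER_SECOND = 100_000_000_000   # 100 billion guesses/second, the article's figure
SECONDS_PER_YEAR = 365.25 * 24 * 60 * 60

# Constructed blocklist standing in for a breached/common-password feed.
# Assumption: a real deployment checks against a much larger corpus.
BLOCKLIST = {"louvre", "password", "letmein", "winter2025!", "win+3r2025!"}

# Constructed substitution table used only by the season heuristic (3->e, + ->t, ...).
LEET = str.maketrans({"3": "e", "0": "o", "1": "i", "+": "t",
                      "@": "a", "$": "s", "4": "a", "5": "s"})
SEASONS = ("spring", "summer", "fall", "autumn", "winter")


def years_to_exhaust(length: int, alphabet_size: int,
                     rate: float = GUESSES_PER_SECOND) -> float:
    """Years needed to try every string of `length` symbols drawn from an alphabet of
    `alphabet_size` symbols at `rate` guesses per second (the arithmetic behind the
    article's 'more than five hundred years' for 15 lowercase letters)."""
    return alphabet_size ** length / rate / SECONDS_PER_YEAR


def looks_like_season_password(candidate: str) -> bool:
    """Constructed heuristic for the 'Win+3r2025!' anti-pattern: after undoing common
    character substitutions, does the string start with a season name?"""
    normalised = candidate.lower().translate(LEET)
    return normalised.startswith(SEASONS)


def check_password(candidate: str) -> list[str]:
    """Return the reasons a candidate fails the policy; an empty list means accepted.

    Deliberately absent: upper/lower/digit/special composition rules and any expiry
    date, following the guidance the article describes."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if candidate.lower() in BLOCKLIST:
        problems.append("found in breached/common-password blocklist")
    if looks_like_season_password(candidate):
        problems.append("season-plus-year pattern")
    if len(set(candidate)) <= 2:
        problems.append("too few distinct characters")
    return problems


if __name__ == "__main__":
    print(f"15 lowercase letters at 1e11 guesses/s: {years_to_exhaust(15, 26):.0f} years")
    for pw in ("Louvre", "Win+3r2025!", "YouseriousClark91?", "IdontknowMargo!2005"):
        verdict = check_password(pw)
        print(f"{pw!r}: {'accepted' if not verdict else ', '.join(verdict)}")
```

Note what the checker does not do: it never rejects a long passphrase for lacking a digit or symbol, and it has no notion of password age, so a rotation policy would have to be bolted on deliberately rather than falling out of the rules.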
How could a discussion of security gaps not touch on vulnerability management? Patch and vulnerability management can quickly get away from organizations that don’t have a dedicated team and/or don’t have a sustainable, monitored plan. The backlog of vulnerabilities can start to feel like an insurmountable task, and teams start to measure their progress as surviving.
As a baseline, let’s assume that organizations have SOME sort of vulnerability scanning, something that gives the organization an indicator of the vulnerabilities within their environment. Maybe it isn’t optimized. Maybe there are gaps. That is ok. Start by shaping a plan, then get going.
Formulating Your Organization's Approach
Ask 10 cybersecurity professionals what a solid patch and vulnerability management plan looks like and you could very well get 10 different plans. Turning the elements into your organization’s secret sauce for success is where the incremental progress happens. Here are some of those elements, or considerations, to weigh when formulating or reviewing your organization’s approach.
1) CISA Known Exploited Vulnerability catalog: Know it. Incorporate it. Love it. For a bit of background, the CISA KEV catalog is a list of vulnerabilities whose remediation is mandatory for federal agencies. For a vulnerability to be on the list it must have a CVE, have evidence of active exploitation, and have a remediation action available.
While this list does not represent any mandatory requirement for non-federal organizations, it is a great place for security teams to start. These are vulnerabilities being exploited in attacks, including the dreaded ransomware. Attackers already know how to exploit these vulnerabilities, so closing this gap closes this vector. That is an improvement in security.
2) CVSS score: I have had organizations tell me that they only focus on *insert random CVSS score or rank*. Without much rhyme or reason for the benchmark, some have said Critical (CVSS 9.0-10). Others say High or Critical (CVSS 7.0 or higher). While not completely devoid of logic, this is still myopic. About 88% of the CISA KEV has a CVSS score of 7.0 or higher, which leaves 12-13% of those known-exploited vulnerabilities untouched by security teams [3].
3) Crown Jewels or Critical Assets: There is a tie for the worst answer given to the question “What are your most critical assets or crown jewels?” Answering either “Everything” or “I don’t know” lets me know we have a lot of work to do. If everything is important, nothing is of importance. Are you really telling me you treat the receptionist’s desktop the same as your production server? We know that isn’t true. If you don’t know, we need to figure that out quickly. Where is critical data stored? Think PII, GDPR, PCI. Think proprietary data. Trade secrets. Maybe the CEO’s laptop. If it crashes, is compromised, or is lost forever, would that impact the business, operationally or otherwise? If the answer is yes, it could be seen as critical. Viewing it in this way leads to giving it more attention when it comes to managing its vulnerabilities.
With these basic elements in mind, we can have a go at making a plan. Maybe start with figuring out what CISA KEVs are sitting on your critical assets and how those can be tackled. Maybe it is legacy. Has risk been accepted and other defense-in-depth tactics been employed to protect the asset? And then we keep going forward, making progress along the way.
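To show how the three elements combine into a remediation order, here is an added Python example that is not from the article or from CISA. It loads a constructed sample shaped like the CISA KEV JSON feed (the `cveID` and `knownRansomwareCampaignUse` fields; the CVE identifiers are placeholders, not real CVEs), joins it with constructed scanner findings tagged with crown-jewel status, and ranks them KEV-first, critical-asset-second, CVSS-last. It also lists the KEV entries that a "CVSS 7.0 or higher only" policy would skip, which is the 12-13% the article warns about.

```python
import json
from dataclasses import dataclass

# Constructed sample in the shape of the CISA KEV JSON feed. Assumption: the real
# feed carries more fields per entry; the CVE IDs below are placeholders, not real CVEs.
KEV_FEED_JSON = """{"vulnerabilities": [
  {"cveID": "CVE-0000-0001", "knownRansomwareCampaignUse": "Known"},
  {"cveID": "CVE-0000-0002", "knownRansomwareCampaignUse": "Unknown"},
  {"cveID": "CVE-0000-0003", "knownRansomwareCampaignUse": "Known"}
]}"""


@dataclass(frozen=True)
class Finding:
    asset: str
    cve: str
    cvss: float
    critical_asset: bool   # answer from the crown-jewels inventory, never "everything"


# Constructed scanner output for a handful of hosts.
FINDINGS = [
    Finding("prod-db-01", "CVE-0000-0001", 9.8, True),
    Finding("prod-db-01", "CVE-0000-0004", 7.5, True),
    Finding("reception-pc", "CVE-0000-0001", 9.8, False),
    Finding("vpn-gw", "CVE-0000-0002", 6.5, True),    # in KEV but below a 7.0 cutoff
    Finding("reception-pc", "CVE-0000-0005", 5.3, False),
    Finding("file-srv", "CVE-0000-0003", 8.8, False),
]


def load_kev(feed_json: str) -> dict[str, bool]:
    """Map each KEV cveID to whether CISA flags known ransomware campaign use."""
    data = json.loads(feed_json)
    return {v["cveID"]: v.get("knownRansomwareCampaignUse") == "Known"
            for v in data["vulnerabilities"]}


def tier(f: Finding, kev: dict[str, bool]) -> int:
    """Lower tier = fix sooner. Combines the article's three elements:
    KEV membership first, crown-jewel status second, CVSS last."""
    in_kev = f.cve in kev
    if in_kev and f.critical_asset:
        return 1
    if in_kev:
        return 2
    if f.critical_asset and f.cvss >= 7.0:
        return 3
    if f.cvss >= 7.0:
        return 4
    return 5


def plan(findings: list[Finding], kev: dict[str, bool]) -> list[Finding]:
    """Remediation order: tier, then ransomware-linked KEV entries, then CVSS, then asset."""
    return sorted(findings,
                  key=lambda f: (tier(f, kev), not kev.get(f.cve, False), -f.cvss, f.asset))


def missed_by_cvss_cutoff(findings: list[Finding], kev: dict[str, bool],
                          cutoff: float = 7.0) -> list[Finding]:
    """KEV findings that a 'CVSS >= cutoff only' policy would leave untouched."""
    return [f for f in findings if f.cve in kev and f.cvss < cutoff]


if __name__ == "__main__":
    kev = load_kev(KEV_FEED_JSON)
    for f in plan(FINDINGS, kev):
        print(f"tier {tier(f, kev)}  {f.asset:<13} {f.cve}  cvss {f.cvss}")
    for f in missed_by_cvss_cutoff(FINDINGS, kev):
        print(f"skipped by a CVSS>=7 policy: {f.asset} {f.cve}")
```

The tiering is a starting point, not a standard: an organization that has accepted risk on a legacy host with compensating controls would add that as another input, but the ordering principle (exploited-in-the-wild beats a high severity number) is the one the article argues for.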
Why Validation Matters
Whatever ratio of the basic elements goes into your secret sauce, one element everyone needs to include is VALIDATION. I say this unequivocally. Check the console for deployment failures. Confirm on the scan results that the vulnerabilities are no longer showing. Pentest the defense-in-depth measures. Be sure. This isn’t a set-it-and-forget-it task. Validation truly closes these gaps.
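As an added example (not from the article), here is a Python routine that closes the loop the way the paragraph above demands: it reconciles a patch console's claimed deployment status with the scanner's before-and-after results, and it counts a finding as closed only when the rescan no longer reports it, never on the strength of a green console. The deployment statuses, host names and CVE identifiers are constructed placeholders.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Deployment:
    asset: str
    cve: str
    status: str   # "Succeeded", "Failed" or "Pending" (constructed vocabulary)


# Constructed console export for one patch window.
DEPLOYMENTS = [
    Deployment("prod-db-01", "CVE-0000-0001", "Succeeded"),
    Deployment("prod-db-01", "CVE-0000-0004", "Succeeded"),
    Deployment("vpn-gw", "CVE-0000-0002", "Failed"),
]

# Constructed (asset, CVE) pairs reported by the scans before and after the window.
SCAN_BEFORE = {
    ("prod-db-01", "CVE-0000-0001"), ("prod-db-01", "CVE-0000-0004"),
    ("vpn-gw", "CVE-0000-0002"), ("file-srv", "CVE-0000-0003"),
}
SCAN_AFTER = {
    ("prod-db-01", "CVE-0000-0004"), ("vpn-gw", "CVE-0000-0002"),
    ("file-srv", "CVE-0000-0003"), ("reception-pc", "CVE-0000-0005"),
}


def validate(deployments: list[Deployment],
             before: set[tuple[str, str]],
             after: set[tuple[str, str]]) -> dict[str, list[tuple[str, str]]]:
    """Every finding from the pre-patch scan lands in exactly one bucket.
    Only a clean rescan counts as closed; the console's status is cross-checked, not trusted."""
    status = {(d.asset, d.cve): d.status for d in deployments}
    report = {"closed": [], "claimed_fixed_still_present": [],
              "deploy_failed_or_pending": [], "no_deployment_record": [],
              "new_since_last_scan": []}
    for key in sorted(before):
        if key not in after:
            report["closed"].append(key)
        elif status.get(key) == "Succeeded":
            # Console says done, scanner disagrees: reboot pending, wrong package,
            # or scanner false positive. Either way it needs a human to look.
            report["claimed_fixed_still_present"].append(key)
        elif key in status:
            report["deploy_failed_or_pending"].append(key)
        else:
            report["no_deployment_record"].append(key)
    report["new_since_last_scan"] = sorted(after - before)
    return report


if __name__ == "__main__":
    for bucket, items in validate(DEPLOYMENTS, SCAN_BEFORE, SCAN_AFTER).items():
        print(f"{bucket}: {items}")
```

The bucket worth watching is `claimed_fixed_still_present`: that is the gap a console-only check leaves open, and it is exactly the case where "the patch went out" and "the vulnerability is gone" are not the same statement.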
Security maturity isn’t about eliminating risk; it is about making it harder for attackers to win. Every incremental step, from better passwords to closing the loop on patch deployments, is a move from checkbox security to real security and resilience.
Sources:
[1] Verizon Data Breach Investigations Report (DBIR): https://www.verizon.com/business/resources/reports/dbir/?cmp=2025:05:ge:us::ns:pre:pse:goo::ao:8888855284:_ds_cid_12663792230_ds_agid_120689634176&utm_term=verizon%20breach%20report&utm_medium=cpc&utm_source=google&utm_campaign=GGL_BND_Security_Exact&utm_content=Enterprise&gclsrc=aw.ds&gad_source=1&gad_campaignid=12663792230&gbraid=0AAAAABymyRE2PWosjzeVrv6YkVsXHYNjh&gclid=EAIaIQobChMIu9iEiMTgkAMVaSvUAR0kdhl0EAAYASAAEgKFivD_BwE
[2] NIST, How do I create a good password?: https://www.nist.gov/cybersecurity/how-do-i-create-good-password
[3] Nucleus Security, Top Observations from the CISA KEV Enrichment Dashboard: https://nucleussec.com/blog/top-observations-from-cisa-kev-enrichment-dashboard/#:~:text=Comparing%20CVSS%20Score%20Distributions:%20CISA%20KEV%20vs.&text=CISA%20KEV%20exposes%20some%20of,CVSS%20validates%20as%20high%20risk.