By Michael Henry, CEO, Accelerynt
As a security or IT leader, you’ve known for years that the help desk is a soft target. You’ve seen the “medium-risk” findings from pen tests. You’ve pushed for training. You’ve reviewed the policies.
The $380 million Clorox lawsuit and the $100 million MGM breach have changed the game.
What was once a “medium-risk” operational finding is now a board-level, quantified financial liability. The gap between your written policy and your help desk’s real-world practice is no longer a training issue; it’s a catastrophic legal and financial risk.
Your board has read the headlines. They are reading governance articles (like our first one). They are being coached by auditors and GCs. They are about to shift from asking, “Are we secure?” to demanding, “Can you prove we aren’t vulnerable to that specific attack?”
This article is your playbook to answer that question. It’s not about doing another audit. It’s about delivering executive-level proof.
The CISO’s Dilemma: Trapped by Old Fixes
The pressure from the board is to “fix this,” but the traditional CISO toolkit is poorly suited for this new challenge. This leads to three common traps:
Trap 1: The “Audit & Train” Cycle
The default response is to (1) review the help desk policy and (2) assign more training. This is a “compliance” fix for an engineering problem. It fails because it doesn’t change the system. It still relies on a human operator to make a perfect decision under pressure, which is precisely what failed at Clorox and MGM.
Trap 2: The “Change Management Wall”
Even when you identify a real fix (e.g., adding an MFA step-up or callback), you run into the “friction” debate. The business or the Change Advisory Board (CAB) pushes back, fearing a slowdown in IT support or executive complaints. You get stuck in a “change management” loop, leaving the vulnerability open while you debate.
Trap 3: The “Vendor Black Box”
If your help desk is outsourced, the trap is even worse. You’re told you can’t “test” the vendor’s employees, or you’re limited to reviewing their SOC 2 report. You’re left holding all the risk while your vendor contract gives you no real leverage. Your only move is to “escalate” to your account rep, which changes nothing.
The Playbook: The “Active Assurance” Model for CISOs
To break these traps, you must shift from a “compliance” mindset to an “assurance” model. This is an executable 3-step framework designed to deliver a tangible win fast, and to give you the exact “board-ready proof” your leadership needs.
Step 1: VALIDATE (Run the Real-World Test)
Stop auditing policies. Test the actual process. A controlled, “Clorox-style” test is the only way to get an objective baseline. This isn’t a year-long pen test; it’s a focused, two-week engagement to answer one question: “Can we be breached the same way?” In our experience conducting these, most organizations uncover critical, high-risk vulnerabilities in the first few days. This test gives you the objective evidence you need to override the “friction” debate.
Step 2: STAGE (Build the “Quick Win” Guardrail)
This is your antidote to the “Change Management Wall.” Do not just report the finding. Use the finding to immediately stage a technical guardrail in a test environment.
This “staged control” (e.g., an automated callback, a manager approval notification, or an MFA step-up) is configured, documented, and ready for deployment. This completely reframes the conversation with the business. You are no longer proposing a theoretical fix; you are demonstrating a tested, proven solution. You’ve turned a problem into a “quick win” that proves immediate progress.
Step 3: GOVERN (Deliver the Board-Ready Proof)
You now have the two key ingredients for an executive conversation: (1) objective evidence of the risk and (2) a staged, ready-to-go solution. The final step is to package this into a board-ready report.
This isn’t an audit log. It’s a 3-page executive summary:
- The Finding: “We ran a controlled test; here is the vulnerability we found.”
- The Solution: “We have already staged, tested, and documented a technical guardrail to fix it. Here is the deployment plan.”
- The Roadmap: “Here is the 90-day plan to address the other, systemic issues this test uncovered.”
From Liability Manager to Executive Leader
The $380M question is coming to your boardroom. When it does, this playbook allows you to be the most prepared person in the room.
Instead of being on the defensive, you are in command. You are not “looking into” a problem; you are presenting a “board-ready” solution. You’ve successfully transformed a “medium-risk” IT issue into a high-visibility, executive-level win.
If you are preparing for a board conversation about help desk security, or need to validate whether your controls would survive a Clorox-style attack, start with a controlled test of your actual process, not a review of your policy documents. This is how you deliver proof.
About Accelerynt
Accelerynt delivers operator-led security assessments that test vendor governance, optimize Microsoft security investments, and map operational risk to business impact. We provide board-ready evidence within weeks. Every assessment includes documented findings and outcome guarantees. Contact us to schedule a discovery call.