“When we select vendors, we tell them we’re not going to issue a password or even a token or a key; those are all examples of static authenticators,” he says. “But we’re also realistic, so if there is a product we need that requires passwords, then we require passwords to be rotated frequently. For us, the use of static credentials has become the exception, not the rule.”
2. Mandatory scheduled penetration testing
Although it is a practice rather than a specific security tool, mandatory scheduled pen testing is cited by some as an outdated strategy.
Attila Torok, CISO at tech company GoTo, for one, believes that the once- or twice-a-year penetration tests done to satisfy regulatory or vendor requirements don’t effectively evaluate an organization’s true security posture. Rather, he says they capture only a snapshot of the environment’s security at a single point in time.