When Visibility Breaks and Everything Feels Urgent, Identity Becomes the Way Back to Control
- At Keeper Security, leadership is not about managing tools; it’s about managing risk as a business function.
- There needs to be a shift in organizational culture in which security is seen as an enabler of the business and not the “no” shop.
- Boards have become more engaged in cybersecurity and seek defensible answers on risk.
- Barney warns that if you don’t control identity, you don’t control risk.
- You must know at an enterprise level who, whether people or machines, has access to data, and at what levels.
In this episode of CISO Decoded, Shane Barney, Chief Information Security Officer at Keeper Security, brings focus to the problem security teams feel every day: loss of visibility. Barney has spent over a decade in federal cybersecurity, including leadership roles at USCIS, working on systems where failure carries real consequences.
Barney observes that attackers are logging in. Credentials, service accounts, API keys, and tokens are central to how breaches unfold. Security teams are not short on tools. They are short on clarity.
Many of these identities are created for efficiency, but rarely tracked, rotated, or governed consistently. At the same time, organizations continue to add tools to manage risk. More tools often mean more fragmentation. When controls are not enforced consistently, gaps appear. And those gaps are what attackers look for.
Barney aims to reduce complexity, enforce identity controls, automate where scale demands it, and measure security by outcomes. Because in practice, security does not fail from lack of effort. It fails when systems become too complex to see and too fragmented to control.
Vishwa: Can you walk us through your journey to becoming a CISO and what shaped your approach to security leadership?
Shane: My path to becoming a CISO was shaped over more than two decades in federal cybersecurity, particularly at US Citizenship and Immigration Services within the Department of Homeland Security. That environment really forces clarity, given that you're protecting highly sensitive systems under constant pressure, with real-world consequences if you get it wrong.
What shaped my leadership approach was the shift from reactive security to operational discipline. Early on, security teams were overwhelmed by alerts and manual processes. We moved toward automation, intelligence-led defense and identity-centric controls. That transition was key in delivering measurable outcomes, including significant reductions in manual workload and improved response times.
I’ve carried that forward into my current role. Security leadership is no longer about managing tools; it’s about managing risk as a business function to ensure continued operational resilience. That means aligning security decisions to mission impact, simplifying complexity wherever possible and building systems that are resilient by design.
Vishwa: Where do you encounter the most friction in fulfilling a CISO’s responsibilities, and what changes would help address it more effectively?
Shane: The biggest source of friction is the gap between security requirements and operational realities. Security is often perceived as a control function that slows the business down, rather than an enabler of resilience: the part of the organization that says “no” to good ideas.
Much of this friction stems from fragmented tooling and inconsistent identity controls. When organizations rely on siloed systems, they lose visibility and introduce gaps that attackers will invariably exploit.
Consolidation and clarity are essential. A unified approach to identity and access, where policies are enforced consistently and visibility is centralized, reduces both risk and operational drag. Equally important is the ability to automate.
If security processes rely on human intervention at scale, they will fail at scale. This is why organizations are increasingly shifting toward unified, identity-centric platforms that deliver visibility, control and enforcement in a single architecture.
Perhaps most importantly, there needs to be a shift in organizational culture in which security is seen as an enabler of the business and not the “no” shop. Business components should come to value security as a team player and ensure they have a seat at the table as new ideas and concepts are discussed and put into action. The CISO’s job is to ensure that the business is securely successful.
Vishwa: How have expectations from boards influenced the way you approach security leadership?
Shane: Boards have become far more engaged in cybersecurity, both out of operational necessity and statutory requirement. As such, their expectations have also matured. They’re no longer looking for technical details. Instead, they expect clear, defensible answers on risk.
That changes how you operate as a CISO. You need to translate complex threats into business impact:
- What is the exposure?
- How likely is it?
- What are we doing to deter it?
It also drives accountability. Boards expect measurable outcomes, not just activity. That means moving beyond compliance-based reporting to demonstrating how security controls are actively reducing risk.
Vishwa: In your experience, where do organizations tend to underestimate identity-related risks?
Shane: Most organizations still underestimate how central identity has become to modern attack chains. The focus is often on endpoints or networks, but attackers are targeting credentials because they provide legitimate access.
The truth of the matter is that identity is core to security. It is foundational to everything a cybersecurity program does. If you cannot determine at an enterprise level who, whether people or machines, has access to your network, systems, and data, and at what levels, you have not just lost the battle, you have lost the entire cyber war. Identity security is foundational to cybersecurity.
The biggest blind spot today is non-human identities (NHIs) such as API keys, service accounts, and tokens. There has been a widespread proliferation of these NHIs because they promise more efficient operations. However, they are often poorly governed, rarely rotated and widely distributed across environments.
Once compromised, they allow attackers to move laterally without triggering traditional controls. As automation and AI adoption accelerate, the number of NHIs will continue to grow rapidly, expanding the attack surface. That’s why identity should be treated as the primary control plane, not just an authentication layer. If you don’t control identity, you don’t control risk.
Vishwa: How do you decide which risks require escalation and which can be managed within the team?
Shane: It comes down to impact and scope. If a risk has the potential to affect mission-critical systems, sensitive data or regulatory obligations, it requires escalation. Escalation is as much about visibility as it is about severity.
Leadership needs to understand risks that could materially affect the organization’s ability to operate. At the same time, mature security teams should be empowered to manage routine risks independently. That balance is critical – if everything is escalated, nothing is prioritized effectively.
Vishwa: How has the rise of identity-based attacks influenced approaches to access control?
Shane: Identity-based attacks have fundamentally changed access control from a static model to a dynamic one. Traditional approaches assumed that once a user was authenticated, they could be trusted. That assumption no longer holds.
Access now needs to be continuously validated based on context, behavior and risk. This is where zero-trust principles become operational. Access should be time-bound, task-specific and continuously monitored. The goal is to eliminate standing privilege and reduce the attack surface as much as possible.
Vishwa: What role do tools like password managers and PAM play in reducing everyday risk?
Shane: Password managers and PAM platforms play a foundational role because they address one of the most persistent weaknesses in cybersecurity: credential management. Password managers reduce reuse and improve credential hygiene, while Privileged Access Management (PAM) enforces least privilege and provides visibility into how access is used.
More importantly, modern approaches extend beyond passwords. Secrets management – protecting API keys and service credentials – is equally critical. Together, these controls limit lateral movement and reduce the likelihood that a single compromise leads to a broader breach.
Modern PAM solutions are no longer standalone tools, but part of a unified identity security platform that secures human and non-human access across the enterprise.
Vishwa: How do you approach adoption challenges when introducing security tools across teams?
Shane: Adoption fails when security is imposed rather than integrated. If a control disrupts workflows, people will find ways around it. The focus should be on reducing friction. That means aligning security controls with how teams already work, automating wherever possible and making secure behavior the default.
It also requires clear communication. People need to understand not just what they’re being asked to do, but why it matters in the context of real threats.
Vishwa: How do you assess whether a security solution is effectively reducing risk?
Shane: Effectiveness comes down to measurable outcomes, not feature sets. You should be able to answer a few key questions:
- Has the attack surface been reduced?
- Are privileged accounts better controlled and monitored?
- Has detection and response time improved?
If a solution doesn’t materially change those metrics, it’s only adding complexity rather than reducing risk.
Vishwa: How do you view the role of user behavior in modern attack chains?
Shane: User behavior remains central, but it’s important to frame it correctly. Attackers aren’t just exploiting mistakes; they’re exploiting trust, urgency, and cognitive overload, not just technical flaws.
Phishing, credential theft and social engineering all rely on users acting in good faith. At the same time, machine identities are now part of that equation and they operate at a scale and speed that humans cannot.
That’s why behavior needs to be monitored continuously, not just at the point of authentication. The focus should be on detecting deviations from expected activity and enforcing controls in real time.
Ultimately, security isn’t about eliminating human error – it’s about designing systems that remain secure even when it happens. Organizations that treat identity as the modern perimeter and enforce continuous control around it will be far better positioned to withstand today’s evolving threat landscape.