Every organization will get breached. The question is not if but when, and how well you limit the impact. Nader Zaveri, Senior Manager in Incident Response and Remediation at Mandiant (now part of Google Cloud), handles multiple new investigations every week. With over 15 years of experience across IT security, infrastructure, and risk management, he brings a front-lines perspective on what actually works when organizations are under active attack, including a real-world story of implementing MFA number matching across 100,000 users in a single weekend during an active breach.
You can read the complete transcript of the episode here >
How should organizations prepare for and respond to data breaches?
Nader sees organizations that have spent significant money on security still get breached every week. The mindset shift is critical: move from “if we get breached” to “when we get breached” and focus on limiting impact rather than preventing all breaches.
The preparation framework:
- Document an Incident Response Plan: Without one, people panic and make rash decisions during a breach.
- Socialize the plan: Both leadership and technical practitioners must understand what happens during a breach, who gets informed, and the escalation strategies.
- Test with tabletop exercises: As Mike Tyson said, “everyone has a plan until they get punched in the face.” Tabletop scenarios are the cheapest way to test your IR plan without waiting for a real incident.
- Include all stakeholders: Tabletop exercises should bring together legal counsel, communications, social media, and the IR team. Often this is the first time these groups have been in the same room together.
After tabletops, graduate to simulated attacks with technical simulations like purple teaming. The key principle: never change the tire while the car is moving. Test everything in advance so that during a real incident response, the team executes from muscle memory rather than improvising under pressure.
How do you combat MFA fatigue and social engineering attacks?
MFA fatigue is one of the most common attack vectors Nader encounters weekly. Threat actors send repeated MFA push notifications until a user approves one out of frustration or trust. The solutions:
- Move to one-time passwords: Yes, it is more friction for users. But the security implications of push notification abuse are severe.
- Implement number matching: Microsoft Azure’s number matching requires users to enter a displayed number on their phone, proving a human is behind the request. Nader’s team implemented this across 100,000 users in a single weekend during an active breach.
- Add geolocation context: Show users where the login attempt originates. A request from an unexpected country is an immediate red flag.
- Restrict MFA enrollment by IP: Require that new device enrollments happen only from trusted IP ranges (corporate VPN or on-site). This prevents attackers from enrolling their own devices after initial compromise.
- Hardware keys as the gold standard: FIDO2/U2B keys provide the strongest authentication and are immune to fatigue attacks.
The real-world scenario is telling: during an active IR, the threat actor kept getting kicked out and re-entering through MFA fatigue on different users. The only way to stop them was implementing number matching organization-wide. During incidents, two things happen: the checkbook opens and security becomes the top priority. Organizations become willing to accept user friction that they would have rejected during peacetime.
When should organizations invest in certifications versus security posture?
Nader understands the need for certifications like SOC 2, ISO, and HIPAA from his risk assessment background. They serve regulatory requirements and help win contracts. But they are not enough:
- Certifications validate process and documentation: They confirm that policies exist and are followed. This is important but insufficient.
- Technical validation is separate: Red team exercises, purple teaming, and threat simulations test whether your security actually works under attack conditions.
- Know your threat landscape: This should dictate prioritization. You might get 200 findings from an assessment, but your threat landscape determines which ones to address first.
- Certifications do not prevent breaches: Many organizations Nader investigates have certifications in place. The breach happened anyway because technical controls did not match the documented processes.
The recommendation: get certifications where required for business reasons, but never assume they represent actual security. Always validate with technical testing against realistic threat scenarios.
Is security a top-down or bottom-up initiative?
Nader is unequivocal: security must be top-down, ten times out of ten. His personal experience illustrates why:
During his first seven years as an internal security professional, his recommendations consistently fell on deaf ears. Then expensive consulting firms would come in and make the same recommendations, and leadership would act on them. This is demoralizing but common. The turning point came when his leadership noticed the overlap and started giving his recommendations more credence.
From the consulting side, the dynamic is clear:
- Executives control prioritization: They decide whether security projects get resources or sit in the backlog.
- Budget authority matters: During incidents, the checkbook opens. Outside of incidents, security competes with every other priority.
- Board-level attention drives action: When the board understands the threat landscape, organizations make true leaps in security maturity.
For practitioners stuck in this cycle: do not get discouraged. Keep making recommendations, document them, and eventually the alignment between your advice and external validation will build your credibility internally.
How do you build accountability-driven security culture?
Nader’s cultural framework centers on one word: accountability. Security is everyone’s responsibility because it takes just one user approving a false MFA push to compromise an entire organization.
Building that accountability:
- Communicate the threat landscape regularly: Share real-life scenarios with leadership. Explain how ransomware has evolved from one or two people to fully functional organizations with specialized teams for initial access, lateral movement, and encryption.
- Make it tangible: Abstract threats do not motivate action. Specific examples of how organizations in your industry got breached, and what it cost them, change mindsets.
- Accept that some will not change: Not everyone will prioritize security until their organization gets breached. Focus on those who will listen.
- Use incidents as catalysts: During active breaches, security becomes the top priority and user friction becomes acceptable. Use that window to implement changes that would have faced resistance otherwise.
The evolution of ransomware illustrates why this matters: modern ransomware operates as a service with specialized teams. It is an organization attacking another organization. Understanding that gravity changes how leadership thinks about security investment. This accountability-first approach complements how other leaders think about shifting security culture across organizations.
