Security Director Opposed MFA, Citing Over-Security Concerns
A recent IT security implementation faced unexpected resistance from a senior executive who believed multi-factor authentication was excessive, highlighting a disconnect between security best practices and executive perception.


A recent IT security rollout at a customer site encountered significant resistance from a senior director, who reportedly believed that implementing multi-factor authentication (MFA) constituted “too much security.” The incident, shared by an IT professional identified as “Colin” to The Register’s “On Call” column, underscores a potential disconnect between cybersecurity best practices and executive-level perception of security measures.
The customer had embarked on an initiative to enhance its Microsoft 365 security posture, aiming to improve its Secure Score, a metric used by Microsoft to evaluate an organization’s security resilience. Colin and his team were tasked with enabling MFA across the board, a standard security baseline aimed at mitigating unauthorized access.
Executive Opposition to MFA
The implementation proceeded smoothly until the following morning, when a senior director, allegedly the former COO of a cybersecurity company, contacted the service desk with strong objections. The director claimed that the MFA rollout had crippled a critical invoicing system and would lead to severe financial repercussions.
Colin and his colleagues investigated the claims and discovered that the issue was not widespread, affecting only a few phones. The core problem was traced to the invoicing software, which, despite promising MFA support, relied on buggy underlying software to function.
However, the director was not swayed by this technical explanation. Instead, she demanded an immediate rollback of the MFA implementation, a decision that reportedly remains in place, effectively reverting the company’s security to a less secure state.
Refusal to Wait for Workarounds
Colin expressed surprise that a former cybersecurity COO would not wait for a workaround or a more detailed explanation of the issue. This executive’s insistence on an instant rollback, despite the security implications, prompted the IT team to comply with her demand for “no MFA, and worse security.”
This was not an isolated incident of questionable judgment from this particular director. Colin recounted other instances of nonsensical requests, including demanding an engineer who couldn’t drive visit a remote site urgently to fix a printer. In another bizarre claim, the same executive attributed a power outage to Colin’s work on M365.
Implications for IT Security
The situation highlights a challenge faced by many IT and security professionals: navigating the executive landscape where security decisions can be influenced by factors other than pure risk assessment. The perception that MFA is an impediment rather than a necessary safeguard can lead organizations to compromise their security posture.
For IT and security teams, such resistance can be demoralizing and counterproductive. It underscores the need for effective communication and education at all levels of an organization, particularly among senior leadership, to ensure a shared understanding of cybersecurity threats and the importance of robust protective measures. The incident also raises questions about the effectiveness of security leadership when faced with perceived inconveniences.
Key facts
| Aspect | Detail |
| :———————- | :—————————————————————— |
| Event | Rollout of MFA met with executive opposition |
| Reported Issue | Invoicing system failure allegedly caused by MFA implementation |
| Actual Cause | Buggy invoicing software, not MFA itself |
| Executive’s Stance | Believed MFA was “too much security”; demanded immediate rollback |
| Source of Information | “On Call” column in The Register, shared by “Colin” |
This situation is relevant to ReviewArticle readers as it pertains to the practical implementation and reception of security tools and policies within organizations. The executive’s stance on MFA, questioning its necessity and impact on operational efficiency, is a recurring theme in discussions about cybersecurity adoption. It sheds light on the challenges of promoting security best practices when faced with resistance rooted in a different perception of risk and operational impact. Understanding these dynamics is crucial for anyone involved in deploying or managing security technologies.
Source: The Register AI – Security boss thought MFA would be too much security (https://www.theregister.com/security/2026/06/26/security_boss_thought_mfa_would_be_too_much_security/5261934)
Datos clave
| Punto | Detalle |
|---|---|
| Fuente | The Register AI |
| Fecha | 2026-06-26T06:30:00+00:00 |
| Tema | Security boss thought MFA would be too much security |
Source
The Register AI Publicacion original: 2026-06-26T06:30:00+00:00
Maya Turner
Colaborador editorial.
