
Five questions to ask about email whitelists


COMMENTARY: The company just approved a significant zero-trust investment that included microsegmentation, identity-first access, and continuous verification across the network’s infrastructure. The board signed off — and implementation proceeded.

Now ask the CISO: how many permanent exceptions exist in the company's email security whitelist?


The answer will likely surprise many people, and it explains why organizations with mature zero-trust implementations still suffer business email compromise breaches that cost, on average, $50,000 to $120,000 per incident according to the FBI's Internet Crime Complaint Center (IC3) report.

The governance gap nobody talks about

The principles of zero trust are clear: never trust, always verify. No permanent access. Every connection authenticated. Every request validated.

These principles get applied rigorously to network access, identity management, and application security. But they rarely get applied to email.

Instead, email security operates under a different governance model — one in which exceptions are permanent by default, created under operational pressure, and rarely reviewed. Every whitelisted domain, every trusted sender exception, every "just make it work" accommodation punches a hole through the security architecture the company paid to build.

This isn't a failure of security teams. It's a failure of tooling that forces an impossible choice.

Consider what actually happens when email security generates false positives. The CFO can't act on wire instructions because the bank's messages are sitting in quarantine. Legal can't receive settlement documents from opposing counsel. The CEO's DocuSign contracts aren't getting through.

These aren't hypothetical scenarios. They're Wednesday afternoon.

Security teams face immediate pressure to restore business function. The deal closes today. The wire needs to go out before end of business. Legal has escalated to the C-suite. In that moment, the choice between "maintain zero-trust principles" and "keep the business running" isn't theoretical.

They create exceptions. Whitelists. Permanent trust grants that solve the immediate problem and create the long-term vulnerability.

Why exceptions are now a board-level issue

The compounding risk from email exceptions creates exposure that should concern every IT and business leader.

  • Vendor compromise: The trusted vendor, the one the company has worked with for years and whose domain has been whitelisted, gets its email infrastructure compromised. It happens constantly. The attacker inherits the company's whitelist entry: mail from that domain now skips the checks that would otherwise flag it. Because the messages really do come from the vendor's infrastructure, they pass SPF, DKIM and DMARC anyway, so the whitelist removes the content and behavioral analysis that was the last control standing. Their fraudulent requests bypass security entirely, and that is exactly how vendor email compromise, the most damaging form of modern business email compromise, works.
  • Executive exposure: Executives are typically the most whitelisted users in any organization — and therefore the most valuable targets. When an executive’s account gets compromised, the attacker benefits from every exception created to reduce friction for that user. The wire transfer request doesn't trigger alerts because security was told to stop scrutinizing those communications.
  • Audit disconnect: Organizations demonstrate email security controls to auditors and report defenses are in place. The compliance box gets checked. But the whitelist file tells a different story — one that creates exactly the attack surface adversaries exploit. The audit passes. The breach still happens.

Five questions every IT leader should ask

The path forward isn't demanding that security teams stay more disciplined about exceptions. They're already making the best decisions available given their tools.

Companies need to find out if their email security tooling applies the same governance principles they require everywhere else:

  • Do trust exceptions expire by default? Or do they persist indefinitely until someone remembers to review them?
  • Does detection continue even when blocking gets constrained? Or does accommodating an executive mean creating a complete blind spot?
  • Does impact get assessed before exceptions deploy? Or does the rule designed to help one user accidentally expose hundreds of others?
  • Are decisions documented with business justification? Or do exceptions accumulate without institutional memory of why they exist?
  • Does authority match risk level? Or can a help-desk ticket create enterprise-wide exposure?
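The five questions translate fairly directly into checks that can be run against an allowlist export. The following is an added example, not code from the column or from any email gateway product: a small Python audit that reads a constructed CSV export and reports, per entry, which of the five questions it fails. The column names, the "bypass_all" versus "log_only" modes, the approval tiers and the sample rows are all assumptions for illustration; map them onto whatever your gateway actually exports.

```python
"""Audit an exported email allowlist against the five questions above.

Added example: this is not the column's code or any gateway vendor's tooling.
The CSV layout, the approval tiers and the sample rows are assumptions;
map the fields onto whatever your mail gateway actually exports.
"""
import csv
import io
from datetime import date

# Constructed sample export (hypothetical domains, mailboxes and approvers).
SAMPLE_EXPORT = """\
id,pattern,scope,mode,created,expires,justification,approved_by,affected_users
1,vendor-payments.example,org,bypass_all,2021-03-04,,,helpdesk,1800
2,docusign.example,org,bypass_all,2023-09-12,2023-10-12,CEO contracts,ciso,1800
3,opposing-counsel.example,user:legal@corp.example,log_only,2024-05-01,2024-06-01,settlement docs for case 17,director,1
4,bank.example,user:cfo@corp.example,bypass_all,2024-11-20,2025-02-20,wire instructions,ciso,1
5,*.example,org,bypass_all,2022-01-15,,,helpdesk,1800
"""

# Assumed approval policy: the bigger the blast radius, the higher the
# tier that must sign off (question 5: authority should match risk).
AUTHORITY = {"helpdesk": 0, "director": 1, "ciso": 2}
BROAD_SCOPE_USERS = 100  # at or above this, a rule is treated as enterprise-wide


def required_tier(affected_users: int) -> int:
    if affected_users >= BROAD_SCOPE_USERS:
        return AUTHORITY["ciso"]
    if affected_users > 1:
        return AUTHORITY["director"]
    return AUTHORITY["helpdesk"]


def parse(export_text: str) -> list[dict]:
    rows = []
    for row in csv.DictReader(io.StringIO(export_text)):
        row["affected_users"] = int(row["affected_users"])
        row["expires"] = date.fromisoformat(row["expires"]) if row["expires"] else None
        rows.append(row)
    return rows


def audit_entry(e: dict, today: date) -> list[str]:
    """Return the finding codes for one allowlist entry, one check per question."""
    findings = []
    # Q1: do exceptions expire by default?
    if e["expires"] is None:
        findings.append("no_expiry")
    elif e["expires"] < today:
        findings.append("expired_still_active")
    # Q2: does detection continue? "log_only" keeps scanning and only stops
    # blocking; "bypass_all" is a complete blind spot.
    if e["mode"] == "bypass_all":
        findings.append("detection_disabled")
    # Q3: was impact assessed? Wildcards and org-wide rules need a review of
    # who they actually expose, not just who asked for them.
    if "*" in e["pattern"]:
        findings.append("wildcard_pattern")
    if e["scope"] == "org" and e["affected_users"] >= BROAD_SCOPE_USERS:
        findings.append("broad_scope")
    # Q4: is the business justification recorded?
    if not e["justification"].strip():
        findings.append("no_justification")
    # Q5: did the approver's authority match the blast radius?
    if AUTHORITY.get(e["approved_by"], -1) < required_tier(e["affected_users"]):
        findings.append("authority_mismatch")
    return findings


def audit(export_text: str, today: date) -> dict[str, list[str]]:
    return {e["id"]: audit_entry(e, today) for e in parse(export_text)}


def summarize(report: dict[str, list[str]]) -> dict[str, int]:
    """Count how many entries fail each check, for the board-level view."""
    counts: dict[str, int] = {}
    for findings in report.values():
        for f in findings:
            counts[f] = counts.get(f, 0) + 1
    return counts


if __name__ == "__main__":
    report = audit(SAMPLE_EXPORT, date.today())
    for entry_id, findings in report.items():
        print(entry_id, ", ".join(findings) or "clean")
    print(summarize(report))
```

Run against the sample, the two "just make it work" entries created through the help desk (1 and 5) fail four or five of the five checks at once, which is the pattern the questions are designed to surface: no expiry, detection fully bypassed, enterprise-wide scope, no justification, and an approver whose authority did not match the exposure. Entry 3, scoped to one mailbox in log-only mode with a recorded reason, fails only because nobody removed it when it expired.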

Organizations adopted zero-trust because the old model couldn't survive modern threats. Castle-and-moat thinking — implicit trust inside the perimeter — created exactly the vulnerabilities adversaries exploited.

The email whitelist has become the castle-and-moat thinking hiding inside many modern security architectures.

Zero trust is not just a network architecture. It's a principle, and that principle should apply everywhere, including how organizations manage trust in email security. The tooling should support that principle, not undermine it.

The organization’s zero-trust investment deserves tools that don't force security teams to dismantle it under operational pressure.

Alan LeFort, co-founder and CEO, StrongestLayer

SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.
