Hello, CyberTech community. Welcome to part #10 of the CyberTech Top Voice interview series with Keeper Security’s Chief Information and Security Officer (CISO) James Scobey.

The latest CyberTech Interview with Keeper Security’s James Scobey is an interactive Q&A-styled conversation. In the interview, James shared his views on the unprecedented number of risks that unsecured passwords expose enterprise IT and data assets to. Keeper Security, a zero-trust and zero-knowledge cybersecurity software provider, offers an industry-leading password management solution. Designed with end-to-end encryption and a zero-knowledge architecture, Keeper ensures that only you can access your passwords and confidential data — not even Keeper can see them. With Keeper, you can mitigate the risks of password-related breaches, improve your organization’s cybersecurity posture, and create a seamless, secure experience for your entire team.

Join us in shaping the future of cybersecurity. Learn more about how intelligent password security management platforms like Keeper Security can help you achieve your goals.

Here’s what James had to say to the CISO community.

Hi James, welcome to the CyberTechnology Top Voice Interview Series. Please tell us about your most memorable CISO moment.

James: One morning, in a past role, multiple alerts started flooding our SOC dashboard. We had apparent intrusions in three different critical applications simultaneously. The SOC team was mobilizing, incident response procedures were spinning up and my phone was buzzing with executives wanting answers.

Just as I was about to declare a major security incident, I received three separate emails – from three different red team contractors, all gleefully reporting their successful penetration into our systems. In an incredible cosmic alignment of terrible timing, all three independently contracted red teams had chosen the exact same morning to launch their assessments.

The good news? Our detection systems worked great. The bad news? I had just witnessed an inadvertent red team denial-of-service attack on our security operations. It was a hard way to learn the lesson of coordinating calendars.

If the CISO role was a novel/TV/movie character, which one would you pick and why?

James: It would be Admiral William Adama from Battlestar Galactica – and not just because we both spend too much time dealing with cyber threats. Like Adama, CISOs protect a diverse fleet (of systems rather than spaceships), must maintain old-school security fundamentals while adapting to new threats, and spend our days balancing limited resources against seemingly infinite threats.

Of course, Adama only had to worry about one type of Cylon. CISOs have to defend against every type of threat actor, from script kiddies to nation states, all while managing an endless stream of meetings and budget discussions. Plus, our Cylons keep releasing their source code on GitHub. So say we all… right after we finish reviewing these vulnerability scan reports.

Password security continues to be a weak link in the cyber security framework. How does Keeper Security ensure organizations stay protected from password-related risks?

James: Keeper Security addresses the persistent challenge of password vulnerabilities by offering an advanced, encrypted vault designed for the rigorous demands of enterprise security. The Keeper platform enables seamless management and generation of robust, unique passwords and passkeys, fortified by proactive dark web monitoring and comprehensive policy enforcement. Keeper’s solution integrates seamlessly with existing IT systems, providing organizations with both control and visibility over credentials, effectively closing a major gap in their cybersecurity framework and delivering peace of mind through unparalleled password protection.

Passwords and humans – these are the weakest links in cybersecurity. What measures can organizations take to strengthen their defenses against cyber threats that target passwords and human behavior associated with password creation/logging?

James: Recognizing that human factors remain a crucial vulnerability, Keeper provides sophisticated tools that streamline and fortify password management. Our platform automates secure password and passkey creation and storage, minimizing reliance on memory or other insecure practices. With features like comprehensive password health assessments, secure record sharing and user behavior insights, Keeper empowers organizations to establish a culture of security-conscious behavior. By integrating Keeper’s platform, companies can ensure that sensitive credentials and data are shared securely, turning password management into a fortified line of defense against evolving cyber threats.

What kind of risks do unsecured passwords used in enterprise IT and data assets pose to organizations and individuals?

James: Unsecured passwords present significant risks, including unauthorized access, data breaches and severe compliance repercussions. Keeper mitigates these vulnerabilities through a centralized, encrypted approach to password management that not only strengthens individual passwords but also reinforces the overall security infrastructure. Keeper’s solution offers real-time visibility into password practices and enables IT teams to enforce stringent security protocols, ensuring that each password is as secure as the data it protects. With Keeper, organizations can safeguard critical assets and maintain the integrity of their IT environments.

According to reports, CISOs face unprecedented challenges against password attacks. Can AI assist in overcoming these challenges? 

James: Today, in the cyber arena, AI is an accelerator rather than an avenue for new capabilities. It’s very good at doing the things human attackers do, just faster and at a larger scale. Keeper has long integrated machine learning techniques to protect passwords through breach notification, dark web scanning, preventing unusual/impossible access and a number of other vectors. 

We’re continuing to improve and update these capabilities and introduce new protections integrating AI into our offering. This is absolutely an arms race: as bad actors integrate AI into their toolkits to be faster and better, organizations have to respond with tools like Keeper that integrate AI capabilities to defend against those avenues of attack.

In the last two years, how has the cybersecurity industry evolved in terms of password protection? Do you see passwordless as the future, or what should we expect?

James: The past two years have marked a shift in password security, with the industry finally moving from “talking about” to “implementing” passwordless authentication at scale. The widespread adoption of passkeys – which utilize ECDSA with P-256 curves or RSA public-key cryptography – represents the most significant evolution. These aren’t just another password alternative; they’re a cryptographically sound solution that generates unique key pairs per service, making them resistant to phishing and breach attempts while simultaneously improving the user experience. Keeper has supported passkey rollout from the very beginning and is absolutely the best way for enterprises to move from passwords to passkeys in a secure fashion.

While passwords won’t disappear overnight, passwordless authentication through passkeys is undoubtedly the future, and we’re already seeing this transition accelerate. The key driver isn’t just better security (though having private keys with origin binding and unique per-authentication signatures is a massive improvement) – it’s that users are getting a better experience that’s actually more secure. When tech giants, financial institutions, and major enterprises are all pushing in the same direction with a solution that’s both more secure and more user-friendly, the writing is on the wall for traditional passwords. The question isn’t if passwordless will become dominant, but how quickly organizations can implement and transition to these more robust authentication methods.

Our most popular question: CIO versus CISO – who owns the overall control of the enterprise security and information management systems? How do you define the two titles at Keeper Security?

James: Cybersecurity absolutely has to be integrated into service delivery as part of the overall IT strategy. When it’s not integrated, enterprises are less secure and security risks becoming a ‘self-licking ice cream cone’ – a cost center that isn’t delivering business value. The CIO has to own overall IT delivery/strategy and the CISO has to be responsible for cybersecurity strategy as part of that cohesive whole. So the CISO has to be subordinate to the CIO in that arena.

However, there are times CIOs have misaligned incentives when it comes to security. It’s critical that enterprises have a strategy for ensuring the CISO messaging and strategy isn’t getting crowded out or de-emphasized to meet CIO goals. There are a few different ways to accomplish this; my usual recommendation is to make sure the CISO has direct, regular communications and status updates with the CEO, Board, Chief Risk Officer and other senior business leaders. And the ousting of a CISO by a CIO should always, always have high levels of scrutiny from leadership outside the CIO organization.

Since Keeper is a cybersecurity company, we are absolutely obsessive about both our corporate cybersecurity and our product cybersecurity. Accordingly, we don’t have a CIO. The IT, Security, and DevSecOps teams report up to me as the CISO and I work very closely with our CTO and co-founder, Craig Lurey, who leads product development and engineering.

What are your predictions for the cybersecurity market in 2025? Can you crystal gaze into the future of cybersecurity for our audience?

James: Non-Person Entity (NPE) compromise will rise: As human identity protection improves through MFA and encryption, attackers will increasingly target non-human identities, particularly AI/LLM-powered bots and automated systems. The static nature of NPE authentication (like certificates) compared to dynamic human MFA makes these entities more vulnerable, creating a significant new attack vector as organizations increase their use of automation and AI systems. Implementation of a next-generation Privileged Access Management (PAM) solution that can protect NPEs and CI/CD pipelines is going to be critical for enterprises.

AI-powered social engineering will intensify. Deepfake attacks will become more sophisticated and prevalent, with attackers using AI to create highly convincing video and voice impersonations of senior leaders. These will be used in targeted phishing attempts to convince employees to grant access to protected resources. While AI will also enhance defense capabilities through pattern analysis and anomaly detection, organizations will have to strengthen and reinforce their authorization workflows to protect against these vectors.

Tag a leader in the cybersecurity industry or an influencer you would like to invite to a CyberTech Top Voice interview roundtable discussion:

James: Bob Lord, Senior Technical Advisor at CISA

https://www.linkedin.com/in/lordbob/

Thank you so much James for participating in our CyberTech Top Voice Interview series. We look forward to having you and Keeper Security leaders again!


About James Scobey


James Scobey is the Chief Information Security Officer (CISO) of Keeper Security, Inc. He previously worked at the US Securities and Exchange Commission (SEC) as a Chief Information Security Officer. Prior to his position as CISO at the SEC, Scobey served as President and Chief Executive Officer (CEO) of SigmaCyber, Chief Technology Officer (CTO) and Assistant Director of Cybersecurity Operations at the SEC, as well as Principal Systems Engineer and Cyber Performance Systems Engineer at the federally funded research and development organization MITRE. Scobey has also served in leadership and engineering roles at S2i2, Federal Data Systems, USmax Corporation, By Light Professional IT Services and SMS Data Products Group.

James Scobey holds a Master of Engineering in Cybersecurity Policy & Compliance from George Washington University, as well as a Master of Business Administration (MBA) and a Bachelor of Science (BS) degree in Computer Science from the University of Maryland Global Campus.

About Keeper Security

Keeper Security is transforming cybersecurity for people and organizations around the world. Keeper’s affordable and easy-to-use solutions are built on a foundation of end-to-end encryption, zero-trust and zero-knowledge security to protect every user on every device. Our next-generation privileged access management solution deploys in minutes and seamlessly integrates with any tech stack to prevent breaches, reduce help desk costs and ensure compliance. Trusted by millions of individuals and thousands of organizations, Keeper is the leader for best-in-class password and passkey management, secrets management, privileged access, secure remote access and encrypted messaging.