US secretary of defense Pete Hegseth made the second mistake of posting classified information without obtaining verification that the journalist was authorised and had a need to know the classified information.
Everyone else in the chat, including Cabinet-level officials such as vice-president JD Vance, made the third and continued mistake of doing nothing until after the initial story broke.
The US and its allies may simply have been lucky that their adversaries were not able to compromise the US military plans that week, but what was compromised was the trust that American allies place in their US national security counterparts.
This isn’t some random political embarrassment. It’s a case study in how security collapses when leadership treats basic rules as optional. If national security leaders won’t model discipline, how can anyone else in the system be expected to?
Processes and tools are not enough
As a Certified Information Systems Security Professional (CISSP) and COO supporting information security for multiple businesses, I’ve seen firsthand that encryption and published policies aren’t enough.
The Waltz-Hegseth leak, which is an affront to the entire security profession, didn’t happen because of poor technology. Signal is excellent when it is used properly. Secure communications channels and facilities, such as Sensitive Compartmented Information Facilities (SCIFs), already exist inside the government.
So, how did this scandal happen? Secure practices rely on culture. And culture is set at the top. Waltz, Hegseth and others prioritised convenience over responsibility. They believed the rules were there for other people.
The same risks exist in the private sector. In finance, healthcare, and defense industries, one executive ignoring protocol can compromise an entire organisation, especially if others believe protocol is optional.
Never share classified information outside vetted networks, and ensure only those with a need to know are able to see such information.
Escalate violations and apply breach consequences equally with no exceptions for title or rank.
Work with and support leadership to implement security best practices across all operations, not only obvious revenue drivers.
Train leaders and contributors alike to prioritise cyber security and refresh learnings continuously, not treat it as compliance paperwork.
Failures at the top don’t stay isolated. They erode standards across institutions and signal to adversaries that organisations lacking the maturity required to handle sensitive information are worth pursuing. We’re entering a new paradigm in which threats become fully automated and, using artificial intelligence (AI), can mount social engineering attacks at massive scale with little effort.
Security starts with leadership, not technology. When rules become optional for those in charge, the system is already compromised.