Lessons From Three Decades in Cybersecurity

I’m at my desk at the moment on my third coffee, pondering what seems like a lifetime of toil in the trenches of cybersecurity. I began, many years ago, back in 1993, as a network admin—betcha didn’t know there were people doing that job then, didja? Yes, yes there were, and in the case of that job, yeah, you actually were physically managing multiplexers for voice and data across PSTN lines. No fancy cloud, no AI hype — just wires, switches, and nerves of steel. And if you believe the threats today are enough to worry everyone, I will introduce you to the Slammer worm, a beast that hit my network directly.

These days I run my own security company, P J Networks, and have just finished some very high-profile projects for three banks upgrading their zero-trust architectures. I’m fresh home from DefCon and still thinking about the hardware hacking village—watching people take a device down to its guts is always primitive and thrilling.

But enough about me. So let’s discuss some lessons I’ve learned — ones that hopefully have some use for you, whether you’re running a single office or a massive enterprise.

When the Beginnings Matter

In the 90s, networks were simple, but not very robust. The Slammer worm? It invaded every corner of the planet in minutes because the firewall rules of the day were pretty primitive and patch management was wishy-washy. What I recall were frantic efforts to quarantine servers, patch systems manually, and cross my fingers that the phone lines would not become jammed.

The times were a lesson for me: Security is never a set-and-forget proposition. It’s alive and kicking, changing all the time. And everything connected to your network — your policies, your training — needs to keep up, too.

Zero-Trust: More Than a Buzzword

Recently, I guided three banks in adopting and upgrading their zero-trust strategies. Here’s the unvarnished truth that they all had to deal with up front: getting people used to zero-trust as a term means getting past the impression that zero-trust means you don’t trust anyone, ever. But that’s not the point.

Zero-trust is the idea that you verify every device, every user, every connection, all the time. Yes, it is finicky, and yes, it is some up-front effort — but:

  • No more implicit trust based on where you sit on the network.
  • Micro-segmentation cuts down blast radius significantly.
  • Real-time authentication and monitoring detect anomalies early.

Here’s a pet peeve of mine: most companies do zero-trust half-assed because it messes up their old ways of doing business. But neglecting zero-trust is akin to driving a sports car on bald tires — sure, you could make it down the road, but give it a little skid and you’re toast.

Firewalls, Servers, and Routers: Still the Backbone

And for all of you hearing all the hype about cloud-based and AI security solutions (side eye), firewalls, servers, and routers are the backbone of a good security strategy. I don’t use big empty buzzwords when I’m working with clients just to sound impressive. I focus on what works:

  • Properly configured firewalls that understand east-west, and not just north-south.
  • Hardened servers with a small attack surface.
  • Routers that direct traffic rationally.

Do remember, your firewall is kind of the gatekeeper to your fortress. If it’s not properly set up, it’s as if the main gate is hanging wide open, and we just hope that intruders will at least have the decency to knock.

DefCon and the Hardware Hacking Village: So What?

I just returned from DefCon and I’m still processing everything I experienced — especially down at the hardware hacking village. There’s a sort of magic in watching an experienced hacker bypassing physical security, tampering with firmware, and blowing open devices that most people don’t even realize are attack surfaces.

Lesson? Security is not just code or cloud infrastructure. It’s also about the tangible stuff: those routers that are sitting in dust-covered closets in server rooms, the IoT gear collecting dust in your conference rooms, the biometric scanners that ostensibly lock down your office. If you can actually touch it, you can hack it.

Passwords: My Ongoing Rant

The thing I always say about password policies is that plain complexity rules don’t help jack. Seriously: long, user-friendly passwords, passphrases, and two-factor authentication, like, now. Stop asking for wacko symbols and upper-case spam that people write on sticky notes they stick to monitors.

I understand that NIST and all have their recommendations, but I still see companies treating employees to archaic, unnecessary restrictions like it’s 1999. And it never ends well.
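To make the length-over-complexity point concrete, here is an added example (not part of the original post) that runs a legacy complexity rule and a length-first check over the same passwords. The 14-character minimum, the blocklist entries and the sample passwords are constructed assumptions.

```python
import re
import unicodedata

# Constructed sample blocklist; a real deployment would check a large
# breached-password corpus instead.
BLOCKLIST = {"password", "p@ssw0rd1!", "qwerty123", "letmein"}
MIN_LENGTH = 14   # assumed threshold, not a value from the post
MAX_LENGTH = 128  # assumed; generous so passphrases and managers work


def legacy_complexity_ok(pw: str) -> bool:
    """The 1999-style rule: 8+ chars with upper, lower, digit and symbol."""
    return (len(pw) >= 8
            and re.search(r"[A-Z]", pw) is not None
            and re.search(r"[a-z]", pw) is not None
            and re.search(r"\d", pw) is not None
            and re.search(r"[^A-Za-z0-9]", pw) is not None)


def length_first_check(pw: str, username: str = "") -> list:
    """Return the reasons a password is rejected; empty list means accepted."""
    pw = unicodedata.normalize("NFKC", pw)
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    if pw.lower() in BLOCKLIST:
        problems.append("on the known-bad list")
    if username and username.lower() in pw.lower():
        problems.append("contains the username")
    if len(set(pw)) < 5:
        problems.append("too few distinct characters")
    return problems


def compare(pw: str, username: str = "") -> dict:
    """Show how each policy judges the same password."""
    return {"legacy": legacy_complexity_ok(pw),
            "length_first": not length_first_check(pw, username)}


if __name__ == "__main__":
    # Constructed sample passwords
    for sample in ["P@ssw0rd1!", "Summer2024!",
                   "tidy lantern orbits quietly", "aaaaaaaaaaaaaaaaaa"]:
        print(f"{sample!r:32} {compare(sample)}")
```

The short, symbol-laden passwords pass the legacy rule and fail the length-first check, while the four-word passphrase does the opposite.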

Quick Take: What You Should Do Today

If you don’t want to read the entire thing (and hey, I understand, busy folk!), here’s your speedy cheat sheet:

  • Really adopt zero-trust, and take it all the way — not just halfway.
  • Toughen your perimeter defences: firewalls, routers, and servers are your first level of defence.
  • Hardware vulnerabilities cannot be overlooked; physical access is a risk.
  • Rethink your password procedures: emphasise length and 2FA over complexity.
  • Patch always — not just once between worm attacks.

Wrapping It Up: Lessons From the Long Harrowing Haul

After close to 30 years doing this, I’ve learned cybersecurity is as much an exercise in people and process as it is in technology. Sure, tools. But without a culture that truly respects security, it’s just so much wheel-spinning.

SEGMENT LIKE IT’S 2030 AI is the new blockchain, and if your customer profile screams AI-Powered as your most important feature — you might want to take a hard look. There are ways AI can complement your defense, but it can’t yet replace good old, baseline security practices and strong architecture.

I’m still screwing up — a lot of it, believe me. But each stumble is a chance to improve. And that’s the great thing about this medium: keeping readers on their toes, occasionally with a well-placed container of coffee and a gleam in your eye.

Other than that, stay safe out there and actually listen to your security people when they tell you to patch now.
