Cybersecurity: 30 Years on the Frontlines and What It Taught Me
I’ve been in this industry a long time — long enough to remember when firewalls were an afterthought and people thought their dog’s name followed by 123 was a strong password. Fast forward to today, and I spend my days helping businesses (mostly banks lately) reimagine their security posture in this new world of zero-trust, nation-state threats, and — ugh — AI-powered everything.
I just returned from DefCon, and I’m still riding high off the Hardware Hacking Village, where I watched people crack open IoT devices like walnuts. And believe me, if watching someone hack a smart door lock with a $10 tool won’t change your mind about physical security, nothing will.
But what I want to discuss today is something a little closer to home: not just real-life lessons from my decades in cybersecurity and what has changed, but equally what hasn’t, and why organisations need to reconsider their defences if they don’t want to be the next headline.
Quick Take — If You Read Only One Thing, Read This
- Zero-trust has become essential. If you’re still relying on perimeter security alone, assume you are already compromised.
- Patch. Your. Systems. Now. Unpatched vulnerabilities? No security framework will help you if attackers can waltz through those.
- AI in cybersecurity? Be skeptical. Machine learning does have its uses, but it’s not some magic bullet (and honestly, half the products calling themselves AI-powered are just fancy scripts).
- Phishing remains the #1 attack vector. Having a million-dollar firewall won’t help one bit if your employee gets hooked by a well-engineered phishing email.
Alright, let’s dig in.
Looking Back: The Good, the Bad and the Ugly
I got my start in networking — back in the early ’90s, when multiplexing voice and data over PSTN was state of the art and firewalls were more of a curiosity than a requirement. Security back then? It was more or less don’t be dumb with passwords and don’t let every freaking system basically telephone the internet.
Then Slammer happened.
The SQL Slammer worm back in 2003 was a wake-up call. It spread quickly through systems, spreading via a Microsoft SQL vulnerability that too many admins (myself included) didn’t patch in time. The entire thing was under 400 bytes, and it caused millions in damages. That’s when it hit me: you can level an enterprise without a big, flashy attack—all it takes is one hole left open.
Fast forward to today and things have grown a little different. Sort of.
The Biggest Lies in Security (and Why Businesses Keep Believing Them)
It’s the myths that keep getting people (and companies) hacked.
- “We have a firewall, so we’re secure.”
Ah, the old “we bought a box, so nothing can touch us” mentality. Firewalls are vital, but they’re not a panacea. If attackers compromise even one endpoint behind your perimeter, those firewalls mean nothing. It’s like locking your front door but leaving the windows open.
- “We do phishing training for employees once a year, so we’re golden.”
Nope. Phishing is getting more sophisticated. Attackers are now using AI-generated emails, social engineering tactics (manipulating individuals into handing over sensitive information), and even deepfake calls. A slide deck once a year doesn’t cut it anymore.
- “We’ll be protected with AI-based security.”
Oh boy. Where do I start? Sure, AI can help with anomaly detection, but it also makes a lot of mistakes — just ask any SOC analyst drowning in a flood of alerts. And of course, attackers are using AI as well. If you believe AI makes you untouchable, you have it backwards.
How Businesses Should Secure Their Networks in 2024
I have been working for the last few months with three banks to transform their entire security model. Here’s what actually works:
- Zero-trust is not a buzzword — it’s a survival strategy.
Forget perimeter security. Treat every connection as suspect until proven otherwise. That means:
  - Strong credentials (MFA is good; hardware tokens are better).
  - Micro-segmentation (one compromised device shouldn’t give an attacker access to the whole network).
  - Least-privilege access (employees only get access to what they actually need).
- Patch. Everything.
I am amazed how many companies still get breached through vulnerabilities that already have patches available. Automate updates wherever you can. If you can’t patch immediately, at least:
  - Isolate vulnerable systems.
  - Watch for exploitation attempts.
  - Understand what is making patching slow, and optimize the process.
- The weakest link is still the human factor.
Phishing is not going away, and no firewall can keep an employee from being fooled by a well-designed email. What helps?
  - Phishing simulations done regularly.
  - Encouraging skepticism. Reward employees who report near misses.
  - Making security usable. If security is too difficult, employees will find ways around it.
- Your supply chain is also a risk vector.
SolarWinds. Okta. Kaseya. If attackers can break into your vendors, they can break into you. Vet your third-party providers:
  - Require them to actually follow security best practices.
  - Monitor their access to your systems.
  - Be prepared for third-party compromises — plan for it.
Why I’m Doubtful of AI-driven Security Tools
AI for cybersecurity can be… complicated. Holy fuck, everyone is slapping AI-powered on everything and treating it as if it’s a performance booster. Reality check:
- All AI models have weaknesses. You still need human analysts.
- Attackers are using AI too: for phishing, for deepfakes, and for evading EDRs, among other things.
- AI security tools require absurd amounts of tuning to avoid flooding the SOC with false positives.
Not that AI is useless — just don’t think of it as some cybersecurity silver bullet.
What I’d Tell My Younger Self About Cybersecurity: Final Thoughts
If I could time-travel back to 1993 and give myself a piece of advice, it would be this:
- Expect everything to go wrong—build for resiliency. Encrypt data. Segment networks. Have backups.
- Delayed patching will come back to bite you; build patching into your process early.
- Security products are not magic — processes and people count more.
- Never underestimate the capacity for human stupidity (or ingenuity, for that matter).
And honestly? I’d also tell myself to buy Bitcoin in 2010, but that’s another story.
Security isn’t only about technology — it’s about behaviors, mindset and preparing for failure. If you’re doing it right, you’re making life difficult for attackers. And that’s the game. Keep them frustrated. Keep adapting. And never, ever take the security of your network for granted.
Now excuse me while I get another coffee.
