Lessons from Two Decades in Cybersecurity: Insights from Sanjay Seth

So, here I am (post-third cuppa) at my desk – ready to tell some stories and impart some lessons from my more than two decades of working in cybersecurity. For those of you who don’t know me, I started out as a network admin all the way back in 1993 managing voice and data multiplexers over PSTN lines. Picture those days — no fancy cloud, no AI-driven buzzwords — just pure, physical networking. And yes, I lived to tell about the Slammer worm assault in person — quick, brutal and frankly the nearest thing I’ve seen to a digital heart attack. But that was just the beginning of a saga that’s taken me from patching routers to running my own security company and advising some of the world’s largest banks on reimagining their zero trust infrastructure (hint: it’s not as simple as upgrading a router).

I just returned from DefCon — and the hardware hacking village has me inspired. But more on that later.

Here is the thing about cybersecurity: It is never only about technology. It’s about people and process, and that takes a lot of patience. And sometimes, it’s about acknowledging that you botched it the first time and getting smart quickly.

From Nostalgia Networking to Security Realism

Beginning as a network administrator in the early 1990s gave me a rare vantage point. Those PSTN lines, multiplexers and early voice-data convergence taught us how data moves — and that is still fundamental today. Fast forward to the Slammer worm — 2003, if memory serves — and that was a wake-up call for most every IT professional. Slammer didn’t care about geographical borders or firewalls (especially since a lot of firewalls back then were little more than glorified packet filters). It sped through networks with reckless abandon, leveraging SQL Server vulnerabilities that hadn’t been patched, sending complacent IT teams reeling.

I recall one customer — a bank, no less! — that was taken down for some hours. It was a mess. It made me take proactive security, patch management and, most of all, trust boundaries much more seriously — on the web and everywhere else.

Fast forward to the present and I’ve advised three large banks on modernizing their zero trust architectures, drawing in part on what I learned in those early days: trust no one by default and verify everything.

Zero-Trust Isn’t a Product, It’s an Ideology

If your vendor is selling zero-trust as a readymade product out of the box, run. Seriously.

Zero-trust means:

  • No implicit trust for users or devices.
  • Continuous verification.
  • Micro-segmentation.
  • Least privilege access.

And a million little annoyances and worse in between.

This is what stood out to me when implementing it with those three banks:

  • Legacy systems resist zero-trust like a tired old engine that won’t fire up on a cold morning.
  • Users loathe this kind of continuous authentication, but that’s the deal.
  • AI-enhanced security products? I remain highly skeptical. Most read like a bit of buzzword salad. For now I’ll believe my eyes, logs, and sound design principles above all else.

It was never a matter of flipping a single switch to turn on zero-trust. It was months in the making (and much caffeine). We rewrote policy, redesigned network segments, purchased user behavior analytics and yes, worked endlessly to educate people — because tech is only part of the solution.

DefCon’s Hardware Hacking Village and the Future of Technology

I recently returned from DefCon and am still wired (and not from the caffeine). The hardware hacking village was particularly intriguing – so many things that we trust to be secure aren’t.

It’s like opening a car’s hood, basically. Looks solid? Maybe. But do the wires look old, frayed or intentionally exposed? And for some of those IoT devices, it’s akin to poorly soldered wires; give them a little jiggle and it’s a security nightmare.

Lesson?

  • The importance of hardware security, in an age when billions are being invested in software defenses, cannot be overstated.
  • Embedded systems, firmware — these are typically the attack surfaces hackers have quietly exploited for years.
  • Network segmentation helps. Segment hardware and IoT from core business networks.

It got me thinking about the clients I have who are still running routers and firewalls that are decades old, retrofitted with software layers to add security incrementally, but essentially hardware that was developed before the modern threat landscape exploded.

Password Guidelines: a Rant You Almost Certainly Need

OK, if you know me, you know I have opinions on password policies that turn some people blue.

Here’s my thought: Long passwords are better than complex ones.

  • Complexity rules? Frequently overlooked or sidestepped.
  • Length > complexity all the way. Think passphrases, not a jumble of random characters.
  • And have I mentioned those required password changes every 30 days? That’s only training people to produce predictable alternatives.

Your users are just going to put sticky notes on screens or reuse Password123!, slightly revamped.

Better approach?

  • Enable multi-factor authentication (MFA). This is your true game changer.
  • Teach users about phishing — because no password means anything if users happily hand it to attackers.
  • Use password vaults if possible.

Fast, simple, effective.

Quick Take: What I’d Tell My Younger Self (If I Could)

  • Patch early, patch often. Always know that your perimeter is not enough.
  • The norm will be zero trust. Make peace with the pain — people will loathe parts of it — but it’s better than breaches.
  • Watch those legacy systems. They’re ticking time bombs.
  • Beware the AI hype. Treat it as a tool, not a magic wand.
  • All hardware is an attack surface. And don’t forget physical security.
  • Be a lifelong learner. No one, not even old guys like me, has all the answers.

Final Thoughts — and Some Wise Words (Along With Some Character Flaws of My Own)

If there’s one thing I’ve learned, it’s that information security isn’t about the next shiny firewall, server or router you get. At the center are strategy, discipline and humility. I’ve fucked up — a lot. I’ve been guilty of underestimating worms like Slammer (hey, nobody’s perfect), and yes, sometimes I have a tendency to chase the latest tech buzzwords before returning to fundamentals.

Maintaining your security posture is akin to keeping a vintage car in running order. Sure, you can add new gadgets (a tricked-out stereo, say), but with an old engine and rusty oil, you’ll eventually stall.

So, concentrate on the basics: strong network segmentation, disciplined patch management, zero-trust principles and an eye on hardware vulnerabilities.

I find that exciting — and not only the victories that help protect client data. So when you next hear someone pitch an AI-powered, turnkey security solution you might want to sip your coffee, smile…and ask some tough questions.

Because real security, at the end of the day, is human work that technology can’t replace.

Cheers,
Sanjay Seth
P J Networks Pvt Ltd
