30 Years in Cybersecurity: From PSTN to Zero Trust Architectures

It’s late morning here at my desk — third coffee kicking in — and I thought this would be a good chance to write down a few thoughts from 30 years in cybersecurity. Yeah, this makes me sound old — maybe I am — but hear me out. I began as a network admin in 1993, when PSTN reigned supreme and multiplexing voice and data across that copper wire was about as high-tech as we got. I saw the chaos up close when the Slammer worm hit in 2003. It took down entire networks overnight. It felt like being pounded by a Category 5 hurricane, but of data.

Today, I’m the director of my own security consultancy — P J Networks Pvt Ltd — as well as an assistant director and co-founder at Bo_Eh_Lin, based in Nay Pyi Taw, Myanmar; and earlier this year, I assisted three banks with re-implementing their zero-trust architecture. Besides, I just returned from DefCon and am still riding a hardware hacking village buzz. But let’s step back a bit — if you bear with me, I’ll do my best to weave these real-world stories together into some useful takeaways.

From PSTN to Zero Trust: Oh, the Times, They Are a-Changin’ – I’ve Witnessed the Journey

At the start, the major concerns were physical — cabling errors, mux failures, or plain simple hardware glitches. Network security meant firewalls that dropped unauthorized packets, and it was a much simpler world back then. Slammer changed that overnight. Suddenly we had ultrafast, indiscriminate worms preying on vulnerabilities no one had thought particularly important. And it taught me a powerful lesson: if you don’t play aggressively, you’re already dead.

Fast forward to the present, and most businesses are still nibbling around the edges, thinking perimeter firewalls are going to bail them out. Spoiler alert: that is the equivalent of putting a lock on the front door but leaving the back window wide open. Zero-trust architectures are the future — and frankly, what should have been the present many years ago.

The Banks’ Zero-Trust Evolution: A Use Case

I’ve recently been hired by three banks — all old-fashioned, heavily regulated banks — to enhance their cybersecurity. Here’s the quick rundown:

  • Located all sensitive assets (think customer records, payment systems, internal communications).
  • Mapped trust boundaries — this is where a ton of companies get this wrong. You can’t just slap on a firewall and be done with it.
  • Aggressive microsegmentation (where no system or user should be implicitly trusted).
  • Rolled out rigorous multi-factor authentication (MFA) practices.
  • AI-enhanced monitoring (well, kind of—I’m skeptical of anything claiming to be “AI powered” but it does provide some value).

What did surprise me — frankly — was the number of legacy systems still getting by on weak password policies. And I’m not talking about merely mediocre password practices; I mean passwords that a script kiddie could guess. I ranted at one of the workshops about how insane it is that we are still enforcing password changes every 30 days. Here’s the thing: forced frequent changes quickly lead to predictable patterns and lousy security. Better to turn on MFA and employ long, unique passphrases. But that’s a rant for another time.
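To make the rotation point concrete, here is an added example (not from the original post or from the banks' systems) of a check run at password-change time: it flags a new password that is just the old one with its counter or year bumped, and asks for length plus MFA instead. The 16-character floor, the function names and the sample passwords are assumptions constructed for illustration.

```python
import re

MIN_LENGTH = 16  # assumed passphrase floor, not a figure from the post


def stem(password: str) -> str:
    """Lowercase, then drop leading/trailing digits and symbols,
    the parts users tend to bump on a forced change."""
    return re.sub(r"^[\W\d_]+|[\W\d_]+$", "", password.lower())


def is_predictable_rotation(old: str, new: str) -> bool:
    """True when the new password is the old one with only its
    counter, year or punctuation changed."""
    return stem(old) == stem(new)


def review_change(old: str, new: str, mfa_enrolled: bool) -> list[str]:
    """Return policy findings for one password change; empty means accept."""
    findings = []
    if is_predictable_rotation(old, new):
        findings.append("predictable-rotation")
    if len(new) < MIN_LENGTH:
        findings.append("too-short")
    if not mfa_enrolled:
        findings.append("mfa-missing")
    return findings


# Constructed sample changes: (old, new, mfa_enrolled)
SAMPLES = [
    ("Summer2023!", "Summer2024!", False),
    ("Winter#01", "winter#02", True),
    ("Summer2023!", "correct horse battery staple", True),
]

if __name__ == "__main__":
    for old, new, mfa in SAMPLES:
        print(f"{old!r} -> {new!r}: {review_change(old, new, mfa) or 'accept'}")
```

The comparison needs both values in memory at change time; it does not require storing old passwords in recoverable form.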

Learnings from DefCon—Hardware Hacking and Why This is Relevant for Your Business

Last year’s DefCon was absolutely crazy, this year’s was insane, and what happened in the hardware hacking village took the cake. People were hacking into routers, embedded systems, and internet of things devices — illustrating how many weaknesses remain lurking in the shadows. Remember when a router was simply a thing that directed traffic from one network to another? Now it’s more or less a mini-computer, subject to much less security scrutiny.

Why should you care? Because I’ve found that attackers are leveraging these entry points to get around traditional network defenses. What’s vulnerable is not just the software that you patch, but the hardware and firmware as well. That’s why the advice I give to businesses (and particularly to banks) is:

  • Don’t ignore hardware security. Regular firmware updates, secure boot mechanisms, and physical access controls are not optional.
  • Test your hardware as you would any new software. Penetration tests are no longer just for web apps.

A Quick Take for Busy Executives

  • Password policies that require changes regularly? They’re outdated and often counterproductive.
  • Zero-trust isn’t just jargon; it is a necessity. Quit using your firewall as a magic umbrella.
  • Hardware counts — yes, even that dusty router in the server room.
  • AI-powered solutions? Tread judiciously, don’t simply believe the marketing hype.
  • Real-time monitoring and segmentation rescue networks during an attack.

Lessons from the Trenches

I’ve certainly made my share of mistakes — once I trusted a vendor’s security posture, didn’t dig into their practices, and then felt the pain of it when a years-old remote compromise hit home. But each incident sharpened my tactics:

  • Don’t assume anything is secure by default.
  • Adopt an assume-breach mentality — prepare as if you are already breached.
  • Educate your teams — not just IT but across the business. The majority of breaches begin with phishing and human error.

Personal Quirks: The Reason I Italicize Too Much and Complain About Passwords

You may have noticed I’m a little prone to overuse of italics when trying to drive a point home — sort of my sneaky way to emphasize the right things without coming across as preachy. Oh, and then there are the password policies, which are just a little bit nuts — personally, I’ve always thought companies need to stop treating passwords like secret handshakes that are complex enough to open a safe. Instead, work on usability and robust multi-factor authentication. End of rant.

And analogies? Here’s one: Cybersecurity is like taking care of a classic car. You may get to polish the paint, upgrade the stereo, slap on the fancy rims — but if the engine isn’t sound and you don’t check under the hood every so often, you’re gonna end up on the side of the road. This is true for cybersecurity, too — sexy buzzwords aren’t going to fix outdated infrastructure or lazy habits.

So, What Does This All Mean for Your Business?

If you are in business and reading this, here is my no-nonsense advice:

  • Evaluate your network architecture. Do you trust what’s inside your perimeter? If yes, time to rethink.
  • Segment, monitor, and authenticate. Do not grant your users or devices more access than is absolutely required.
  • Patch and update everything — even your hardware firmware. Do not treat your devices as you would an appliance.
  • Train your staff. People are your weakest link but also your first line of defense.
  • Be skeptical. That shiny AI-powered solution? Ask how it works — not what it purports to do.

Closing Thoughts

It’s been a leap — from watching those fuzzy multiplexers to administering modern zero-trust frameworks for some of the largest banks. I’m optimistic but cautious. And cybersecurity is not just a checklist or a product you buy; it is a continuous discipline, a mindset.

And although I’m still high on the most recent round of conferences and hacking villages, I understand why many companies feel underwater. The secret is not to get caught up in every new trend but to build a strong foundation on what actually works and is proven.

So pour yourself a cup of coffee (or a third shot of espresso, if you’re like me), and ask yourself: how much do I truly know about what’s happening inside my network?

Keep in mind: Security is never perfect, but it has to be proactive. Because once you’re breached? A second cup is too late.
