
6 things I’ve learned in Cyber Security in the last 5 years

Join our Principal Security Consultant, Alex Lewis, as he reflects on his career in Cyber Security.


Alexander Lewis

Cyber Assessment Services Technical Practice Lead

To celebrate the release of our new LinkedIn Showcase page, I thought I’d take a personal view of what I’ve seen change within Cyber Security in the last 5 years, and how that has applied in my own career. If you’re reading this, you likely don’t need me to tell you that 5 years is an absolute age of progression within cyber security, but I really do believe these lessons have stood the test of time. Anyhow, enough introduction, let’s get right into it:


1. The Fearmongering Narrative Doesn’t Work.

This, for me, is one of the most crucial tenets I now teach when training new networking and security executives. Whilst the fear and inevitability of a cyber attack seems, to your run-of-the-mill security provider, to be the path of least resistance, it is, in my opinion, lazy marketing at best. Serious organisations don’t respond well to the inducement of FUD (fear, uncertainty and doubt), and to be taken seriously as a cyber security professional you need to look beyond it. Taking a pragmatic, risk-led approach that accounts for and embraces the concept of appropriate risk acceptance will be inordinately more useful than one-pagers of teenagers in hoodies sat by a laptop.

2. Authentication Gets the Airtime, But Identity is the Real Star.

The importance authentication plays in security shouldn’t be a secret, but I’ve sadly seen many a security breach occur that could’ve been wholly prevented by simply enforcing multi-factor authentication (MFA). The press coverage this solution gets is huge, and rightly so, but what isn’t covered enough is the power behind identity and access management (IAM). Whilst strong authentication serves to prevent malicious logins, IAM enables organisations to easily enforce some seriously mature security principles, such as least privilege, access based on need to know, and conditional risk-based access. Whilst it is by no means as simple as rolling out MFA, for me, it returns a much greater reward.

3. Don’t Think ‘What If’ But ‘When’

Whilst this one might feel at odds with number one, hear me out. The organisations we see most often succeed in mitigating a cyber incident are not those who spend the most on security, or even those who employ the largest number of dedicated cyber staff, but those who are most prepared. Treat a cyber incident like a fire, or a first aid incident, and run drills; know what you need in your ‘first aid kit’ for cyber, and do this repeatedly. Within the first 60 minutes of an incident it becomes plain as day whether you have a well-rehearsed and reliable incident response process, a dust-covered document that’s never been tested, or no plan at all. The best part is that it is seriously cheap to do, so, just like business continuity tests, these should be worked into a regular programme of drills.

4. The Senior Security Manager Role is Changing

The role of a security manager (Security Director, CISO, etc.) is becoming a hybrid of what it used to be. Whilst the management of people, process and technology is very much still part of the job description, so too are newer concepts, such as service providers/SLAs and supply chain management. Taking my previous point into account, one of my favourite curveballs to throw at a reasonably well-prepared incident response team is to workshop a supply chain compromise and see how well the plan still applies when the breach is indirect. Ensuring breach notification is within contractual obligations for any service or supplier is just one example of the change in pace here.

5. There’s No Substitute for Good Old-Fashioned Housekeeping

This area of security often gets branded as boring or monotonous, but it still returns the biggest peace of mind for security-serious businesses. The ‘good housekeeping’ of cyber is all about answering the basic questions every organisation should know:

  • What hardware is running in the organisation?
  • What software is running in the organisation?
  • Is that software/hardware up to date?
  • What vulnerabilities exist within the organisation?
  • What permissions do users have?
  • How secure is the default configuration of all hardware/software?

Whilst it’s all too easy for me to sit here and write these questions, it takes a balance of people, process, technology and services to really get this right. But as I mentioned in my second point, whilst MFA is one of the more common things that could’ve prevented a security incident, so too is good practice in the above. It’s a lot harder to compromise organisations that have their assets locked down, with no privileges beyond those explicitly required, and that are securely configured and kept up to date.

6. You’re Doing Great; Keep Going.

I’ve left this point to last as I wanted to highlight it as being one of the most important. There will always be another threat actor, attack vector or vulnerability being exploited in the wild, and it’s easy to feel like you’re losing the battle. What has been the greatest learning in the past five years for me, and what directly supports the first point in this article, is the following three statements:

  1. Organisations are aware of cyber, they understand the impact of an incident, and are actively addressing it.
  2. By and large, customers are doing what they can with the resources and support currently available to them.
  3. There is more positive support within cyber defenders than ever before.

I don’t know about you, but it’s those three points that make me proud to be in the role, organisation, and industry I’m in. If any of my learnings has resonated with you, feel free to check out more content on our LinkedIn page.