
Making Cybersecurity Boring Again: Why Simplicity and Consistency Are Key to Effective Defense

Written by Martin McGregor | Feb 14, 2025 12:55:45 PM


I’ve dedicated my career to a single mission: building the world’s best cyber defense solutions for organizations. And it’s been a lot of fun. Starting back in the late nineties, I’ve been in the trenches of cybersecurity, tackling everything from DDoS attacks and network intrusions to application exploits, identity theft, fraud, and social engineering. I’ve worked as a penetration tester, security architect, CISO, vendor, and almost everything in between, across industries like banking, gaming and critical infrastructure. My journey has been about constructing defenses that are not just effective but built on solid, pragmatic principles. Making a real difference is what matters most to me.

That’s why at Devicie, we’ve made it our mission to help organizations protect themselves efficiently and effectively. We focus on building defenses that are appropriate, grounded in proven principles, and tailored to each organization’s unique context to ensure our customers can be as productive as possible. 

One thing I’ve learned over the years is that there’s no magic bullet in cybersecurity. There’s no single solution that will make your organization – or our customers - impervious to attacks. Instead, it’s about adopting a comprehensive approach that leverages a multitude of mechanisms, tools, and frameworks. However, over and over in my career, I have seen the baby thrown out with the bathwater as sound principles become “old-fashioned” and considered redundant because of some new “next generation” capability. This often leads customers to overinvest in a new strategy and ignore fundamentals that are crucial for a comprehensive cybersecurity defensive strategy. 

So, for most organizations I deal with, it’s all about making cybersecurity, well, boring again. 

The Illusion of the Silver Bullet 

Too often, I see organizations chasing the latest shiny object—a new software, a cutting-edge tool, or a fancy service that promises to solve all their challenges. Vendors come in with grand promises and slick marketing, and it’s easy to get swept up in the hype. But relying on a single solution is a risky gamble. Security isn’t about that one smart thing: it’s about many things working together cohesively. 

Navigating Fads and the AI Hype 

This brings me to the current technology everyone’s talking about: so-called “Artificial Intelligence”. Just like previous trends (the internet boom, the social media explosion), AI is being touted as the next big thing that’s going to change everything. Every cyber company now claims to have AI capabilities to stay relevant. But let’s cut through the noise.

When new technologies emerge, there’s usually a lot of chatter. Some of it comes from people who know what they’re talking about, and a lot comes from those who don’t. Navigating this landscape is tricky for organizations trying to make informed decisions. 

There’s an overweighting of the potential of AI to defend organizations against cyber-attacks. AI isn’t a silver bullet. Rather than looking at AI as a magic solution, we should see it as a tool to help us achieve what we already know is necessary and often difficult to accomplish. 

The real opportunity with AI is in helping us deal with our biases and automating tasks that are cumbersome or prone to human error. But we need to be cautious. There’s a common bias, especially among the public, that the new thing is always better. However, in my experience, the opposite is almost always true. Things improve over time through continuous testing and refinement. The more something is used and proven, the more reliable and valuable it becomes. 

In the context of cybersecurity defense, disregarding tried-and-true methods in favor of the latest fad can get you into trouble. Understanding our biases, even after decades in the field, helps cybersecurity practitioners build comprehensive defenses. We need to recognize our limitations and rely on established frameworks and mechanisms to guide us. 


Risk-Based Principles: The Cornerstone of Effective Security 

One of the most crucial aspects of cybersecurity is prioritization. We must focus on what matters most to our organizations, partners, regulators and customers, and that means using risk-based principles. Yet I find that many organizations either poorly maintain their risk registers or don’t have one at all. Without a proper risk assessment, how can we prioritize our efforts effectively?

Frameworks like the CIS Top 18 Controls and Australia’s Essential Eight provide a solid foundation. They’re not bureaucratic checklists; they’re collections of best practices informed by a community of professionals, security researchers, and organizations. By adhering to these frameworks, we address gaps in our knowledge, remove marketing fluff from the equation, and focus on what truly reduces risk in the most economical and time-efficient way. 

Compliance Isn’t a Dirty Word 

In my career, I’ve often heard peers criticize compliance. They argue that it’s resource heavy to implement, merely a box-ticking exercise, or too rigid to keep up with evolving threats. I couldn’t disagree more, and increasingly I’m becoming a voice of contention against these claims because such criticisms are not helping anyone but software vendors. Compliance means adhering to a standard and measuring yourself against it. It provides a common language, a way to communicate effectively with stakeholders, partners, and customers. 

Standards like ISO 27001 and PCI DSS aren’t about stifling innovation; they’re about ensuring that we’ve covered all bases. They help us identify areas we might overlook, like disaster recovery and backup strategies, which are critical components of a comprehensive defense. By using these standards, we avoid reinventing the wheel and ensure we’re not susceptible to our own biases or gaps in knowledge. 

Moreover, compliance frameworks often include mechanisms like the Statement of Applicability in ISO 27001 or Cardholder Data Environment (CDE) scoping in PCI DSS, which allow businesses to tailor the standards to their specific needs. This flexibility ensures that compliance is relevant and adds value, rather than being a mere box-ticking exercise.

Automation: The Power of Hyper-Automation 

At Devicie, we’ve embraced the concept of hyper-automation. We’re automating tasks that are typically manual, error-prone, or overlooked. This isn’t about replacing people; it’s about enhancing efficiency and effectiveness of our people in tackling these challenges. 

For example: 

Local Admin Management: Automating the control of administrative privileges across all devices, so that day-to-day users run without local administrator rights. This reduces the risk of insider threats or accidental misuse, and it is a powerful tool for limiting the impact of ransomware such as CryptoLocker: malware running as a standard user cannot install drivers, tamper with security tooling, or delete volume shadow copies the way it can when the user is a local administrator.

Patching and Updates: Orchestrating patch deployment, scheduling, and rollbacks with automated change management, so that operating systems, applications, and their native security capabilities stay current without disrupting business operations.

Application Management: Automating the packaging and deployment of applications, ensuring consistent, known versions across the fleet and reducing exploitable vulnerabilities.

Security Baselines: Enforcing security configurations from published benchmarks such as the CIS Benchmarks, ensuring that devices leverage native security capabilities effectively and that configuration drift is detected and corrected.

By automating these facets, we’re not just ticking boxes; we’re building robust defenses that are constantly maintained and updated. It’s about doing the mundane tasks exceptionally well because that’s where security often fails. 

Continuous Effort Is Key 

Building defenses is like building a fence around a farm. It’s a lot of work, and it must surround the entire perimeter. If even a small part is damaged or falls, the whole mechanism becomes ineffective. An attacker only needs to find one gap to breach your defenses. 

Similarly, maintaining security isn’t a one-time effort. It requires constant visibility, improvement, and attention. Think of the Sydney Harbour Bridge painters who start at one end, and by the time they’ve reached the other, it’s time to start again. It only takes a small crack for rust to set in and potentially compromise the whole structure. Security is much the same; it’s an ongoing process that demands diligence. 

Native Security Capabilities 

An often overlooked yet critical aspect of cybersecurity defenses is native security—the capabilities you’ve already paid for and that are readily available within your existing software, platforms and operating systems. This topic doesn’t get much attention, primarily because most discussions about defenses are driven by vendors promoting their own solutions. In my view, native security is where we should all start; that’s where our focus should be first. Frameworks and security benchmarks facilitate this approach by guiding us to leverage these built-in features effectively. They’re not about selecting a tool that allows us to sidestep the necessary groundwork. In fact, without addressing the foundational elements I’ve mentioned earlier, we shouldn’t move on to fancy software solutions. We need to utilize the security capabilities already embedded in the products we use. Native security means taking the time to consider these built-in features in our design and solution planning and building the capability to manage them effectively. To achieve this, automation and AI can be valuable tools to help us implement and maintain these native security measures. 

Focusing on the Real Risks 

One of the biggest issues I see is misdirected budgets. Too much is spent on concerns that aren’t the most pressing threats. For example, phishing, and the ransomware it so often delivers, are by far the most common threats targeting end-user devices, the laptops and desktops used by our employees, staff, students, teachers, doctors, and nurses. Yet I see little attention and budget allocated to securing those devices properly.

Instead, there’s an overwhelming tendency to buy fancy software solutions that vendors over-promise on, without any solid data to support the risk reduction they claim to offer. This approach erodes trust between cybersecurity professionals and organizations because, at the end of the day, if our defenses aren’t effective, the proof is in the pudding. 

The Value of Experience and Collective Intelligence 

At Devicie, we’ve built our solutions on years of experience, research, and dedication. We’re big advocates for pragmatic, risk-based principles and the comprehensive application of frameworks like CIS and the Essential Eight. Our teams consist of security-minded, deeply experienced professionals who are passionate about what they do. 

We’ve also ensured that our defenses are compliant with international standards like ISO 27001, PCI DSS, and various industry-specific regulations. This isn’t just about ticking compliance boxes; it’s about leveraging collective intelligence and best practices to build defenses that work. 

If existing frameworks or benchmarks aren’t meeting our needs, the solution isn’t to tear them down with criticism but to actively participate in making them better. The challenges we face as cybersecurity professionals are immense, and our resources are often limited. Let’s not dismantle the tools we have; instead, let’s strengthen them. If you identify shortcomings in these standards, consider becoming a contributor. That’s one of their greatest benefits: we can shape and enhance them through our collective experiences. Organizations like the Center for Internet Security (CIS) welcome input from professionals in the field, allowing us to improve these frameworks so they become more effective and reliable for everyone.

Example: Prioritizing the Basics with the CIS Top 18 Controls 

The CIS Critical Security Controls (version 8 has 18 of them, which is why they are often called the CIS Top 18) are a prioritized set of cybersecurity measures, numbered 1 to 18 in the order CIS recommends tackling them and grouped into Implementation Groups (IG1 to IG3) so that even a small organization knows which safeguards come first. That prioritization is based on real-world incident data, exposure, feedback, and continuous improvement from the cybersecurity community, and it tells us where to focus first for the greatest impact. Interestingly, when I discuss this with clients, their intuition often doesn’t align with these priorities. The first two controls are inventory and control of assets: Control 1 covers enterprise assets (devices, servers, cloud instances) and Control 2 covers the software that runs on them. Knowing what belongs to your organization and having visibility into it is paramount. Without that knowledge it’s impossible to defend your assets effectively, protect critical software, or make informed decisions about what should or shouldn’t have access to your environment.

Conversely, many clients initially request services like penetration testing, believing it to be the most critical step in securing their systems. Yet penetration testing is Control 18, the last of the CIS Controls. The reason is that, from a defender’s or an attacker’s perspective, if you haven’t addressed the foundational controls your weaknesses are already evident; a test will simply confirm them. Without an inventory of assets and software, an attacker can introduce a rogue device or unapproved software into your environment without anyone noticing that it doesn’t belong. Penetration testing becomes truly effective only after you’ve implemented the preceding controls to the best of your ability, when it validates those controls rather than rediscovering their absence. Yet organizations often allocate the largest share of their cybersecurity budget to penetration testing, overlooking the more impactful basic measures. This misalignment is partly due to media portrayals of hackers as external adversaries, which bias spending toward “find the hacker” exercises. The CIS ordering reflects the opposite lesson: foundational practices such as asset inventory, data protection (Control 3), and secure configuration of enterprise assets and software (Control 4) yield far more effective security outcomes.
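As an added illustration of what Controls 1 and 2 actually ask for (this is example code written for this page, not Devicie’s product or any CIS tooling), the script below reconciles an authorized asset inventory and a software allow-list against what the network and endpoint agents report. The device names, MAC addresses, timestamps and software names are constructed; in practice the observations would come from DHCP leases, an MDM or EDR agent export, or a network scan. It surfaces exactly the gap described above: a device nobody authorized, software nobody approved, an authorized device that has gone quiet, and an authorized device that has never been seen at all.

```python
"""Reconcile observed endpoints and software against authorized inventories.

Added example for CIS Controls 1 (enterprise assets) and 2 (software).
Not code from the original article, Devicie, or CIS; every device, MAC,
timestamp and software name below is constructed sample data.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed authorized asset inventory (CIS Control 1), keyed by MAC address.
AUTHORIZED_ASSETS = {
    "AA:BB:CC:00:00:01": {"hostname": "fin-laptop-01", "owner": "finance"},
    "AA:BB:CC:00:00:02": {"hostname": "hr-desktop-03", "owner": "hr"},
    "AA:BB:CC:00:00:03": {"hostname": "ops-laptop-07", "owner": "ops"},
}

# Constructed software allow-list (CIS Control 2), lower-cased product names.
AUTHORIZED_SOFTWARE = {"microsoft office", "google chrome", "7-zip", "zoom"}

# Constructed observations, as an endpoint agent or DHCP export might report them.
OBSERVED = [
    {"mac": "aa:bb:cc:00:00:01", "hostname": "fin-laptop-01",
     "last_seen": "2025-02-14T09:12:00+00:00",
     "software": ["Microsoft Office", "Google Chrome", "7-Zip"]},
    {"mac": "AA:BB:CC:00:00:02", "hostname": "hr-desktop-03",
     "last_seen": "2025-01-03T17:40:00+00:00",        # silent for weeks
     "software": ["Microsoft Office", "AnyDesk"]},    # AnyDesk is not approved
    {"mac": "DE:AD:BE:EF:00:99", "hostname": "raspberrypi",
     "last_seen": "2025-02-14T08:55:00+00:00",
     "software": []},                                 # nobody authorized this box
]


@dataclass
class Findings:
    unknown_devices: list = field(default_factory=list)      # MACs seen, not authorized
    missing_devices: list = field(default_factory=list)      # authorized, never observed
    stale_devices: list = field(default_factory=list)        # authorized, not seen recently
    unapproved_software: list = field(default_factory=list)  # (hostname, product)


def reconcile(authorized_assets, authorized_software, observed, now, stale_after_days=30):
    """Compare observations with the authorized inventories and return the gaps."""
    findings = Findings()
    seen = set()
    for obs in observed:
        mac = obs["mac"].upper()  # normalise; exports differ in letter case
        seen.add(mac)
        if mac not in authorized_assets:
            # A hostname is self-reported, so record the MAC the network
            # observed rather than whatever the device calls itself.
            findings.unknown_devices.append(mac)
            continue
        host = authorized_assets[mac]["hostname"]
        last_seen = datetime.fromisoformat(obs["last_seen"])
        if now - last_seen > timedelta(days=stale_after_days):
            findings.stale_devices.append(host)
        for product in obs["software"]:
            if product.lower() not in authorized_software:
                findings.unapproved_software.append((host, product))
    for mac, info in authorized_assets.items():
        if mac not in seen:
            findings.missing_devices.append(info["hostname"])
    return findings


def run_example(now=datetime(2025, 2, 14, 12, 0, tzinfo=timezone.utc)):
    """Reconcile the constructed sample data as of a fixed point in time."""
    return reconcile(AUTHORIZED_ASSETS, AUTHORIZED_SOFTWARE, OBSERVED, now)


if __name__ == "__main__":
    result = run_example()
    for label, items in vars(result).items():
        print(f"{label}: {items or 'none'}")
```

Run as a scheduled job, each finding becomes a ticket: the unknown device gets isolated or enrolled, the unapproved software gets removed or added to the allow-list after review, the silent device gets chased, and the never-seen device gets confirmed as decommissioned or located. Once that loop runs continuously, a penetration tester has far less to find.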

In Defense of the Essential Eight 

One of the criticisms I often hear about the Essential Eight is that it’s heavily focused on end-user devices, and Windows in particular, seemingly leaving out areas like cloud configuration and macOS. That focus is deliberate: the ASD itself states that the Essential Eight was designed for Microsoft Windows-based, internet-connected networks, because it is based on research into the real-world threats that most often cause significant damage to organizations. The reality is that most cyber-attacks target Windows devices used by end-users. While the Essential Eight offers some coverage for other assets, the emphasis is rightly on protecting end-user devices, especially Windows, because that’s where the threats are most prevalent. If fewer cyber-attacks target end-users on macOS, then it makes sense to allocate resources accordingly. Again, prioritization means focusing time and money where it will have the greatest impact.

If most attacks aren’t coming through our front door, the websites hosted in cloud environments that we’ve meticulously secured, but are instead going straight to our end-users working from home, then failing to prioritize accordingly is a significant oversight. This is why frameworks like the Essential Eight are so crucial. I was first introduced to what was then the ASD’s Top Four, the precursor to the Essential Eight, during a SANS course taught by an American specialist in digital forensics many years ago. The Essential Eight is the priority subset of the Australian Signals Directorate’s Strategies to Mitigate Cyber Security Incidents, which sit alongside the ASD’s Information Security Manual (ISM), a comprehensive and invaluable resource that Australia provides to the world. It encapsulates the most important security measures we can adopt, distilled from extensive research and a vast library of cybersecurity knowledge. The Essential Eight is designed to make the job of securing our systems easier, and that’s why I’m a strong advocate for it. We provide the Essential Eight guidance to our customers, even international ones, because it’s the same internet everywhere, and we’re all exposed to the same threats.

Making Security Boring Again 

So, why do I advocate for making security boring again? Because security shouldn’t be about the latest buzzwords or flashy solutions. It should be about doing the basics exceptionally well. It’s about consistent, methodical efforts that, while they might seem mundane, are incredibly effective. 

Security should be an integral part of business operations, not an afterthought or a glamour project. Nor should it be “security theatre,” as some of my peers like to call it. By focusing on the fundamentals—risk assessment, compliance, automating the mundane, and continuous improvement—we build defenses that are robust and resilient. 

Conclusion 

In the end, cybersecurity is a continuous journey, not a destination. It’s about making informed decisions, prioritizing effectively, and not getting distracted by the latest fads. It’s about standing up for the boring but essential principles like risk management and compliance.

Let’s embrace the boring. Let’s focus on what works, based on research, experience, and proven methodologies. Let’s make security an integral, unobtrusive part of our organizations, so we can concentrate on what we do best: delivering time-saving value, innovative products, and great service.