Why I’m Writing This
For the past few months, I’ve been writing more formal internal analysis pieces – breaking down incidents I see in threat intel feeds, public breach notifications, security news that crosses my desk. Nothing fancy, just trying to make sense of what I’m seeing and share it with my management team, my immediate team, and IT peers. Maybe a few others who want to read along.
It started simple enough. I’d see an incident, write up what it meant for my company or our sector, what patterns I was recognizing. I’m technical – I speak technical – but I’m not exactly what you’d call a polished writer. About two years ago, I started using AI as a universal translator of sorts. I’d write something, then ask it to help me convert the technical bits for non-technical business people. Game changer.
But here’s the thing – I spend more time checking AI output than most people realize. I read, re-read, make sure my actual message is still there. Too many people just hit send on whatever the AI spits out. Me? I’m making sure it’s saying what I want, how I want it said. AI helps me get what’s in my brain into better words, but the thinking – that’s still mine. Most of my emails get a once-over now for flow, clarity – did I actually answer the question I was asked, or did I just dump technical details and assume people would connect the dots? The analysis pieces got deeper. Started connecting more dots between incidents.
About a year and a half ago, one of my staff pulled me aside and said I should be teaching this stuff – even suggested a platform for it. This wasn’t the first time I’d heard this – a few years earlier, another colleague had urged me to start teaching. A theme was developing. This latest suggestion came after he’d gone through Northwestern’s cyber bootcamp, so him asking me to teach wasn’t just enthusiasm – he’d seen the difference between academic frameworks and the real-world implementation of practical infosec I’d developed over the years.
Me? A teacher? Recording various topics and having people pay me to learn real world practical implemented security? I wasn’t so sure. I’ve thought about it – hell, I’ve tried TikTok, tried YouTube for various side projects or for fun. I’ve learned that’s just not my medium right now. I know I’d overthink every word, re-record the same three-minute snippet ten times. But that conversation was the seed that ultimately sprouted into this.
But it got me thinking about something else. The patterns I keep seeing – they’re not just credit union problems. Hell, I’ve been around long enough to see them everywhere, and from different angles.
How I Ended Up Here
Started out on a help desk at UPS back in Chicago when I was just a kid. Worked my way through networking, server support, end user support at IBM, Sears Holdings, picked up some coding along the way. I was all over the place – big companies, small companies, different roles. Ten years into my career, I’m sitting there thinking “what do I want to be when I grow up?”
That’s when a recruiter called. After looking at my background, he said something like “You’ve done a lot – help desk, networking, servers, end user support. You have a very diverse background. Have you ever thought about information security?”
Information security? Honestly, it hadn’t really crossed my mind as a career path. But that conversation was the start of falling down a rabbit hole I’ve never been able to climb out of – not that I’d want to.
So I jumped in. Medium-sized property management company first, learning the ropes. Then back to Sears for a few years – and let me tell you, that was an education. Three breach investigations, exposure to governance, SecOps, incident response, analysis. Lot of battle scars from that place. Then ten years ago, I moved out here to the farm and got into financial services for the first time.
To be honest, I was taken aback when I first got into financial services. The diversity of maturity blew me away – and actually made me feel pretty good about where we’d gotten to in retail. The big guys were well-funded with diverse security teams, but the smaller institutions were just trying to nail down the basics. And the vendors? I couldn’t believe how archaic their methodology and practices were.
Fast forward nine years, and there’s been steady improvement sector-wide. But now we’ve got ransomware holding people hostage, ransomware disguised as a middle finger after data exfiltration. To a degree, some of this reminds me of the beginning of the retail siege – it’s just different in some minor ways.
Same fundamental problems, though. Different scale, different consequences, but the patterns? Identical.
The Patterns That Won’t Break
And that’s what finally pushed me from writing internal analysis to putting this stuff out there. Because here’s what I keep coming back to: I’m tired of watching the same fundamental failures repeat across different organizations and timeframes.
I know that sounds harsh, but I’ve been in security for about 15 years now – since 2009. I’ve managed breaches, sat through regulatory examinations that would make your hair curl, and had more vendor calls than I care to count. And you know what I keep seeing?
The same patterns. The same failures. The same excuses.
Take the CloudFlare outage a few months back. Great incident response, right? Some companies had backup plans, rerouted traffic, and got back online fast. Everyone patted themselves on the back for their business continuity planning. But I’m sitting here thinking – wait a minute. CloudFlare isn’t just a CDN for a lot of these companies. They provide WAF protection, DDoS mitigation, all sorts of security controls. Did the companies who could bypass CloudFlare actually think about what they just turned off?
I wouldn’t be surprised if in a few months we see a breach notification here or there, and if there’s enough information released and we dig into it, it could stem from prioritizing getting back online over thinking through the security implications. Because I’ve seen this movie before.
Here’s the thing – whether you’re at a credit union, a manufacturing company, or a mid-size retailer, you’re not Amazon or Microsoft. Most organizations don’t have unlimited budgets or teams of security engineers. When something goes wrong, it’s usually a small team trying to figure it out while keeping the business running. Different budgets, different management priorities, different regulatory requirements – or sometimes no regulatory obligations at all. But the same fundamental challenge: making security decisions with limited resources. And I’m guessing that’s a lot more common than the industry wants to admit.
I can look at a proposed integration and see the Target data breach waiting to happen, just at a slightly different scale, but the basics are there. Not because I’m smarter than anyone else, but because I’ve been through the aftermath when they go wrong. I’ve seen vendors with network access that would make your head spin – and yeah, sometimes it’s literally HVAC vendors. Same industry, same access patterns, same blind spots that got Target in trouble back in 2013.
And here’s what really gets me: we, as security practitioners, all read about Target. We all said “lessons learned.” We updated our vendor management policies, required network segmentation, implemented better monitoring. But that only happens if you have the support of the business, the budget, and you’re not hyperfocused on immediate needs. Unfortunately, that last one is what I believe is why we’re still seeing the exact same attack patterns work.
When “Secure” Vendors Aren’t
I’ve sat in calls with vendors – you know, those companies that are supposed to be more secure than yours because they’re Software as a Service, better funded, because they’re “cloud native” and “built with security from the ground up.” The due diligence paperwork looks ok, the SOC 2 looks comprehensive, talking about all their controls and compliance frameworks.
Then you get to the interactive technical questions, and sometimes the answers contradict what they gave in the due diligence materials. Not minor discrepancies – fundamental differences in how they actually handle data encryption and access controls. I’ve heard everything from “we’re working toward that” to one memorable explanation that it was “aspirational.”
Aspirational. Like security controls are a vision board.
That’s when it hit me – we’re not just seeing the same technical patterns repeat. We’re seeing the same thinking patterns repeat. The same willingness to prioritize compliance theater over actual security. The same assumption that if you check the right boxes, you’re protected.
And the security industry isn’t helping. Most of the content out there is either theoretical frameworks that assume unlimited budgets, or vendor-sponsored thought leadership that’s basically marketing with better grammar. Where’s the practical guidance for organizations like mine? Where’s the analysis that asks “why does this keep happening” instead of just “here’s what happened”?
What Farming Taught Me About Security
I’ve been thinking about this farming analogy a lot lately. Yeah, I know, stick with me here. I grow corn and soybeans on about 400 acres outside of town. Started when I moved out here from Chicago about eight years ago. And farming teaches you things that translate pretty directly to a lot of general life and other industries.
You work with the land you have, not the land you wish you had. You can’t change your soil type or your climate, but you can understand them and work within those constraints. Some things take time to develop – you can’t rush soil health or crop rotation benefits. You have to plant before you can harvest. And if you don’t understand the patterns – weather patterns, market patterns, disease cycles – you’re going to struggle.
Some farmers can till their ground, others opt for no-till even though they have the option, and others are forced into no-till due to soil conditions or operating on highly erodible land. Then there’s always that old-timer who’s been farming since the ’80s and won’t change because “we’ve always done it that way” – even when the science shows better approaches.
Security practitioners fall into similar patterns. You’ve got those constrained by budgets and manpower, just like farmers forced into certain practices. Others who choose their approach based on what works for their environment. And then you’ve got the security equivalent of that old-timer – practitioners who want Fort Knox-level protection because that’s how they’ve always thought about security, even when it doesn’t help the business innovate or actually function.
Security is exactly the same as farming in these ways. You can’t wish for unlimited budget or perfect vendors. You can’t implement “zero trust” overnight, no matter what the marketing materials say. You can’t skip the foundational work of understanding your environment and your threats. And if you don’t recognize the patterns that lead to failures, you’re going to keep experiencing those failures.
Those farming principles have shaped how I approach security over 15 years: sustainable security isn’t about having perfect solutions, because there’s no one perfect solution to security or how to implement it. All of our industries are different, but the academic frameworks try to make us all the same. That’s not the case because the business, the industry, the day-to-day operations differ so dramatically. It’s about making better decisions with imperfect information and limited resources. It’s about pattern recognition that lets you see problems coming before they hit. It’s about practical risk management that acknowledges you can’t eliminate every threat, so you better understand which ones matter most.
What’s Missing from Security Content
That’s what’s been missing from the security conversation. We’ve got plenty of people selling solutions and pushing products. We’ve got researchers breaking down the technical details of every new attack. We’ve got compliance experts explaining the latest regulatory requirements.
But who’s connecting the dots? Who’s asking why the same or similar patterns keep repeating? Who’s providing practical guidance for organizations that can’t afford to replace their entire infrastructure every time a new threat emerges?
I’ve been that person for the past 15 years – built two InfoSec programs from the ground up, been through data breaches, learned that saying “no” isn’t security’s role. I’ve gotten better at conveying risk instead of just being the roadblock the business sees me as. My last few audit cycles have become more about maturity – findings that exist because the auditors have to write something, rather than structural gaps, because we’re no longer missing the basics. I don’t know everything, I’ve made mistakes, but I’ve learned that vendors don’t solve problems – they just rebrand when new buzzwords emerge. AI, zero trust, whatever’s next – none of it fixes a broken program, but some tools can help if you use your brain, question everything, and focus on how they actually break the patterns that keep making us vulnerable.
And I’m tired of keeping that knowledge to myself.
What Cultivating Security Will Be
So here’s what Cultivating Security is going to be: practical security wisdom for organizations that operate in the real world. Pattern analysis that connects incidents to systemic problems. Vendor risk guidance that acknowledges you can’t always walk away from a problematic vendor. Operational security lessons that work with limited budgets and small teams.
I’m not going to sell you anything. I’m not going to pretend I have all the answers. And I’m definitely not going to recycle vendor marketing as thought leadership.
But I am going to ask the uncomfortable questions that need asking. Like why we’re still seeing Target-style attacks a decade later. Like what it really means when companies bypass security controls for business continuity. Like whether our security has actually improved, or whether we’ve just moved the vulnerabilities to shinier infrastructure.
Because after 25 years in IT and Information Security, seeing the same patterns repeat, I think it’s time someone started documenting them. And explaining what they mean. And helping other security practitioners navigate them before they become incidents.
Welcome to Cultivating Security. Let’s see if we can break some patterns.
Podcast: Download (Duration: 15:10 — 8.2MB)