Over the past 20 years, we’ve seen an evolution in security requirements and associated best practices. Looking back, we started with simple identity management and basic firewalls to protect our digital assets. The username/password rules started with few restrictions on password length, re-use, characters, etc. In 2006, I spoke to an audience about password security and asked the room if their passwords used a dog’s name, favorite sports team, birthdays, and street names. Eighty percent of the hands went up, and I reminded the room that all this info was available on their Facebook pages.
In these early days, big corps weren’t yet exposing complex code to their public users. As a result, the firewall rules provided boundary safety but didn’t yet require more complex protection mechanisms.
BAD ACTORS
Simultaneously, “bad actors” were maturing and improving the complexity of their attacks. Their attacks became more creative, persistent, and resistant to discovery. Assaults began using a diverse range of exploits, including unsecured server-side calls, poorly protected APIs, and bots overloading websites with auth requests or general traffic.
CAT AND MOUSE
“Cat and mouse” is an apt metaphor: every new threat resulted in crafty expert responses by technology teams to protect against every new attack. In 2025, however, chasing the mouse isn’t the right approach. Today, we need to incorporate a security mindset into all of our solutions. We need to remove the cheese.
Companies have been allocating increased budgets to manage and prevent security risks. As important as the dollars are, it’s equally essential to advocate for a corporate environment that puts security first. In my experience building custom financial solutions, we’ve learned to integrate DevSecOps into our development lifecycle, using tools to scan for vulnerabilities in code before it’s released to production.
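One concrete form the “scan before release” step takes is a gate in the delivery pipeline that reads the scanner’s findings and refuses to promote a build when unresolved high-severity issues remain. The following is an added example, not code from the article or from any particular scanner: it parses a minimal SARIF-style document (the interchange format many code scanners emit), applies an assumed severity threshold, and honours an assumed baseline of findings a reviewer has explicitly accepted. The sample document, rule ids and file paths are constructed for illustration.

```python
"""Pre-release vulnerability gate over scanner output.

Added example: the SARIF document below, the rule ids and paths in it, the
severity threshold and the accepted-findings baseline are all constructed
assumptions for illustration, not a real project's data.
"""
from dataclasses import dataclass

# Ordering used to compare a finding against the release threshold.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}
# Fallback mapping when a scanner reports only a SARIF "level".
LEVEL_TO_SEVERITY = {"note": "low", "warning": "medium", "error": "high"}


@dataclass(frozen=True)
class Finding:
    rule_id: str
    severity: str
    path: str
    line: int


def parse_sarif(doc: dict) -> list[Finding]:
    """Flatten runs[].results[] of a minimal SARIF 2.1.0 document into Findings.

    Severity comes from result.properties.severity when the scanner provides
    it, otherwise it is derived from the result's 'level'.
    """
    findings = []
    for run in doc.get("runs", []):
        for result in run.get("results", []):
            props = result.get("properties", {})
            level = result.get("level", "warning")
            severity = props.get("severity") or LEVEL_TO_SEVERITY.get(level, "medium")
            loc = (result.get("locations") or [{}])[0].get("physicalLocation", {})
            path = loc.get("artifactLocation", {}).get("uri", "<unknown>")
            line = loc.get("region", {}).get("startLine", 0)
            findings.append(Finding(result["ruleId"], severity.lower(), path, line))
    return findings


def evaluate_gate(findings, threshold="high", accepted=frozenset()):
    """Decide whether a build may be promoted.

    A finding blocks release when its severity meets the threshold and the
    (rule_id, path) pair is not in the reviewer-accepted baseline. Findings
    below the threshold are reported but do not block.
    """
    min_rank = SEVERITY_RANK[threshold]
    blocking, waived = [], []
    for f in findings:
        if SEVERITY_RANK.get(f.severity, 0) < min_rank:
            continue
        (waived if (f.rule_id, f.path) in accepted else blocking).append(f)
    return {"release": not blocking, "blocking": blocking, "waived": waived}


# Constructed sample scanner output (not from a real scan).
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-scanner"}},
        "results": [
            {"ruleId": "EXAMPLE-SQLI", "level": "error",
             "properties": {"severity": "high"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/orders.py"},
                 "region": {"startLine": 42}}}]},
            {"ruleId": "EXAMPLE-WEAK-HASH", "level": "warning",
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/legacy.py"},
                 "region": {"startLine": 7}}}]},
            {"ruleId": "EXAMPLE-HARDCODED-SECRET", "level": "error",
             "properties": {"severity": "critical"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "tests/fixtures/fake_key.py"},
                 "region": {"startLine": 3}}}]},
        ],
    }],
}

# Assumed baseline: a reviewer accepted the fixture secret as a test-only value.
ACCEPTED_BASELINE = frozenset({("EXAMPLE-HARDCODED-SECRET", "tests/fixtures/fake_key.py")})

if __name__ == "__main__":
    verdict = evaluate_gate(parse_sarif(SAMPLE_SARIF), accepted=ACCEPTED_BASELINE)
    print("release allowed:", verdict["release"])
    for f in verdict["blocking"]:
        print(f"BLOCKING {f.severity:8} {f.rule_id} {f.path}:{f.line}")
    for f in verdict["waived"]:
        print(f"waived   {f.severity:8} {f.rule_id} {f.path}:{f.line}")
```

Keying the baseline on (rule, path) rather than on a message string keeps accepted findings from silently re-matching when the scanner reorders or rewords output, and it forces a fresh review whenever the same rule fires in a new file.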
BEST PRACTICES
In some cases, companies prioritize urgency over security best practices. To satisfy a deadline, they skip peer code reviews, environment segmentation (and access restrictions), and/or thorough testing cycles. To look out for our “future selves,” we must, when estimating, incorporate the time required to satisfy good security practices ahead of production deployments, and resist the temptation to save time by reducing our efforts in these areas.
As a consultant, I’ve guided companies to identify the valuable assets in their environment, whether that’s IP, customer data, brand, etc., and then to establish a plan that ensures they have the security apparatus to manage the risk of attacks. Creating a corporate culture that emphasizes a security mindset requires a commitment from the whole organization.