The Day I Learned Cybersecurity Existed Before “Cybersecurity”
A department’s IT personnel quit the job, changed the administrator password and disabled all the user accounts on a Windows NT server, so no one in that department could login to do their work.
Back in the early 2000s, I faced an unexpected challenge at work.
A department’s IT personnel quit the job, changed the administrator password and disabled all the user accounts on a Windows NT server, so no one in that department could login to do their work.
I wasn’t a part of their IT team, but my supervisor asked if I could step in. So armed with curiosity, NT knowledge, research and testing, I found a vulnerability that allowed me regain the administrator access, restore access to the user accounts, and patched the vulnerability.
Back then, terms like ethical hacking and penetration testing were just starting to circulate. The CEH certification was in its early days. I didn’t think of myself as a “pentester” as that term was not even well known. For others and myself, it was simply problem solving.
Looking back, I realize what that moment taught me, cybersecurity didn’t suddenly appear with certifications and frameworks. The threats, the challenges, and the solutions have always been there.
What Twenty Years in Security Has Taught Me
Security Work Existed Before 'Cybersecurity'
In 2002, I was already doing what today we’d call penetration testing, managing access controls, patching vulnerabilities, and thinking like an attacker to defend systems. It was the same work security professionals do today, just without the vocabulary or formal structures.
Frameworks Are Maps, Not Destinations
Frameworks and certifications like CEH or National Institute of Standards and Technology (NIST) are valuable, but they’re not endpoints. They give us a shared language and proven methodologies. The real goal is finding the balance between security and business operations.
Early in my career, I leaned too far toward “perfect” security, locking systems down so tightly that I blocked legitimate work. I quickly learned that security that gets in the way of business isn’t security at all.
Innovation Beyond Certification
Certifications build your foundation, but innovation comes when you see their limits and adapt. That mindset led me to create:
- A WordPress hardening plugin that leverages Linux immutability.
- The SATA methodology (Seeded Account Threat Awareness), designed to bring real-world phishing intelligence into awareness training.
Both ideas stand on established foundations, but adapt them for today’s practical challenges.
Remember IT Exists to Support Business
Too often, IT professionals expect business operations to bend around their security models. That mindset only creates friction.
The role of IT has always been support for businesses and protect their processes, not primarily to change them.
When deploying new systems or protocols, do them in phases, so the business can adapt. We should seek to protect the existing business process first before trying to change it. Most times, adaptations are enough. Rarely do you need to redesign the business process.
Certifications are Learning Tools
We should treat certifications as learning tools and guides on how to approach various technical challenges or how to best design systems and protocols to prevent or reduce challenges. They should not be seen as ends in of themselves because things always keep changing. Focus on mastering the fundamentals and then adapt them to your unique situations.
Some Basics That Are Still Important
Technology always changes, but there are some core principles that will always be the same:
- Logs - allow us to identify anomalies early and investigate their causes.
- User management - give the least amount of privileges to users to reduce risks.
- User awareness - strengthen through awareness the weakest link in security, the user.
- Virtual labs for testing - break things in labs, not in production.
- Recovery and mitigation procedures - no defense is perfect, so recovery is vital.
These worked for me in the past, and still work today.
The Bottom Line
Cybersecurity isn’t about finding that perfect setting or configuration, but:
- Protecting what matters to a business or organization
- Ensure that persons can do their jobs
- Adapt changes and threats as they come
This approach allowed me help a business to restore its function, and it continues to guide me in my work today.
💬 What about you?
Did you ever practice “cybersecurity” before it even had that name?
