Network Security Blind Spots Every CxO Should Know About
You have a firewall. You have antivirus. You might even have a SIEM. But the gaps that actually get companies breached? Most leadership teams have never thought about them.
Security Isn't a Product — It's a Posture
I've walked into organisations where leadership genuinely believed they were secure because they'd purchased the right products. Firewall: check. Endpoint protection: check. Annual pen test: check. And yet their DNS was leaking internal hostnames to the public internet, lateral movement was trivial once past the perimeter, and nobody had looked at their Active Directory configuration since the original deployment.
Security isn't a stack of products. It's a posture — the sum of how your systems are configured, monitored, and maintained over time. Products help, but only if someone's actually tuned them to your environment.
And here's the uncomfortable baseline most leadership teams need to hear: if you haven't seen an attack, you missed it. Your systems are being probed, scanned, and tested constantly. That's not speculation — it's the reality of having an internet-facing presence. You're either catching those attempts and responding to them, or they're happening and you don't know. The absence of alerts isn't peace. It's silence — and silence in security is never a good sign.
It doesn't help that most people's mental model of a threat actor is a lone hacker in a basement or a state-sponsored team overseas. That framing makes them completely miss the person sitting in their lobby right now, connected to the guest WiFi on a mobile device. Most guest networks aren't properly segmented from the corporate network. A competent attacker doesn't need to breach your perimeter from the outside — they can walk through the front door, sit down with a coffee, and start mapping your internal infrastructure from the couch.
And all of that obvious digital danger draws attention away from the quieter risks. The friendly delivery driver who stops to chat with your team at their favourite lunch spot. The stranger who holds the door open and walks in behind an employee. People are more open in casual settings — and someone who knows what to listen for can learn more about your systems, your schedules, and your access controls over a sandwich than most scanners will find in a week. Meanwhile, proximity tools can clone access badges and key fobs without anyone noticing a thing.
While you're thinking about that: how secure are your elevators?
DNS: The Forgotten Attack Surface
DNS is the backbone of every network interaction, and it's almost always overlooked. Here's what I see regularly:
- No DNS filtering: Employees can resolve any domain, including known malware command-and-control servers. Basic DNS filtering is one of the cheapest security controls that exists — and one of the most effective against commodity attacks.
- Internal zone leakage: Internal DNS records (server names, IP schemes, application names) resolvable from the public internet. This is free reconnaissance for attackers.
- No DNS logging: If you can't see what's being resolved, you can't detect data exfiltration over DNS — one of the oldest tricks in the book.
DNS hygiene isn't glamorous, but it's one of the highest-impact, lowest-cost security improvements any organisation can make.
Lateral Movement: The Real Threat
Most breaches don't start with a sophisticated zero-day exploit. They start with a phishing email, a stolen credential, or an unpatched VPN appliance. The initial foothold is almost boring.
What makes a breach catastrophic is what happens after — lateral movement. Once inside, can the attacker move freely? In most networks I assess, the answer is yes. Flat network architecture means one compromised workstation can reach every server. Service accounts with domain admin privileges are common. Network segmentation exists on a diagram but not in the actual firewall rules.
The initial entry point is almost never the real problem. The real problem is how far they get once they're in.
Active Directory: The Keys to the Kingdom
If your organisation runs Windows (and statistically, it does), Active Directory is the single most critical piece of infrastructure you own. It controls who can access what, everywhere. And in most environments:
- Group policies haven't been audited in years
- Legacy service accounts have far more permissions than they need
- Kerberoasting, AS-REP roasting, and NTLM relay attacks are trivially executable
- No one monitors AD replication traffic or unusual authentication patterns
An attacker who compromises Active Directory doesn't need to hack anything else — they can grant themselves access to everything. Hardening AD is not optional. It's foundational.
Patching Isn't Just for Software
Everyone knows you should patch your servers and workstations. Fewer people think about:
- Firmware on network devices: Switches, access points, and firewalls run firmware that has vulnerabilities just like any other software
- IoT and OT devices: Printers, cameras, HVAC controllers, badge readers — all network-connected, rarely patched, often running ancient embedded OS versions
- SSL/TLS certificates: Expired certs don't just cause browser warnings — they break automated processes and can mask man-in-the-middle attacks
If it's on your network and it has an IP address, it's an attack surface. Full stop.
The Human Layer
No amount of technology compensates for an untrained team. But "security training" as most companies implement it — a yearly compliance video followed by a quiz — isn't training. It's theatre.
Effective security culture means:
- Regular, realistic phishing simulations — not to punish, but to build pattern recognition
- Clear incident reporting paths — if an employee clicks a bad link, do they know who to call? Will they be punished for reporting it? (If yes, they won't report it.)
- Role-based awareness — Finance gets targeted differently than engineering. Generic training misses this entirely.
Security as Culture, Not Compliance
Most security programmes are built around warnings, restrictions, and punishment after mistakes. That approach creates compliance — but not engagement. People follow the rules because they have to, not because they understand why. And the moment something falls outside the rulebook, they freeze, ignore it, or work around it.
A better model is to make good security behaviour visible, rewarding, and part of the company's identity. When employees are recognised for reporting suspicious activity, following secure practices, and reinforcing good habits in their teams, security stops feeling like a burden imposed by IT and starts feeling like a shared responsibility.
I take this further than most. One example: rather than just telling employees "don't plug in unknown USB drives," I structure programmes where the security team plants test drives around the facility — in break rooms, parking lots, conference tables. The drives contain harmless software that identifies them as a test and notifies the security team when one is found. If an employee brings the drive to security without plugging it into a network device, they earn points toward a team reward — an event day, a team lunch, something that builds camaraderie while reinforcing the right instincts.
What happens over time is powerful: people start actively looking for threats instead of passively ignoring them. It becomes a kind of security scavenger hunt — and it turns out it's very hard to hide a malicious device in an environment where everyone is already hunting for one. The culture shifts from "IT's problem" to "our problem," and that shift is worth more than any firewall upgrade.
Done properly, this kind of approach improves morale and team culture while hardening your security posture. That's not a trade-off. It's a multiplier.
Compliance-driven security asks: "Did everyone complete the training module?" Culture-driven security asks: "Would your team recognise a threat and know what to do about it — right now, without a manual?" One protects you from auditors. The other protects you from attackers.
What CxOs Should Be Asking
You don't need to become a security expert. But you do need to ask the right questions. Start with these:
- If we were breached today, how long would it take us to know?
- Can a compromised workstation reach our most critical data?
- When was our Active Directory configuration last audited?
- What devices on our network are we not patching?
- If an employee reports a phishing attempt, what happens next?
If your team can't answer these confidently, that's not a failure — it's a starting point. The risk isn't in not knowing. It's in not asking.
Do You Know What Normal Looks Like?
Those questions above are strategic — the kind a CxO should be asking their team. But there's a deeper layer underneath them, and it's the one that separates organisations that have security tools from organisations that actually understand their environment.
If I asked you these right now, could you answer without guessing?
- What memory percentage does your production server normally idle at?
- How many DNS requests do your AD servers typically generate in a day?
- Which systems are expected to communicate with your domain controllers?
- What does normal outbound traffic look like from your critical servers?
- What does routine privileged account activity look like in your environment?
- If any of those patterns changed today, who would notice first?
Each of those questions escalates. The first is a simple resource metric — the kind of thing someone should know about a system they're responsible for. The next few move into network behaviour and communication patterns. The last one asks something most organisations haven't answered honestly: do you have operational awareness, or just operational tools?
You can't defend an environment you haven't defined. If you don't know what normal looks like, you won't recognise abnormal until it's already damage.
If those questions are hard to answer, that doesn't mean your team is careless. It usually means nobody was asked to define normal before being asked to defend it. That's a gap in process, not in people — and it's one of the most common things I find in environments that otherwise look well-resourced on paper.
This is where most security investments quietly fail. The tools are in place. The dashboards exist. But nobody has established the baselines that make those dashboards meaningful. An alert for "unusual DNS volume" can't even exist if no one has defined what usual DNS volume looks like. A spike in privileged account authentication means nothing if you haven't mapped what routine activity looks like first.
The organisations that catch threats early aren't the ones with the most expensive tools. They're the ones that have done the unglamorous work of defining what their environment looks like when nothing is wrong — so they notice immediately when something is.
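As an added illustration (not code from the original post), here is the smallest version of the DNS work described in the DNS section and in the baseline discussion above: learn each client's query volume from a known-good window, then flag clients whose volume jumps well past that baseline and zones that receive many long, random-looking labels from one client, the shape data exfiltration over DNS usually takes. The log line format, host names, zones and thresholds are all constructed assumptions to adapt to your resolver's real logs.

```python
import hashlib
import math
from collections import Counter, defaultdict

# Constructed sample log in an assumed "<client> <qname>" line format (not from a real resolver).
BASELINE_LOG = """
ws-01 intranet.corp.example
ws-01 mail.corp.example
ws-02 intranet.corp.example
ws-02 mail.corp.example
dc-01 _ldap._tcp.corp.example
dc-01 mail.corp.example
"""
# Today's log: ws-02 also sends many long, random-looking labels under one external zone.
TUNNEL_QUERIES = "\n".join(
    f"ws-02 {hashlib.sha256(str(i).encode()).hexdigest()[:24]}.t.exfil-example.net"
    for i in range(10))
TODAY_LOG = BASELINE_LOG + TUNNEL_QUERIES + "\n"

def parse(log):
    """Yield (client, qname) pairs; qnames normalised to lowercase without a trailing dot."""
    for line in log.strip().splitlines():
        client, qname = line.split()
        yield client, qname.lower().rstrip(".")

def shannon_entropy(text):
    """Bits per character: words score low, hex or base32 blobs score close to 4 or 5."""
    counts = Counter(text)
    return -sum(n / len(text) * math.log2(n / len(text)) for n in counts.values())

def volume_anomalies(baseline_log, current_log, factor=3):
    """Clients whose query count exceeds `factor` times their baseline (baseline floor of 1)."""
    base = Counter(c for c, _ in parse(baseline_log))
    now = Counter(c for c, _ in parse(current_log))
    return {c: n for c, n in now.items() if n > factor * max(base.get(c, 0), 1)}

def tunnelling_suspects(log, min_distinct=8, min_len=20, min_entropy=3.0):
    """(client, zone) pairs with many distinct, long, high-entropy leftmost labels."""
    seen = defaultdict(set)  # (client, zone) -> distinct leftmost labels seen
    for client, qname in parse(log):
        labels = qname.split(".")
        if len(labels) >= 3:
            seen[(client, ".".join(labels[-2:]))].add(labels[0])
    hits = {}
    for key, labels in seen.items():
        blob = "".join(labels)
        if (len(labels) >= min_distinct and len(blob) / len(labels) >= min_len
                and shannon_entropy(blob) >= min_entropy):
            hits[key] = len(labels)
    return hits
```

Neither check is possible without the logging and the baseline window: the volume rule needs a known-good count per client, and the label rule needs the full query names, not just a "DNS traffic present" counter.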
The Bottom Line
The attacks that breach companies aren't usually sophisticated. They're opportunistic — exploiting gaps that exist because no one looked. DNS misconfigurations, flat networks, stale AD permissions, unpatched firmware, untrained humans, and physical access points nobody thought to question. These aren't exotic threats. They're infrastructure basics that get overlooked in the rush to buy the next security product.
If you're a CxO who suspects there are gaps you can't see, that instinct is worth acting on. An infrastructure security posture review — looking at your environment the way an attacker would — is usually the fastest way to find what's been hiding in plain sight. Let's talk about what that looks like for your organisation.