TL;DR
Security is mostly boring work nobody wants to do. Patching, access reviews, and backups. I ran enterprise security for two decades, and the one time everything went wrong, it was backups that saved us, barely. We had a triple failure, snapped tapes, and a week of lost data, and one brilliant Oracle DBA named Elvis Niba pulled almost all of it back. The boring work is the whole job. The exciting part is what happens when you skipped it.
Nobody gets into security because they love patching. The work that actually keeps you safe is dull, repetitive, and easy to put off. Which is exactly why most companies put it off, and exactly why they get hurt.
I ran technology and security for a national retailer for two decades, and now I ghostwrite books for security leaders. The single most important lesson I can pass on is unglamorous: the boring work is the job. Here is what it looks like.
Patching, and why it is so annoying
Patching matters. Unpatched systems are how a lot of attacks succeed, because the hole was known, the fix existed, and nobody applied it. The attacker did not need to discover anything. They just walked through a door the vendor had already told you to lock. A huge share of real breaches trace back to a patch that was available for months and never installed.
So you patch. But patching is genuinely annoying, because patches force reboots, and the reboot never comes at a good time. The way Microsoft works, it will reboot your machine right in the middle of whatever you are doing. It does not care that you had work open or that it is the middle of your busiest day.
So here is what I always did. Turn off auto-patching. Then patch manually, on a schedule, after I had a chance to test the patch in a staging environment first. Auto-patching sounds responsible, but it hands control of your timing and your stability to a vendor who does not know your environment. Manual patching on a tested schedule keeps you both current and in control.
Never patch blind. Test it in staging first. I learned that when a patch blue-screened every machine we had and we spent days rolling it back.Share on X
That staging step is not optional, and I learned why the hard way. Back in the Windows NT days, we pushed a patch that caused blue screens on every system. Every one. The machines would not boot. We had to roll the whole thing back and clean up the mess across the entire environment, by hand, while the business waited. It was days of work to undo something we had applied in an afternoon. After that, nothing got patched until it had been proven safe on a test box first. The lesson cost us dearly and I never forgot it: a patch is a change, and every change can break something, so you test it where breaking is cheap before you apply it where breaking is expensive.
Access reviews, the quiet control
The other boring habit is reviewing who can reach what, and pulling access the moment it is no longer needed. When someone changes roles, their old access should go away that day, not six months later when somebody finally notices.
Here is how access quietly becomes a problem. Someone joins, gets access to do their job. They move to a new team, get new access, but nobody removes the old. They take on a project, get more access, project ends, access stays. Year after year, person after person, the company accumulates a sprawl of permissions that nobody is tracking, where half the people can reach things they have no reason to touch. Each one is a key that an attacker, or a disgruntled employee, can use.
This is the control that limits insider damage, and it is the one that most directly addresses the threat I describe in what actually gets attacked first, where the insider turns out to be the most common and most missed vector. It is also the control that quietly rots, because nobody owns it and nothing breaks visibly when you skip it. The patching failure announces itself. The access-review failure stays invisible, right up until someone leaves angry and discovers their login still works. The discipline of regularly reviewing access and ripping out what is no longer needed is tedious, thankless, and one of the highest-value things you can do.
Backups, and the night everything failed at once
Then there are backups, the most boring thing in all of technology, and the thing that once saved my entire operation. Let me tell you how, because it is the best argument for boring work I have.
Back in the earlier days we backed up in layers, because one backup is not really a backup. Every night we copied our whole system, all our files, to a duplicate set of disks. That was the first layer, fast to make and fast to restore from. From there, we copied it over the network, over T3 lines, to a remote site, so that even if our building burned down we could recover somewhere else entirely. And on top of all that, we ran a tape backup every night, magnetic tape, the final fallback you could put on a shelf and carry out the door.
Three layers. Disk, remote, tape. Local for speed, remote for disaster, tape for last resort. You would think that was bulletproof. That is the whole point of layering, that the odds of all of them failing at once are vanishingly small. Then we had the worst night of my career, and learned that vanishingly small is not the same as zero.
A power outage spiked a surge into the system and physically destroyed hardware. Our main disks failed. The disk-to-disk backup failed in the same event, because it was on the same power. And the T3 lines to the remote site had already been down for several days before the outage, so there was no remote copy waiting either. A triple failure, all at once, the thing layering is supposed to make impossible, and it happened anyway.
We had three layers of backup. A power surge took out all three the same night. The one thing that saved us was a brilliant DBA and a week-old tape.Share on X
So we went to the tapes. Our last line of defense, the one that survives when everything electronic dies. The tapes were physically snapped. Broken. The one backup that was supposed to be unkillable had failed in the most basic physical way, and we had to go back about a week to find tape we could actually read.
What saved us was a person. My Oracle DBA, Elvis Niba, was one of the best database people I have ever worked with. He was originally from Cameroon, and his mother named him after Elvis Presley. When everything else failed, Elvis walked the data, rolling it forward from partial backups and transaction logs, reconstructing what had happened in the days the readable backup did not cover. He rebuilt the database almost from nothing, piecing it together from fragments that a lesser engineer would have called unrecoverable. We recovered virtually all of it. By rights we should have lost a week of business. Because of him, we lost almost nothing.
I tell that story whenever someone tells me backups are boring. They are. They are also the difference between a bad week and a dead company. And notice the real lesson hiding inside it: even three layers of backup can fail, so the final safeguard is not a system at all, it is a person who deeply understands the data and can rebuild it when every automated safety net tears. That is why ransomware, which I describe in what gets attacked first, is ultimately a backup problem. The defense against your files being encrypted is a clean copy you can restore, which is the same boring discipline that saved us that night.
Boring is the point
Patching on a schedule, tested first. Pulling access the day a role changes. Backing up in layers and testing that the backups actually restore, because a backup you have never tested is just a hope with a label on it. None of it is exciting. None of it shows up in a vendor demo. All of it is what actually keeps you alive.
The companies that get this right are the ones where the boring work is simply how the team operates, not a project, not a heroic push before an audit, just the daily grind that someone owns and does. The audit, when it comes, is easy, because everything is already the way it should be. I get into that distinction in what eight PCI audits taught me about real security versus checkbox security.
When I work with a security leader on their book, this is often the most valuable material, because it is the part they lived and the part no framework teaches. The war story about the night everything failed is worth more to a reader than any list of best practices. The judgment underneath it is what only experience buys.
Frequently Asked Questions
Get the Free Guides
Join the list and get my condensed books, free. No spam, unsubscribe anytime.
By subscribing you agree to receive occasional emails. Unsubscribe anytime.
Do not let systems auto-patch, because patches force reboots at the worst possible time and a bad patch can take down everything. Test each patch in a staging environment first, then apply it manually on a schedule once it is proven safe. I learned this after a Windows NT patch blue-screened every machine we had and took days to roll back.
Because they are the only reliable recovery when everything else fails, from ransomware to hardware death. Back up in layers, local disk, a remote site, and a separate medium, and test that the backups actually restore. I once had all three layers fail in one night from a power surge, and only a brilliant DBA rebuilding from partial data saved us.
It is the practice of regularly checking who can reach what, and removing access the moment it is no longer needed. Access quietly accumulates as people change roles and old permissions are never revoked, leaving keys everywhere. When someone changes roles or leaves, their old access should be pulled that day. It is the quiet control that limits insider damage.
Because attacks succeed through the gaps the boring work would have closed. The unpatched server, the login that was never revoked, the backup nobody tested. None of it is exciting, none of it shows up in a demo, and all of it is what actually keeps a company alive. The companies that do it well treat it as daily operation, not a heroic push.
Always. A backup you have never restored from is just a hope with a label on it. Tapes snap, copies corrupt, and restores fail in ways you only discover when you actually try. Test that your backups restore cleanly, regularly, so the day you need them is not the day you find out they were broken.
Yes. I ghostwrite books for CISOs, security founders, and technical executives who want their real experience on the page. The war stories and hard-won judgment, not just the best-practice lists, are what make a security book worth reading. You can see how I work on the cybersecurity ghostwriting page.