I’ve never classed myself or behaved like a technology purist. In fact, quite the opposite. Don’t get me wrong - I’m no maverick but I’ve never been a fan of opening a Microsoft exam prep guide and quoting sections of it to state my case. No. I prefer to leverage my own experience - knowledge that has been acquired over 28 years, and earned “on the tools”. In most cases, doing things “by the book” from a technology standpoint is nothing more than a recipe for disaster - rather like setting yourself up for a fall.
If we follow all industry standards in terms of security architecture, there’s nothing unique about the environments we claim are completely secure - in actual fact, they’d all be carbon copies of each other, so when the bad guys break one, they’ve effectively broken every security model across the board. Purists also need to understand that security isn’t a product. It’s a collective set of controls, standards, configuration, and technology that should be bespoke for every environment. As a classic example, an organisation can follow the NIST framework and ultimately end up with something so rigid that essential change, in the name of the ever-turning security wheel, takes so long that a zero-day or other associated vulnerability is allowed to go unnoticed - effectively flying under the radar because of bureaucracy or red tape, and because there is no flexibility within that same standard to allow for this type of scenario. This is why so many organisations will always carry an unnecessarily elevated level of risk, unwittingly creating their own vulnerabilities by adhering to the rule book.
Standards such as ISO 27001 etc. aren’t exactly forgiving either - but what would happen if you took the most compatible and flexible components from both frameworks and generated your own bespoke (and by definition, unique) security program? I’ve actually done exactly that, which is probably enough to send those purists into a frenzy whilst they consult their textbooks to bolster their own (often jaded) belief that so-called industry standards are the only way, and are the holy grail to securing a network. The real point here is that criminals tend not to bother taking security exams - they borrow established techniques from others who have succeeded in the past, and then create their own unique battle plan once they understand the underlying components and layout of their target. No attack vectors are based on “best practice” - they are all unique, and often tailored directly to fit the organisation they are targeting.
For purists to continue down this line of thinking is both outdated and dangerous. There is not a single technology that, on its own, will behave like a silver bullet - the sooner we all realise that, the stronger security frameworks and their associated programs will become.