
Behind the Firewall ft. Joseph Kirkpatrick
Audits work best when there’s transparency, not secrecy.
During a recent engagement, Joseph encountered a situation that revealed much more than a technical risk: it revealed a cultural one. The client confirmed their penetration test was set for the weekend, but buried in the same email thread were plans to shut down vulnerable servers that Friday at 4:00 p.m., then quietly bring them back online after the test.
The intent behind this wasn’t malicious; it was protective. But it highlights a critical issue that is more common than you might think: security culture isn’t just about tools and tests, it’s about transparency, trust, and alignment.
If a team’s first instinct is to hide risk instead of address it, that’s the real vulnerability. In the worst-case scenario, this behavior can lead to blind spots that no amount of scanning or testing will catch.
Once we identified this, we advised the client to foster a culture where risks are surfaced, not buried. Security works best when everyone is aligned on the same goal: protecting the organization, not just passing the test.
How can organizations build this kind of culture?
– Leadership buy-in: Executives must set the tone that honesty about risk is valued.
– No-blame reporting: Create safe, anonymous channels for reporting vulnerabilities.
– Reward transparency: Recognize and celebrate employees who surface risks.
– Train for behavior: Teach teams what to do when they find issues—and why it matters.
– Make reporting easy: Simple processes and immediate feedback encourage openness.
The strongest defense isn’t built through code, it’s built through culture.





