‘The Good, the Ugly and the Bad’: A modern cybersecurity fable

Cybersecurity is a shared responsibility in a world full of modern complexities and new threats. To keep systems secure, three roles work together: secure software developers, compliance specialists and ethical hackers. In this article, we tell a fictional yet strikingly familiar story about ‘The Good, the Ugly and the Bad’ – with their strengths and essential characteristics in a security-minded organisation.

By David Soto Dalmau (ERNI Spain)

There’s something timeless about a classic Western. A lone rider crosses a barren landscape, danger lurking behind every rock, trust as scarce as water in the desert. Guns are drawn, deals are broken and survival depends not just on who’s the fastest – but on who understands the game.

Swap the revolvers for laptops, and the dusty towns for networks and systems, and suddenly the Wild West doesn’t feel so distant. In cybersecurity, much like in the old Westerns, we navigate an unpredictable frontier. Threats come unannounced. Allies may turn. And victory isn’t about brute force – it’s about outsmarting your adversary, securing your turf and knowing when to shoot… And when to code.

At ERNI, we recognise these dynamics all too well. Every client engagement is a new town, with its own rules, its own sheriff and its own lurking dangers. That’s why we ride into each project with a trio of experts: ‘The Good, the Ugly and the Bad’. Each one with a purpose, each one with a role, and none of them truly effective without the others.

This isn’t just a metaphor – it’s a method. And it’s what guides our approach to building, regulating and testing secure systems in a digital world that often feels as lawless as the frontier. And it is at this frontier where our tale begins… In a far-off digital Wild West, where firewalls are the new adobe walls and bounty hunters are called ‘pentesters’ (penetration testers), three figures ride into the cybersecurity frontier: ‘The Good, the Ugly and the Bad’.

This isn’t a tale of shootouts at noon, but of simulated attacks, tedious regulations and unsung heroes who code with principles. A paradox: to protect ourselves from chaos, we need a little chaos, a dash of law and a guardian who knows when to draw their trusty weapon: code.

The Good: Secure development, the Ugly: Regulations no one wants, the Bad: ethical hacker

The Good: Secure development

The Good wears a digital lab coat, fingers stained with coffee and clean code. They’re the ones who design securely from the start, applying ‘secure by design’ principles and reviewing every component, every dependency and every endpoint. Their ethics are grounded in professionalism – not fear of auditors or attackers, but respect for users. The Good documents, validates input, encrypts communications and anticipates what might go wrong before anything does. They rely on models like STRIDE, use SAST and DAST tools, and follow frameworks like OWASP ASVS. But they also have the soul of a storyteller: telling a tale of prevention, intelligent design and accountability.

The Ugly: The unwanted regulations

The Ugly arrives in a grey suit with a clipboard. They talk about GDPR, ISO 27001, NIS2 and other abbreviations that make tech teams sweat. They’re the auditor, the compliance officer, the risk manager. No one invites them to creative meetings, but everyone calls when something breaks. Their ugliness lies not in function, but in perception: seen as a burden, not a shield. But the Ugly embodies the Greek logos – rationality that imposes structures, controls and processes. They demand encryption evidence, access controls and vulnerability management. Yes, sometimes it feels like bureaucracy, but without them there are no boundaries, no accountability, no justice when systems fail. The Ugly turns “we should” into “we must” – unpopular, yet vital.

The Bad: The ethical hacker

The Bad slips in the back door with a crooked grin. They wear hoodies, work in dark terminals, and ask uncomfortable questions. They’re the pentester, the red teamer, the offensive cybersecurity consultant. Their role: to attack their own client. From the outside, they seem villainous, but their ethics are clear: find flaws before the real villains do. The Bad channels pathos – the urgency, the imminent risk, the adrenaline that reminds us no system is unbreakable. They wield Metasploit, Burp Suite, custom scripts and a lot of creativity. They break things so others can fix them. Though they sometimes annoy the Good or irritate the Ugly, they are essential to completing the security cycle.

A circular paradox

The Good builds secure systems but can’t foresee everything. The Bad tests them, hunting for that 1% of human or technical error. The Ugly watches, documents, enforces and ensures that lessons aren’t forgotten. But it’s also true that without the Good, the Bad would only find ruins; without the Bad, the Good would live in false confidence; and without the Ugly, all they’d learn would be lost in the chaos of sprints. The paradox is that they need each other, challenge each other, complete each other. There is no security without design, validation and compliance. And no progress without accepting that the Bad may be right, and the Ugly – though annoying – protects what the Good builds.

The ERNI approach: When the three ride together

At ERNI, we don’t just tell this story; we live it. Our approach to cybersecurity integrates these three archetypes into our service model, aligning them with the real-world needs of our clients.

When our clients need robust, future-proof digital products, we bring in the Good: our secure software development teams, who apply best practices, from code reviews to threat modelling, ensuring that security is embedded from day one.

When compliance becomes critical, whether for healthcare, finance or public infrastructure, the Ugly steps in: our regulatory and governance experts guide organisations through the maze of legal and industrial requirements. They don’t just tick boxes; they design systems that are auditable, reliable and resilient.

And when clients want to challenge their assumptions and harden their defences, the Bad gets to work: our offensive security teams perform ethical hacking and red teaming, and simulate real-world threats to test limits and expose blind spots.

Each role is valuable on its own, but at ERNI, we understand their greatest power comes from their synergy. We tailor this trio to the maturity, needs and industry of each client – sometimes starting with the Ugly to build foundational trust, other times unleashing the Bad to map attack surfaces, or letting the Good lead a greenfield product with security baked in.

We believe that security isn’t just a feature – it’s a practice. And by embracing all three perspectives, we help organisations not only defend themselves but grow with confidence in a digital world that changes faster than a gunslinger’s draw.

Epilogue: A shootout avoided

In this story, there’s no final duel. The Good doesn’t shoot the Bad, nor does the Ugly slap on handcuffs. Instead, they work together: the Good codes with foresight, the Bad tests with cunning, and the Ugly writes the rules of the game.

The moral is simple: effective cybersecurity isn’t achieved by eliminating the Bad or ignoring the Ugly. It’s achieved when all three understand that the digital frontier can only thrive if they ride together. So, the next time you think about security, ask yourself: Where are your three outlaws? Because if one is missing, someone else might draw first.

Next episode: Into the frontier

This was just the opening scene. In the next articles, we’ll ride deeper into the territory of each of these three figures – exploring their tools, their mindset and their code of honour. We’ll see how the Good builds, how the Ugly governs and how the Bad breaks, all through real-world cases that bring their roles to life. Saddle up. The story’s just getting started.
