Dexter’s Halloween Survival Code, for Security People Who Prefer Fewer Bodies


Who is Dexter?
Dexter Morgan is a fictional blood-spatter analyst for Miami Metro who moonlights as a vigilante killer. He follows a strict set of rules, “the Code,” to target only proven murderers and to avoid getting caught. Morally thorny, yes, but the interesting bit for us is the discipline. He survives by sticking to a code.

Every October we get the spooky metaphors, haunted firewalls and ghosted backups. Let’s take a sharper blade to it. Dexter’s “code” kept chaos contained. Flawed hero, tidy outcomes. You do not need to stalk the Miami nightlife to appreciate the lesson. Your organisation needs a survival code too, a simple set of rules that keeps ethics first, risk managed, and evidence neat enough for an auditor to smile. Think of it as Halloween housekeeping for GRC, information security, and business continuity.

The twist is this: Dexter’s code was not about the kill, it was about control. In business terms, it is not the cool new tool that matters, but the discipline that makes tools worth the money. This is SO Advent IM…

Why a code at all

Policies are intent. Controls are behaviours. Codes are habits you keep under pressure. When the alarms go off at 2am, when a supplier phones in a “small issue”, when your CFO asks why cyber insurance has exclusions, it is the code that tells people what to do next. The code must be short, memorable, and aligned with GRC. It should bake continuity into daily operations, not sit in a glass box labelled “break only during ransomware”.

The Dexter-ish Survival Code for GRC, InfoSec and Continuity

Use these as headings on a wall, on a runbook, or in the front of your BC plan. Keep them human. Keep them real.

  1. Know your target, then verify
    Work with evidence, not vibes. Asset inventories up to date. Data maps that show flows and sensitivity. Third parties risk-assessed before they touch anything important. Verification is the difference between a hunch and a defensible decision.
  2. Never act without a plan
    Change control, incident playbooks, tabletop exercises. Do not improvise controls mid-breach. Pre-authorise decisions such as isolating a segment, pulling the internet link, engaging legal counsel, informing the regulator. Plans turn panic into choreography.
  3. Limit collateral, contain quickly
    Network segmentation, least privilege, MFA everywhere that counts, privileged access managed like uranium. If something does go wrong, you want the smallest possible blast radius and clean lines for forensics and recovery.
  4. Leave a clean room, document everything
    Evidence matters. Tickets, logs, timelines, call notes, decisions with rationale. During and after an incident, your best defence is a tidy trail. Auditors like order, regulators like honesty, insurers like proof.
  5. Follow the rules you wrote
    Policies that are pretty but unused are horror props. Align practice with policy, then prune anything ornamental. If a rule exists, enforce it. If you cannot enforce it, rewrite it. Compliance is not theatre, it is muscle memory.
  6. Pick the right targets for controls
    Not every risk is a monster. Prioritise crown jewels. If a control does not reduce the likelihood or the impact on something material, it is costume jewellery. Tie every control to a risk and a business objective.
  7. Do not work alone
    Buddy checks, four-eyes on sensitive changes, comms with legal, HR and PR. Security is a team sport. Even Dexter had a lab. Build your internal relationships before you need them.
  8. Respect the innocent, design for people
    Security that trips up users creates workarounds. Reduce friction where you can. Support whistleblowing and near-miss reporting without blame. Train in context, little and often. Culture is the control that powers all other controls.
  9. Keep your tools sharp, but simple
    Patch, retire, consolidate. Fancy kit rusts fast without care. Prefer automation that fits into your processes over gadgets that need their own babysitter. Simpler estates recover faster.
  10. Always have an exit
    Backups tested for restore, not just for presence. Contracts with right-to-audit and termination clauses that let you leave a bad supplier. Crisis comms templates that cover customers, regulators, and the board. Recovery paths should be boring, not cinematic.

How the code flows through GRC into continuity

GRC provides the spine. Governance gives roles and authority. Risk shows where the danger sits and how to treat it. Compliance anchors you to laws, standards and contracts. Business continuity is where it all proves out, the practical “keep going” engine that starts when something hits your fan of choice. If your code is alive inside governance and risk, your continuity plan is already halfway done.

Picture a supplier compromise. Governance has delegated authority to the incident lead, pre-approved playbooks exist, risk has highlighted the supplier as high impact, compliance requirements define who must be told and when. Continuity kicks in to reroute processes, bring up alternates, and keep cashflow moving while you contain and clean. No panic, no improvisation. Just the code, executed.

A Halloween check-up, five quick scenes

Scene 1, the lab.
Can you produce an asset register, data inventory, and third-party list that match reality within the hour, complete with owners, sensitivity, and recovery time objectives? If not, start here.
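One way to run the Scene 1 check on a schedule rather than by hand. This is an added example, not Advent IM’s own tooling: it reconciles a constructed asset-register export against a constructed discovery-scan result and reports the three gaps the scene asks about, assets on the network that nobody registered, register entries no scan has seen (stale), and entries that lack an owner, a sensitivity rating, or an RTO. The host names, field names and the `REQUIRED` tuple are assumptions; map them onto whatever your CMDB and scanner actually export.

```python
"""Asset register reconciliation (added example, not Advent IM's own code).

Compares what the register claims against what a discovery scan observed
and reports unregistered, stale and incomplete entries. All data is constructed.
"""
from dataclasses import dataclass, field

# Constructed sample: what the asset register claims.
REGISTER = [
    {"host": "fin-db-01", "owner": "finance-it", "sensitivity": "high", "rto_hours": 4},
    {"host": "hr-app-01", "owner": "", "sensitivity": "high", "rto_hours": 8},
    {"host": "old-ftp-01", "owner": "infra", "sensitivity": "", "rto_hours": None},
    {"host": "web-01", "owner": "platform", "sensitivity": "medium", "rto_hours": 2},
]

# Constructed sample: host names a discovery scan actually observed.
DISCOVERED = ["fin-db-01", "hr-app-01", "web-01", "shadow-wiki-01"]

# Fields every register entry must carry before it counts as "matching reality".
REQUIRED = ("owner", "sensitivity", "rto_hours")


@dataclass
class Findings:
    unregistered: list = field(default_factory=list)  # seen on the network, not in the register
    stale: list = field(default_factory=list)         # in the register, not seen by the scan
    incomplete: dict = field(default_factory=dict)    # host -> list of missing required fields

    def is_clean(self) -> bool:
        return not (self.unregistered or self.stale or self.incomplete)


def reconcile(register, discovered) -> Findings:
    """Return the gaps between the register and the scan."""
    findings = Findings()
    registered_hosts = {entry["host"] for entry in register}
    seen = set(discovered)
    findings.unregistered = sorted(seen - registered_hosts)
    findings.stale = sorted(registered_hosts - seen)
    for entry in register:
        # Empty string or None means the field was never filled in; 0 is a valid RTO.
        missing = [key for key in REQUIRED if entry.get(key) in ("", None)]
        if missing:
            findings.incomplete[entry["host"]] = missing
    return findings


if __name__ == "__main__":
    result = reconcile(REGISTER, DISCOVERED)
    print("unregistered:", result.unregistered)
    print("stale:", result.stale)
    print("incomplete:", result.incomplete)
    print("clean:", result.is_clean())
```

Wire the two inputs to real exports and fail the job when `is_clean()` is false; the findings list is then the work queue for owners, not a report that sits in a drawer.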

Scene 2, the plastic sheeting.
Could you isolate a compromised endpoint, segment, or supplier link in minutes, then prove it? Test the control without breaking the business. If it takes a change board to pull a cable, your code is wordy, not real.

Scene 3, the dark passenger known as legacy.
Identify a single legacy system that gains you more risk than value. Put a retirement plan on it. Set a date. Mean it.

Scene 4, the calm phone call.
Draft one page of incident comms per audience, customers, employees, regulator, board. Use plain language, state facts, commit to updates, avoid speculation. Store it where people will actually find it at 2am.

Scene 5, the clean exit.
Restore a backup of a critical service into a quarantined environment. Time it. Document the steps you actually took, not the ones you imagined. If you cannot restore, you do not have a backup, you have a false sense of security in a cape.
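The Scene 5 drill, scripted so that the timing and the steps taken are recorded automatically rather than remembered afterwards. This is an added example, not Advent IM’s own code: it builds a constructed backup of a pretend critical service, restores it into a quarantined temporary directory, times the restore, checks every restored file against a SHA-256 manifest, and returns the record you would file. The service layout, file names and the `tamper` switch (which simulates a backup that no longer matches its manifest) are assumptions for the demonstration.

```python
"""Backup restore drill (added example, not Advent IM's own code).

Restores a constructed backup into a quarantined directory, times it, verifies
hashes against a manifest and records the steps actually executed.
"""
import hashlib
import os
import tarfile
import tempfile
import time
from pathlib import Path


def sha256_of(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def make_backup(src: Path, archive: Path) -> dict:
    """Archive src and return a manifest of relative path -> sha256 (the 'production' backup)."""
    manifest = {}
    with tarfile.open(archive, "w:gz") as tar:
        for path in sorted(src.rglob("*")):
            if path.is_file():
                rel = path.relative_to(src).as_posix()
                manifest[rel] = sha256_of(path)
                tar.add(path, arcname=rel)
    return manifest


def restore_drill(archive: Path, manifest: dict, quarantine: Path) -> dict:
    """Restore into quarantine, time it, verify every file, return the drill record."""
    steps = []
    started = time.perf_counter()
    quarantine.mkdir(parents=True, exist_ok=True)
    steps.append(f"created quarantine directory {quarantine.name}")
    with tarfile.open(archive, "r:gz") as tar:
        # Refuse members that would write outside the quarantine; use the stdlib
        # 'data' filter where this Python version provides it.
        for member in tar.getmembers():
            if not member.isfile() or member.name.startswith("/") or ".." in Path(member.name).parts:
                raise ValueError(f"refusing unsafe archive member: {member.name}")
        extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tar.extractall(quarantine, **extra)
    steps.append(f"extracted {archive.name} into quarantine")
    mismatches = [rel for rel, expected in manifest.items()
                  if not (quarantine / rel).is_file() or sha256_of(quarantine / rel) != expected]
    steps.append(f"verified {len(manifest)} files against manifest, {len(mismatches)} mismatches")
    elapsed = time.perf_counter() - started
    return {"restored_ok": not mismatches, "mismatches": mismatches,
            "files": len(manifest), "seconds": round(elapsed, 3), "steps": steps}


def run_drill(tamper: bool = False) -> dict:
    """End-to-end drill on constructed data; tamper=True simulates a corrupted backup."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src = root / "service"
        (src / "conf").mkdir(parents=True)
        (src / "conf" / "app.ini").write_text("[db]\nhost=fin-db-01\n")  # constructed config
        (src / "data.db").write_bytes(os.urandom(4096))                 # constructed data file
        archive = root / "service-backup.tar.gz"
        manifest = make_backup(src, archive)
        if tamper:
            manifest["data.db"] = "0" * 64  # manifest no longer matches what was backed up
        return restore_drill(archive, manifest, root / "quarantine")


if __name__ == "__main__":
    record = run_drill()
    print(record["restored_ok"], record["seconds"], "s")
    for step in record["steps"]:
        print(" -", step)
```

The `steps` list is the point: it is the record of what was actually done, written by the process that did it, and the `restored_ok` flag is what separates a backup from a false sense of security.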

Where organisations drift off the code

  • Policy sprawl. Too many documents, not enough behaviour. Consolidate into a simple hierarchy, from board principles to control standards to procedures.
  • Unowned risks. Risks sit in a register like ghosts at a party. Assign owners who have budget and authority, set review dates, track treatments to completion.
  • Supplier happy path. Contracts assume sunshine. Add security schedules, right-to-audit, data handling, onward sub-processor rules, and explicit breach notification timing.
  • Testing by PowerPoint. Tabletop only is not enough. Rehearse the hard bits. Restore a database. Fail over a workload. Call the duty press officer on a Sunday and time how long it takes to reach them.
  • Culture of quiet. People hide mistakes. Replace blame with consequence that targets systems, not scapegoats. Reward early reporting.

Turn the code into action this week

  • Write your ten rules on one page, in words your finance team would recognise.
  • Map one control to each rule, then pick a related test you can run in the next fortnight.
  • Choose one supplier and run a light assurance check covering policy, technical controls, and continuity. Close at least one gap you find.
  • Run a micro exercise, 45 minutes, “supplier billing platform is encrypted, accounts payable blocked”. Invite finance, comms, IT, legal. Use the code as your compass and see where it bends.

No dry ice required…

Dexter’s code worked because it was consistent, simple, and never forgot the point. Your survival code should do the same, keep people safe, keep the business legal and resilient, and keep the lights on when someone else’s nightmare spills into your week. You will know the code is alive when staff can quote it, when decisions match it without a meeting, and when a bad day becomes an ordinary recovery story rather than a Halloween special.

Written by Ellie Hurst, Commercial Director.
