There was a magazine. Small publication, sold at bookstores — not exactly a mainstream title you’d stumble across at the airport. It was called 2600. Named after a frequency. And if you knew what that meant, you already knew what the magazine was about.
I picked it up at a bookstore sometime in the earlier part of my career. I want to be honest with you about what happened next: I understood almost none of it.
The language was foreign. The concepts were opaque. I put it back on the shelf, thought about it for a week, went back and bought it, took it home, and read it cover to cover without retaining much of anything useful. And then I went back and bought the next one.
I wasn’t doing this because I wanted to be a hacker. I was doing it because of a belief that has driven every security decision I’ve made since: you cannot protect against what you don’t understand.
So I kept going back. And slowly, over time, the language started to make sense.
The Revelation
At some point — I couldn’t tell you exactly when — I read something that changed the way I thought about cybersecurity permanently.
It was about script kiddies.
If you’re not familiar with the term, a script kiddie was the name given to the lowest tier of hacker. Not someone with deep technical knowledge. Not the guy in the hoodie spending sixteen hours probing your defenses looking for a custom vulnerability. A script kiddie was someone — often young, often with no real understanding of what they were doing — who took a script written by an actual hacker and just ran it. The script did the work. The kid just pushed the button.
Here’s why that hit me so hard.
If scripts like that existed and were being passed around and used by people who didn’t even understand what they were doing — that meant there was enough low-hanging fruit in the world to make it worthwhile. It meant a hacker could write a script that did a few simple things, over and over, and reliably find systems that hadn’t been patched, ports that hadn’t been closed, doors that had been left open because nobody thought anyone would try them.
The mental image I’d carried of a sophisticated attacker spending hours on my specific network evaporated. In its place: a 14-year-old, on mom’s recipe computer, running a script they found online, hitting paydirt because someone forgot to apply a patch.
That changed everything about how I prioritize security work. Protect against the lowest common denominator first. Apply your patches. Close the obvious ports on your firewall. Lock the front door before you start worrying about the window on the third floor. The basics, done consistently, stop an enormous percentage of attacks before they start — because an enormous percentage of attacks are being run by people who will simply move on to the next unlocked door when yours doesn’t open.
The sophisticated attacker is real. But the 14-year-old with a script is more common, and the 14-year-old with a script is also looking for exactly the things you forgot to fix.
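"Close the obvious ports" starts with knowing what is actually listening on every interface, which is exactly what a scan-and-run script enumerates first. The following is an added example, not code from the original post: it parses the output of `ss -tuln` on Linux, reports sockets bound to a wildcard address, and compares them against the ports you meant to expose. The sample `ss` output and the allow list are constructed for illustration.

```python
"""Audit listening sockets bound to every interface (added example, not from the post)."""

# Local-address forms ss prints for "bound on all interfaces".
WILDCARDS = {"0.0.0.0", "*", "[::]", "::"}

# Constructed sample of `ss -tuln` output; real output has the same columns.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
tcp   LISTEN 0      128    127.0.0.1:5432      0.0.0.0:*
tcp   LISTEN 0      511    *:80                *:*
tcp   LISTEN 0      128    [::]:22             [::]:*
tcp   LISTEN 0      4096   0.0.0.0:9200        0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:123         0.0.0.0:*
udp   UNCONN 0      0      127.0.0.54:53       0.0.0.0:*
"""


def split_addr(local: str):
    """Split 'host:port' (IPv6 hosts are bracketed) into (host, port)."""
    host, _, port = local.rpartition(":")
    return host, int(port)


def exposed_listeners(ss_output: str):
    """Return sorted (proto, port, host) tuples for sockets bound to a wildcard address.

    Loopback-only services (127.0.0.1:5432, 127.0.0.54:53 in the sample) are
    not reachable from the network and are therefore skipped.
    """
    exposed = set()
    for line in ss_output.splitlines()[1:]:  # skip the header row
        parts = line.split()
        if len(parts) < 5:
            continue
        proto, state, _recvq, _sendq, local = parts[:5]
        if proto == "tcp" and state != "LISTEN":
            continue  # only listening TCP sockets accept connections
        host, port = split_addr(local)
        if host in WILDCARDS:
            exposed.add((proto, port, host))
    return sorted(exposed)


def unexpected_listeners(ss_output: str, allowed):
    """(proto, port) pairs exposed on all interfaces that are not in the allow list.

    `allowed` is the set of (proto, port) pairs you intended to expose; anything
    else is a candidate to close, firewall, or bind to loopback.
    """
    found = {(proto, port) for proto, port, _host in exposed_listeners(ss_output)}
    return sorted(found - set(allowed))


if __name__ == "__main__":
    # Assumed allow list: SSH and HTTP are the only intended public services.
    allowed = {("tcp", 22), ("tcp", 80)}
    for proto, port in unexpected_listeners(SAMPLE_SS_OUTPUT, allowed):
        print(f"unexpected {proto}/{port} bound to all interfaces")
```

Run it against the output of `ss -tuln` on a real host and the unexpected list is the starting point for the firewall rule or bind-address change; in the sample, the search index on 9200/tcp and NTP on 123/udp are the forgotten doors.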
The Word That Puts People to Sleep
Say the word “cybersecurity” in a room full of non-technical people and watch what happens. Eyes glaze. Attention drifts. Heads begin a slow journey toward chests before you’ve finished the final syllable.
I understand why. The word sounds like homework. The topic sounds like something that happens to other organizations. The training videos sound like they were written by a compliance committee and narrated by someone who has never had a conversation with an actual human being.
And yet the stakes couldn’t be higher.
A yearly cybersecurity meeting packed with genuinely useful information is completely worthless if everyone in the room is mentally somewhere else by minute four. The information didn’t land. Nothing changed. The organization is exactly as vulnerable as it was before the meeting, except now there’s a checkbox that says training was completed.
This is why I write the way I do. Breach stories. Real incidents. Things that actually happened to actual organizations, told in a way that makes you feel the weight of it — and then connects it to something you can actually do differently tomorrow. Not because I’m trying to entertain anyone, but because information that doesn’t land is not information. It’s noise.
The casino that got breached through its lobby fish tank thermometer is a story about IoT security that people remember. The Zoom executive passing call data to foreign intelligence is a story about platform trust that people remember. The 14-year-old on mom’s recipe computer is a story about patch management that people remember.
If you remember it, there’s a chance it changes how you behave. That’s the whole game.
Two Wrong Answers and What Happened
At the robot company — the one I wrote about in Time Is Brain — we didn’t have a dedicated security team. What we had was me, and the fact that our customers were in healthcare, which meant HIPAA, which meant their security teams wanted to talk to our security team.
So I became the security team.
I am not complaining. Those conversations, as uncomfortable as some of them were, made me better. These were people whose job was to find flaws, and they found them. Real ones. And the good ones — the ones worth their salaries — didn’t just flag the issue and move on. They explained it in a way that helped me understand not just the specific vulnerability, but the underlying principle I could apply across the entire infrastructure.
Eventually we decided to hire an actual security person. I was involved in the interviews. And what I discovered, talking to candidate after candidate, was that the security world seemed to have produced two schools of thought, and I didn’t agree with either of them.
The first school: every vulnerability must be fixed. Every single one, regardless of severity, location, or business impact. No exceptions. Nothing ships until the list is clean.
The second school: we just need to stay ahead of the hackers. Don’t worry too much about specifics — just keep moving faster than the threat.
What I believe is neither of those things.
I believe you fix the critical vulnerabilities and the important ones. I believe you prioritize anything public-facing, because that’s where the script kiddie and his script are going to show up first. I believe internal network vulnerabilities also matter — because users make mistakes, and occasionally users are bad actors — but I believe they get triaged against everything else rather than treated as equal to a public-facing critical.
And I believe, above all, that security exists to enable the business. Not to protect the security team from criticism. Not to demonstrate thoroughness. To enable the business to operate safely and effectively. If a security decision makes the organization less agile for minimal actual security gain, it probably shouldn’t exist.
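The triage rule in the two paragraphs above can be written down so that it is applied the same way every time rather than re-argued per ticket. The following is an added example and not code from the original post or the company described in it: it ranks findings by severity, weights public-facing exposure above internal exposure, and separates a must-fix list from a backlog. The severity labels, the weights, and the sample findings are assumptions chosen for illustration.

```python
"""Vulnerability triage that puts exposure before raw severity (added example)."""
from dataclasses import dataclass

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}

# Assumed weights: public-facing is where an automated scan shows up first,
# so it counts three times as much as an internal finding of the same severity.
EXPOSURE_WEIGHT = {"public": 3.0, "internal": 1.0}
KNOWN_EXPLOIT_BONUS = 2.0  # a ready-made script exists; the kid only pushes the button


@dataclass(frozen=True)
class Finding:
    host: str
    title: str
    severity: str        # key of SEVERITY_RANK
    exposure: str        # "public" or "internal"
    known_exploit: bool  # public exploit code or active scanning reported


def score(f: Finding) -> float:
    """Higher means fix sooner."""
    s = SEVERITY_RANK[f.severity] * EXPOSURE_WEIGHT[f.exposure]
    if f.known_exploit:
        s += KNOWN_EXPLOIT_BONUS
    return s


def must_fix(f: Finding) -> bool:
    """Non-negotiable: any critical or high, or anything public-facing with a known exploit."""
    return (SEVERITY_RANK[f.severity] >= SEVERITY_RANK["high"]
            or (f.exposure == "public" and f.known_exploit))


def triage(findings):
    """Return (fix_now, backlog), each ordered highest score first.

    Internal findings still get ranked (users make mistakes, some are bad actors),
    but they are triaged against everything else instead of being treated as
    equal to a public-facing critical.
    """
    ordered = sorted(findings, key=score, reverse=True)
    fix_now = [f for f in ordered if must_fix(f)]
    backlog = [f for f in ordered if not must_fix(f)]
    return fix_now, backlog


# Constructed sample findings, not from any real assessment.
SAMPLE_FINDINGS = [
    Finding("api-gw", "unauthenticated RCE in edge service", "critical", "public", True),
    Finding("hr-db", "outdated database engine", "critical", "internal", False),
    Finding("www", "reflected XSS on login page", "medium", "public", True),
    Finding("build-01", "verbose error pages", "low", "internal", False),
    Finding("vpn", "weak TLS cipher suites", "high", "public", False),
    Finding("wiki", "missing security headers", "medium", "internal", False),
]


if __name__ == "__main__":
    fix_now, backlog = triage(SAMPLE_FINDINGS)
    for f in fix_now:
        print(f"FIX NOW {score(f):5.1f}  {f.host:9} {f.title}")
    for f in backlog:
        print(f"BACKLOG {score(f):5.1f}  {f.host:9} {f.title}")
```

Note what the weights produce: a public-facing medium with a known exploit (score 8) lands above an internal critical (score 4), which is the point of prioritizing the door the script kiddie will try first, while the internal critical still sits on the must-fix list rather than being ignored.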
We hired the first kind of person. The one who believed everything needed to be fixed before we could ship.
What happened was predictable in retrospect. The list never got shorter. The priorities weren’t clear. Months passed. The leadership team, facing real deadlines and real customer commitments, started quietly ignoring his guidance. And a security person whose guidance gets ignored is not a security person — they’re an overhead line item with strong opinions.
He became ineffective. Not because he was wrong that vulnerabilities needed fixing. Because he never learned that security without business context is just friction.
The Dish Under the Drip
I want to tell you about some things I have seen with my own eyes in my career. Not because I’m trying to alarm you, but because physical reality has a way of clarifying the conversation in ways that no compliance framework can.
I have walked into a hospital server room and found a UPS — an uninterruptible power supply, the device keeping critical systems running during a power outage — sitting directly under a leaking sprinkler pipe. Someone had placed a dish on top of it to catch the drips.
Someone looked at that situation and thought: dish. That’ll do it.
I have found network infrastructure — the switch and router that the entire business ran on — installed under a house. Not in a basement. Under the structure. Because it was a business and someone needed to put it somewhere.
I have found a server living in the lunch room. Not in a closet adjacent to the lunch room. In the lunch room itself. Sharing space with the microwave and whatever was left over from the birthday celebration last Friday.
I have found a server under the desk of a parking garage security guard, who was sitting directly above it with a cup of coffee.
I tell you these things not to make fun of the people who made these decisions. They made the best decisions they could with the knowledge and resources they had. I tell you these things because they are not unusual. I have seen versions of them everywhere I have worked. And they represent a category of security risk that no amount of software patching addresses — the basic physical and environmental vulnerabilities that exist because nobody ever stopped to ask whether the setup made sense.
The Bigger Picture Nobody Wants to Look At
Over a decade working in government contracting gives you a perspective that’s hard to unsee.
The regulatory frameworks — HIPAA, SOC 2, CMMC, FedRAMP — have done meaningful work pushing SaaS companies and developers to take security seriously. To protect PII. To encrypt data in transit and at rest. To build privacy and security into products rather than bolting it on afterward. That matters. People’s personal data deserves protection.
But.
The most significant threats to our collective security — the ones that don’t affect your credit score but could affect whether your tap water is safe to drink, whether the lights stay on, whether the infrastructure that modern life depends on keeps functioning — those threats are largely sitting unmitigated in quiet rooms that most people have never thought about.
Under a dam. In the back room of a water treatment plant. In a closet at a petroleum distillation facility.
Operational technology. Industrial control systems. Infrastructure that was designed and installed decades before anyone was thinking seriously about cybersecurity, that runs on software that can’t easily be patched, that controls physical processes with real-world consequences that make a data breach look minor.
The dish under the drip, scaled up to national infrastructure.
We have much work to do. The compliance frameworks are pointed largely in the right direction, but they are not pointed at the biggest targets. And the biggest targets are not abstractions — they are physical places, running aging systems, connected to networks in ways that were never designed with security in mind.
I don’t say this to be alarmist. I say it because awareness is the first step, and most people — including most people in security — aren’t thinking about this.
What I Actually Believe
Security is not a department. It’s not a compliance checkbox. It’s not the person who says no to everything, or the annual training that puts the entire staff to sleep, or the vulnerability list that never gets shorter.
Security is the practice of understanding the threat well enough to defend against it intelligently — prioritizing the things that matter, enabling the business to move, and making sure the people around you understand why any of it matters in the first place.
I believe you protect against the lowest common denominator first, because the lowest common denominator is more common than anyone wants to admit.
I believe security only works when people understand it, which means the job of communicating it is just as important as the job of implementing it.
I believe the line between security and agility is real, and finding it is the actual work — not hiding behind an endless vulnerability list and calling it thoroughness.
I believe the physical world matters as much as the digital one, and that a dish catching drips over a UPS is a security problem even though it doesn’t show up in any scan.
And I believe the biggest threats we face as a society aren’t in anyone’s compliance framework yet. Which means the people who understand them have a responsibility to keep saying so, clearly, and in terms that people can actually absorb.
It’s everywhere, and it’s what I aim to fix — at this point, with my words.