The Hostage System
The cursor blinks. It’s the only thing moving. A steady, indifferent pulse in the exact center of a login box that has decided you are no longer welcome. My password, all 23 characters of it, including the requisite special symbol and the capitalized third letter from my childhood pet’s middle name, is now void. It expired at midnight, apparently. Just like the smoke detector battery did last night at 2 AM, announcing its demise not with a final, noble silence, but with an infuriatingly spaced-out chirp designed to perfectly intersect with your deepest phase of sleep. The feeling is the same: a system designed to protect you is now actively holding you hostage.
I can’t reset the password without logging in. The irony is so thick I can feel it in my teeth. I have a deadline that was due 43 minutes ago, and the architecture diagram is sitting on the desktop of a machine that considers me a stranger. The system is working perfectly. It has successfully prevented an authorized user (me) from accessing it.
Security Theater: Locking the Empty House
This is what we call security. Or, more accurately, Security Theater. It’s a grand performance designed to convince people who don’t understand the script that everything is safe. We force employees through a labyrinth of password rotations every 33 days, MFA resets, and VPN clients that conflict with every third piece of software on their machines. We do this while the corporate S3 bucket, containing 3 terabytes of customer data, is configured for public read access because someone followed a three-year-old tutorial on Stack Overflow and never looked back.
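The public-read bucket above is the kind of defect that is trivial to check for and rarely checked. The following is an added example, not code from the original post: a small Python evaluator that reads an S3 bucket policy document and reports any Allow statement that grants read actions to an anonymous principal. The two policies it runs against are constructed samples (the account ID, role name and bucket name are placeholders), one open to the world the way the tutorial left it, one scoped to a single IAM role.

```python
import json
from fnmatch import fnmatchcase

# Constructed sample bucket policies (example data, not from any real account).
# The first is the "public read because someone followed an old tutorial" case;
# the second grants the same read to one IAM role instead of to everyone.
PUBLIC_READ_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicReadGetObject",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-customer-data/*",
    }],
})

RESTRICTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AppRoleReadOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-reader"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-customer-data/*",
    }],
})

# Actions that expose object contents or listings; wildcard patterns in the
# policy (s3:Get*, s3:*, *) are matched against these with fnmatch.
READ_ACTIONS = ("s3:getobject", "s3:listbucket")


def _as_list(value):
    """Policy fields may be a single value or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _principal_is_anonymous(principal):
    """True for the two spellings that mean "anyone": "*" and {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for v in principal.values() for p in _as_list(v))
    return False


def _grants_read(actions):
    """True if any action pattern in the statement covers a read action."""
    for pattern in _as_list(actions):
        for read in READ_ACTIONS:
            if fnmatchcase(read, pattern.lower()):
                return True
    return False


def public_read_statements(policy_json):
    """Return (Sid, has_condition) for every Allow statement readable by anyone.

    Simplification (assumption of this example): NotPrincipal, NotAction and
    Resource scoping are not evaluated. A statement carrying a Condition block
    is still reported, flagged True, because a condition such as aws:SourceVpce
    may narrow it and a human should review it rather than the script deciding.
    """
    policy = json.loads(policy_json)
    findings = []
    for index, statement in enumerate(_as_list(policy.get("Statement", []))):
        if statement.get("Effect") != "Allow":
            continue
        if not _principal_is_anonymous(statement.get("Principal")):
            continue
        if not _grants_read(statement.get("Action", [])):
            continue
        sid = statement.get("Sid", f"statement[{index}]")
        findings.append((sid, "Condition" in statement))
    return findings


if __name__ == "__main__":
    for name, policy in (("public", PUBLIC_READ_POLICY), ("restricted", RESTRICTED_POLICY)):
        print(name, public_read_statements(policy))
```

Run against the first policy it reports `PublicReadGetObject`; against the second it reports nothing. A check like this belongs in the pipeline that deploys the bucket, and the account-level S3 Block Public Access setting is the guardrail that makes the tutorial mistake fail at creation time rather than three years later.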
A Profound Miscalculation of Risk
This isn’t just incompetence; it’s a profound miscalculation of risk. The calculus is skewed. The organization believes the greatest threat comes from within, from the people it has already vetted, hired, and trusted with its mission. So it focuses all its defensive energy inward, creating friction and hostility for the very people trying to do their jobs. It’s a solution that looks for the problem it wants to solve, not the one that actually exists. The real threats (misconfigured cloud services, unpatched servers, sophisticated phishing campaigns) are often ignored because they aren’t as visible. You can’t put “updated our firewall rules” in a quarterly report and have it land with the same performative thud as “enforced 100% compliance on password complexity for 1,233 employees.” One is actual security; the other is a line item for an audit.
Beyond Protocols: The Power of Trust
I remember talking to a man named João C. He was a hospice musician. His job was to go into the rooms of people in their final days and play music. He carried a small, worn acoustic guitar. When I asked him about his ‘process,’ his ‘onboarding’ into these intensely private and sacred spaces, he just shrugged. He said, “They know I am there to help. I don’t need a key card. I just need to be present.”
His access was granted by trust, not by a protocol. He wasn’t a threat to be managed; he was a resource to be welcomed. He understood his mission was to reduce suffering, not add procedural friction. He’d play these simple, three-chord melodies that did more to calm a room than any complex symphony ever could. His work was the antithesis of corporate security: simple, effective, and entirely based on understanding the human context.
The Fortress That Trapped Its Builder
I wish I could say I always understood this. For years, I was part of the problem. I once designed a system for a small company that required a password change every 93 days, with a 13-character minimum and a block on re-using your last 23 passwords. I was proud of it. I presented charts on compliance. I felt like I was building a fortress. Then, during a critical outage, my own policies locked me out of the very server I needed to fix the problem. I was sitting there, sweating, waiting for a password reset email that never came because the email server was, of course, on the machine that was down. I had built the perfect trap and then walked right into it.
The Absurdity Crystallized
That was the moment the absurdity crystallized. My fortress was designed to keep me out, not the enemy. But here’s the contradiction I live with: I still use a ridiculously complex, randomly generated password for my personal banking. I change it irregularly, but it’s a monster. Why? Because the theater has worked on me, too. A part of my brain, the part that gets spooked by a strange noise at night, feels safer with this absurdly long string of gibberish. I criticize the system, and yet I participate in a version of it.
Building Like João: Simple, Secure, Enabling
We need to build systems more like João’s guitar and less like my old password policy. The focus should be on elegant, robust simplicity that enables people, not obstructs them. It’s about securing the perimeter: the actual perimeter, not the imaginary one between an employee and their laptop. It means monitoring for anomalous data exfiltration from your cloud storage, not tracking if someone’s password is a day past its arbitrary expiration date. It’s about giving developers tools that are secure by default, with clear, simple authentication methods. A secure WhatsApp API that relies on a single, well-protected key is infinitely better than a system that requires three logins and a blood sample but leaves a critical port open to the world. It’s security that serves the mission, rather than becoming a mission unto itself.
Comparison: High Friction, Low Security versus Trust-Based, High Security.
Activity vs. Achievement
We have to stop confusing activity with achievement. Running on a treadmill looks like you’re going somewhere, but you end up in the same spot. That’s what most internal security policies are: a frantic, exhausting sprint that leaves you exactly where you started, only now you’re tired and late for your deadline.
True Security is Quiet
True security is quiet, almost invisible.
It’s the wall you don’t notice, not the door that won’t open. It doesn’t chirp at you in the middle of the night. It just works, silently, so you can do the same.