The Illusion of the Bolt: When Security Rituals Kill Actual Safety

When process replaces purpose, the most visible controls become the greatest blind spots.

The ballpoint pen drags across the back of a faded receipt, leaving a jagged, dying line of blue ink. I toss it toward the bin, the 15th one today that’s given up the ghost, and reach for another. There’s a pile of them on my desk, a graveyard of cheap plastic. I’m testing every single one because I have exactly 25 minutes before the next shift starts and I refuse to be caught without a working tool when I’m out on the north wall. People think graffiti removal is just about the chemicals, but it’s mostly about the preparation. If you don’t have the right pressure, or the right ink-solvent ratio, you’re just smearing the mess into the pores of the brick, making it permanent. It’s a lot like the prompt currently blinking on my monitor.

Ritual (Sign): visible compliance effort. vs. Security (Coating): actual defense layer.

‘Your password expired 5 days ago. Please create a new one.’ I stare at the cursor. This will be my 5th password change this year. I already know what it’s going to be. It will be the name of my favorite solvent, followed by the current month, an exclamation point, and a number that is one digit higher than the last one. I’ll write it on the edge of the receipt I just used to test the pens, and then I’ll tuck that receipt under the corner of my keyboard. I’m not the only one. If I walked through the main office right now and lifted 85 percent of the keyboards, I’d find a secret library of sticky notes. We are all participating in a grand, collective performance. We are all actors in a play called ‘The Secure Enterprise,’ and none of us believe in the script.

Security Theater and Literal Rot

This is security theater at its most intimate level. It’s the enforcement of highly visible, low-impact rituals that exist primarily to provide a feeling of safety, or to satisfy a compliance auditor who hasn’t actually touched a server in 15 years. We focus on the user’s password because it’s easy to measure and easy to mandate. It creates a paper trail of ‘action.’ But meanwhile, in the basement of our digital infrastructure, the literal back door is propped open with a proverbial brick.

1,255 client records exposed (no password requirement from internal IPs).

I found out last week that our production database, the one holding the records for 1,255 clients, doesn’t even have a password requirement for internal IP addresses. Anyone on the local network can just… look. But god forbid I don’t change my desktop login every 35 days. There is a specific kind of exhaustion that comes from being forced to care about things that don’t matter while the things that do matter are left to rot.
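One way to catch the misconfiguration described above (a database that accepts connections from internal addresses with no password at all) is to audit the access rules directly rather than the users. The example below is added here and is not from the original essay; it assumes the database is PostgreSQL, whose pg_hba.conf declares an authentication method per source network, and it runs over a constructed sample file.

```python
import ipaddress
from typing import Dict, List

# Constructed sample pg_hba.conf (not taken from the page). The 10.0.0.0/8
# "trust" rule reproduces the essay's "no password requirement from internal IPs".
SAMPLE_PG_HBA = """\
# TYPE   DATABASE  USER  ADDRESS         METHOD
local    all       all                   peer
host     all       all   127.0.0.1/32    scram-sha-256
host     all       all   10.0.0.0/8      trust
host     prod      app   10.20.0.0/16    md5
hostssl  all       all   0.0.0.0/0       scram-sha-256
"""

# "trust" performs no authentication; "password" sends the password in cleartext.
WEAK_METHODS = {"trust", "password"}


def parse_pg_hba(text: str) -> List[Dict[str, str]]:
    """Parse the TYPE/DATABASE/USER/ADDRESS/METHOD columns; options are ignored."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if parts[0] == "local" and len(parts) >= 4:  # Unix-socket rules have no ADDRESS
            rules.append({"type": "local", "database": parts[1], "user": parts[2],
                          "address": "", "method": parts[3]})
        elif parts[0] != "local" and len(parts) >= 5:
            rules.append({"type": parts[0], "database": parts[1], "user": parts[2],
                          "address": parts[3], "method": parts[4]})
    return rules


def is_loopback(address: str) -> bool:
    """True only for an explicit loopback CIDR; 'all', 'samenet', hostnames count as remote."""
    try:
        return ipaddress.ip_network(address, strict=False).is_loopback
    except ValueError:
        return False


def find_unauthenticated_remote(rules: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return TCP rules that let non-loopback networks in without a real password check."""
    return [r for r in rules
            if r["type"] != "local"
            and r["method"].lower() in WEAK_METHODS
            and not is_loopback(r["address"])]
```

Each returned rule is one line to change to scram-sha-256 (or to delete), and a scheduled run of this audit over the live file is a far better use of 35 days than another forced password rotation.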

The Equipment That Injures

I was so focused on wearing my heavy-duty respirator and my safety goggles, the ‘theater’ of personal protection that my boss insisted on, that I didn’t notice the wind had shifted. I was spraying a caustic mix… Because the goggles were fogging up… I pushed them up for just 5 seconds. In those 5 seconds, a gust caught the spray and sent a mist of industrial-strength acid right into my eyes. The equipment I was forced to wear actually created the condition that led to the injury.

It’s a perfect metaphor for corporate IT. We force users into such complex, arbitrary security behaviors that they inevitably create their own vulnerabilities just to stay productive. We need to stop treating security as a checklist and start treating it as an architectural reality.

The Underlying Bones

If one person’s weak password can bring down the entire network, the problem isn’t the password; it’s the network. We should be talking about zero-trust environments, network segmentation, and hardware-level encryption rather than debating whether a password should be 15 or 25 characters long.

When you work with organizations like Fourplex, you start to realize that real security is often invisible. It’s not a blinking light or a mandatory popup. It’s the way the pipes are laid. It’s the way the traffic is routed before it ever reaches the user. It’s the difference between a wall that has a ‘Keep Out’ sign and a wall that is literally impossible to climb. One relies on the cooperation of the intruder; the other relies on physics.

The artist spent $555 on the paint but zero on the finish. They relied on the ‘security’ of the neighborhood’s respect. That’s theater. That’s a vulnerability. In the digital world, we build beautiful applications and then we wrap them in a layer of ‘Please Change Your Password’ and hope for the best.

There’s a strange comfort in the ritual, though. It feels like a prayer. If we just say the right words and click the right boxes, the bad thing won’t happen. But the bad thing doesn’t care about our prayers. The bad thing is looking for the path of least resistance. If you make the front door 105 percent harder to open but leave the window unlatched, the intruder isn’t going to stand at the door and complain about your password policy. They’re just going to climb through the window while you’re busy updating your multi-factor authentication settings for the 5th time this morning.

Cynicism is the Real Threat

25 logins, then user fatigue, then a workaround created.

When we treat people as the primary line of defense, we are setting them up for failure. Humans are social creatures who like to help, who get tired, and who have to remember 25 different logins for 25 different systems that don’t talk to each other. This cynicism is the real ‘insider threat.’ A cynical employee is an employee who doesn’t report a suspicious email because they assume the IT department is just going to give them more work to do.

I think about the smell of the citrus solvent I use. It’s pleasant, almost sweet. It masks the fact that it’s eating through layers of grime and paint. Security theater is the citrus smell. It makes the environment feel clean and managed. But underneath that smell, the structural decay is still happening. We are so busy smelling the lemons that we don’t notice the building is leaning 5 degrees to the left.

It’s easier to just keep buying new pens and testing them on the backs of receipts. We have to be willing to admit that our current models of compliance are often just expensive ways to be wrong.

I finally found a pen that works. It’s a black gel ink, smooth and reliable. I use it to write my new password: ‘SolventJune!5’. I tape it to the underside of my desk, right next to the one from May. I know it’s wrong. I know it’s a vulnerability. But I have 15 walls to clean before the sun goes down, and I don’t have the energy to fight the theater today. I’ll just keep playing my part, waiting for the day the stage finally collapses under its own weight.

If we want to actually be secure, we have to stop looking at the actors and start looking at the stage. Are we building a fortress, or are we just painting a picture of one?

The tags will still be there in the morning, and the ghost of the breach will be carved into the stone.