The Grass Is Always Grayer
A friend of mine once shared with me a saying from where he's from: "If the grass suddenly changed color, a lot of people would starve to death." It's kind of nasty in the sense that this saying is calling everyone some kind of herbivore, presumably a donkey. However, if you can get past that, the underlying message is not that everyone's a donkey. The message is something like "just because the grass changed color, it didn't stop being grass," and you can extrapolate that to "you need to be able to look past the obvious, have some awareness, and practice critical thinking if you want to be a functional human being." Like, you gotta think about shit.
We see this happening every day as cybersecurity professionals. Practices and processes and activities that are performed not because they deliver better security outcomes, but because people assume they do. And they don't. A lot of smart people have detected this issue, and it is generally agreed that a lot of "best practices" are just bullshit. Yet, here we are. Still doing a bunch of nonsensical things just because.
Ridiculous password requirements. Five layers of authentication to reach inconsequential services. High-Medium-Low risk assessments based on absolutely nothing. Incident response tabletop exercises that don't exercise anything. Phishing campaigns that just condition people to click "report phishing" every time they receive an email. That shit's inefficient. And dumb. And annoying.
I would not be complaining about things being inefficient, and dumb, and annoying if there were no way around it. Some processes are inherently inefficient, and people spend their whole careers trying to squeeze a fraction of a percentage point more out of them. This is not that. We do things that are inefficient, and dumb, and annoying even though we know how to do them in ways that are not. We really do. When we want to, that is.
We waste an enormous amount of time, resources, brain power, bandwidth, CPU cycles, etc. just doing shit for the sake of doing shit. This is such a cliché that we literally sell a sticker that says "extremely vexed by busywork". Let me rephrase that: we have that sticker available for purchase. We don't actually sell a lot of those. Be that as it may, the never ending quest to look busy deals a lot of psychic damage. It is exhausting.
Just the other day I was tasked with creating a presentation about something that's been documented, discussed, and dissected to death and back already. If you need to know this thing, you probably already know every single thing I'm going to put in this presentation. If you don't need to know this thing, you should not be wasting your time. If you want to learn this thing just for shits and giggles, a) why?, and b) there are much better sources out there that you don't have to pay to access. I'm making a "product" that very few people need, and those who do need it already have it. So I drag my feet, deliver whatever garbage, and get thrown in a PIP.
Sure, delivering garbage is not ideal, but if you want to PIP me, you better PIP the big brain who made me spend all this time doing something that's already been done a million times just because they cannot think beyond some variation of "I've always done this." Apologies for the lack of specifics, but this is something like hiring someone who's not an engineer to help you with a project that will be handed over to an actual engineer. Anyone with a functioning brain would just look at this proposition and say "Why don't I cut the middle-man, and go straight to the actual engineer instead?" Exactly.
The lack of imagination is astounding, and that's why cybersecurity is in the state it is right now. Everyone who needs to deal with cybersecurity sighs and groans before even engaging because they just know there will be some nonsense policy or procedure or "best practice" that is for show. It's one thing to make a process more complicated for a good reason, but it's a whole other thing to throw a wrench in the works because you can't think of any other way of achieving the same outcome that's not a copy and paste of something someone else is doing. "Oh, but Google does it this way!" You're not Google, you fuck.
Cybersecurity is extremely contextual. One size does not fit all, and when it does, you're probably wearing the wrong clothes for the occasion. That's why you get pissed off when the most inconsequential service on earth refuses to accept your 64-character passphrase because it's missing a special character, even though you're using a fucking Yubikey on top of that passphrase. Nobody there thought about why their password policy is what it is, or how much it actually improves the security of their users' accounts. They just do it because they saw someone else do it. Something about grass and color, I guess.
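To make the passphrase complaint concrete, here is an added example (mine, not code from this post or from CrankySec) that runs two policies side by side: a composition-rule checker of the "one uppercase, one digit, one special" variety, and a length-plus-blocklist checker in the spirit of NIST SP 800-63B, which advises against composition rules and recommends rejecting known-compromised values. The policies, the minimum and maximum lengths, the special-character set, the sample passwords and the tiny blocklist are all constructed for illustration; a real deployment would check against a proper breached-password corpus instead of a five-entry set.

```python
"""Composition-rule policy vs. length-and-blocklist policy.

Added example, not code from the original post. Everything below
(policies, bounds, samples, blocklist) is constructed for illustration.
"""

# A composition-rule policy of the kind the post complains about:
# 8+ characters, one uppercase, one lowercase, one digit, and one
# character from a fixed special set. The set is a constructed example.
SPECIALS = set("!@#$%^&*()-_=+")


def composition_policy(password: str) -> bool:
    """Return True if the password satisfies the composition rules."""
    return (
        len(password) >= 8
        and any(c.isupper() for c in password)
        and any(c.islower() for c in password)
        and any(c.isdigit() for c in password)
        and any(c in SPECIALS for c in password)
    )


# Constructed stand-in for a breached/common-password blocklist (casefolded).
# A real check would query a full corpus, e.g. a k-anonymity range lookup.
BREACHED_SAMPLE = {"password", "p@ssw0rd1", "summer2023!", "welcome1!", "qwerty123"}


def length_blocklist_policy(password: str, min_len: int = 12, max_len: int = 128) -> bool:
    """Length bounds plus a compromised-value check, no composition rules.

    This follows the direction of NIST SP 800-63B (accept long passphrases,
    spaces and any printable character; reject known-compromised values).
    The specific bounds are this example's choices, not the standard's text.
    """
    if not (min_len <= len(password) <= max_len):
        return False
    return password.casefold() not in BREACHED_SAMPLE


def evaluate(passwords):
    """Return {password: (composition_ok, length_blocklist_ok)} for each input."""
    return {p: (composition_policy(p), length_blocklist_policy(p)) for p in passwords}


# Constructed 64-character lowercase passphrase: strong, and rejected by the
# composition rules because it has no uppercase, digit or listed special.
PASSPHRASE = "the grass is always grayer but it did not stop being grass still"

# Constructed samples: a breached-list classic, an 11-character "complex"
# password, and the long passphrase.
SAMPLES = ["P@ssw0rd1", "Tr0ub4dor&3", PASSPHRASE]

if __name__ == "__main__":
    for pw, (comp, lb) in evaluate(SAMPLES).items():
        print(f"{pw[:24]:<26} composition={comp!s:<6} length+blocklist={lb}")
```

The composition checker waves through "P@ssw0rd1" (it ticks every box and sits in the blocklist) and "Tr0ub4dor&3" (complex-looking, 11 characters) while rejecting the 64-character passphrase; the length-and-blocklist checker does the opposite on all three. That inversion is the whole point: the rules measure the shape of the string, not how hard it is to guess.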
And a whole lot of product-based cybersecurity initiatives fail precisely because cybersecurity is highly contextual. Generic solutions to specific problems are very likely to miss the mark. Generic risk registers you pulled from a vendor website won't help you. Generic vulnerability management processes won't work. Generic IR tabletop exercises won't do jack shit. A cybersecurity third-party risk questionnaire you stole from somewhere else is just useless paperwork. A sledgehammer can absolutely drive a small nail, but that doesn't mean it's the best tool for the job. You need to think about the specific problem you're trying to solve.
There are no shortcuts here, clearly. And all we see is people looking for them. "This one thing will solve your problem!" Now you have two problems. And make no mistake: most product and solution vendors know exactly nothing about your problem, so there's no fucking way they can help you solve it. I'm old, friend. I am sick and tired of this silly game. Doing the same thing, getting the same bad results. Throwing money at a problem just to realize that the problem is still there, and all you got to show for it is a six-figure invoice. It's busywork, and that vexes me. Go buy a sticker.
The CrankySec-32x33 Industrial Complex will try to do something about it. Stay tuned, and let your bosses know that we're coming for those fucks who recycle and sell you the same stupid spreadsheet they've been using since 2003. As my business partner says: cybersecurity sucks, your vendors aren't helping. We will.
Want to know more? Want to get involved? Want to just bitch and moan? Join our Discord, will ya?