It's never simple
How do you do, friends? Hope everything is good, and the holiday season is not making you mad. Anyway, on top of working on the previously mentioned business, I've been doing some cleaning and decluttering my life, digital and otherwise. I think it's good to take some time (I can hear you LOL-ing at "take some time", and you're right) and reassess where your time, money, and energy are going. You'd be surprised.
I digress, though. Or, do I? We'll see about that.
Indeed, I do have two things to talk about, and they are kinda related. So, let's do that hockey!
First of all, I would like to address every single one of you cyber beauts, and offer some unsolicited advice:
Do not confuse posturing for knowledge. Really. It happens all the time, and it hurts everyone. Every time some dumbass 10-ply vCISO who can't tell the difference between Java and JavaScript starts yapping about React2Shell on LinkedIn, you shouldn't listen. Every time someone who makes a living shilling AI tells you AI is coming for your job, you shouldn't listen. Every time some idiot starts a sentence with "In today's evolving cybersecurity threat landscape", you should go do something else.
This shit is everywhere, and just stopping to skim through it has a mental cost. Even reading this kind of shit to make fun of it takes time. I don't think you should do it. Because there's a lot of performative nonsense out there specifically designed to grab your attention instead of informing, educating, or even entertaining you. It's a dumb circlejerk that's really hard to escape once you're in it.
The overwhelming majority of cybersecurity issues out there are not solved by patching shit. They are not solved by capturing flags. They are not solved by waving a piece of paper you got from ISC2. The overwhelming majority of cybersecurity issues out there are extremely prosaic. The overwhelming majority of cybersecurity issues out there stem from a lack of governance, not technology or awareness. That's why I strongly believe that cybersecurity is not one thing: it's a collection of things. It's a process. It's multi-disciplinary. You have to know a lot of things to make sense of the whole, because the whole is the important thing. There are no flags to capture on most cybersecurity jobs.
On the other hand, you see a lot of really good folks going through hard times because they can't get a job in the field, despite having all the credentials and qualifications to do so. I don't really think that's by design or anything. It's just the consequence of other shit. AI ain't taking over your job: businesses just realized that absolutely nothing happens when they fuck up. And that's just due to the current regulatory systems being run by a bunch of corrupt fools. If the problems you cause are impacting everyone else but you, why would you solve these problems? If leaking your data is a daily occurrence, and no one bats an eye anymore when it happens, why invest in data protection? If you're the one being scammed by someone on the other side of the world who rented a thousand cell phone numbers, why would the telco move a finger to make it stop? They don't have to, so they don't.
And, let's be real: a lot of people came to this industry with the wrong intentions, too. A lot of people thought they would land a fat paycheck by studying for a couple of weeks, sitting down for a couple of hours, and answering a couple hundred multiple choice questions. These folks are not going to be around much longer because a) they suck at it, and b) there are just too many of them for the current level of demand. Demand that is shrinking because of the above, and because of stupid people with a lot of money misallocating their resources. I mean, "misallocating" from our point of view. For them, it's being allocated just fine.
The only way to succeed in cybersecurity is to fucking learn. And to keep learning. And learn some more. And then learn something else entirely, and see if that's applicable to cybersecurity. Rinse and repeat. It never ends. Never. And it never will, LLMs or not. Human beings are extremely crafty and adaptable, and that's what the powers that be want you to forget. And human beings are the most powerful force on earth when they work towards a common goal. If, tomorrow, every single cybersecurity professional working for, I don't know, Meta, decides to do something else, there's no Meta. And, if, tomorrow, Meta decides they don't need cybersecurity professionals anymore because their AI will do that job, every single cybersecurity professional working for Meta will figure something out. You either do things on your terms, or your hand will be forced. In the grand scheme of things, we are all going on the expenses side of that balance sheet. Every dollar we make is a dollar that won't go to the shareholder, and you know who's number one.
This too shall pass, but it's going to suck for a while. What can we do, then? My only answer to this is we put our heads together, and try to figure it out. I don't want to turn Crankysec into a marketing arm of the business we're trying to run, but, that's one aspect of that. Get together, share, talk to each other, help when you can. Having a reliable group of people for a sanity check will save you a lot of heartache when you feel like panicking over React Server Components you're not even using. There's a lot of cool people out there who are more than willing to teach and learn. More than willing to help. Our Discord is one place with such people, but it's not the only one. Find your crew, keep an open mind, listen to each other, and lend a helping hand whenever you can. We ain't going very far alone.