Cybersecurity Rocks (Because Habits Do)
Last week I joined HackTheLab, a Roche event that brought real stories from cybersecurity experts.
Big thanks to Mario Salirrosas and the team for a day packed with learning.
I tried to make this post a non-technical memo: what anyone (yes, anyone) can take away to keep our teams and products safer. Enjoy the learning:
🔵 Fix the house, not just the hole.
Patching one leak at a time is whack-a-mole. Better to replace the leaky bucket. In tech terms: set safety rules that block whole categories of mistakes, not just one bug.
🔵 Scoreboard beats vibes.
Like a restaurant hygiene rating, create a simple checklist across products (Do we have basic protections on? Are cookies locked down? Are old parts updated?). Scores nudge steady improvement.
🔵 Museums teach security.
Robbers don’t need lasers, just a balcony with no camera. Our “balconies” are defaults we never changed, old components we never updated, or logs we never checked.
🔵 Burglars try the front door first.
Most real incidents come from basics: weak passwords, extra keys lying around, or giving “master keys” to people who don’t need them. Limit keys. Time-box special access.
🔵 Fire drills > pretty dashboards.
Alarms you’ve never tested are Schrödinger’s alarms: maybe they work, maybe not. Practice the response. Know who does what when something rings.
You will remember this one 👇🏼
One speaker showed a museum with alarms, guards, and cameras. Everything “green” on the dashboard.
But the thieves climbed a balcony no camera watched. ⚠️
That image won’t leave me. 👆🏼
In our work, the balcony is the obvious thing we forgot: the default password no one changed, the public link nobody reviewed, the “temporary” admin access that became permanent.
When we add simple guardrails, like “this app only loads trusted stuff” and “no one creates new master keys without a call to the owner”, we’re not making life harder; we’re pointing a camera at the balcony.
Pick one this week:
- Define a red line alert. “If anyone creates a new master key, my phone buzzes.”
- Run a 15-minute fire drill. Simulate: “A colleague clicks a phishing link, what do we do in the first 10 minutes?”
- Shrink the keyring. Remove access people don’t use; time-limit special access.
I invite you to pick one habit to adopt and notice what it changes in you. For me, writing this wasn’t just about cybersecurity, it was about finding calm in knowing what I can control.
Thanks for reading ✌🏼