My father, Mikhael Kollander, was a massive polymath. Musician, inventor, contractor, songwriter. He reinvented himself nine times. But at his core he was a guitarist and a composer. Before he built houses in Los Angeles, before he became a general contractor, he was a musician. Capitol Records. The Fifth Dimension. Bobby Darin’s world tour. Session work across the LA studio circuit in the late 1960s.

One of the acts he played guitar for was Andy Williams. The “It’s the Most Wonderful Time of the Year” guy. The guy who defined American Christmas, before Mariah Carey rightfully ascended the throne. In the 1960s, The Andy Williams Show was one of the biggest variety programs on television. NBC. Prime time. Tens of millions of viewers every week.

In 1969, the show introduced a recurring character called Cookie Bear. A guy in a bear costume who walked onstage, begged for cookies, and never got any. Poor Cookie Bear. Fans loved him so much they started mailing mountains of baked goods to the actor. Meanwhile every week, Andy screamed at him: “NO COOKIES! NOT NOW, NOT EVER!” And slammed the door in his face.

If only we had that level of agency in our privacy choices today.

That same year, students at Brown University started manually sending messages to other people’s computer terminals, freezing them and demanding cookies. The idea spread to MIT, where a programmer named C.D. Tavares decided to automate it. He wrote a program for Multics, an early operating system that ran on machines that filled entire rooms. The terminals were electric typewriters. No screen. Just paper rolling through a carriage. Characters printed at about 15 per second. Chunka chunka chunk.

His program printed the word COOKIE on your terminal. Then faster: COOKIE COOKIE GIVE ME A COOKIE. The only way to make it stop was to type “cookie.” What made it particularly nasty was a trick with the operating system’s alarm timer: the program could put itself to sleep and wake back up later. When you searched for it, it wasn’t running. It was hiding. Waiting. Then it came back. He named it after Cookie Bear from The Andy Williams Show.

Not Sesame Street.

Sesame Street had barely aired its first episode. But over the decades, Sesame Street’s Cookie Monster became the cultural reference that stuck with my fellow developer and cybersecurity nerds. But it actually started with a bear costume and my dad’s guitar :)

Tavares’s program spread to every computer running that system in the world. Including a classified installation in the Pentagon. The Pentagon knew about it. They couldn’t stop it either. It was the world’s first malware.

Today, the word “cookie” still lives in computing. Different meaning, same appetite. Except now the things that want your cookies aren’t wearing bear costumes. They’re services that auction your data to advertisers in less than a second, and criminal operations that steal it at industrial scale. Both businesses. Both profiting off you. One is legal. One isn’t. Neither asked.

Imagine you’re five years old. There’s a kid at school. Not your friend. The annoying one. The one who follows you around writing everything in a little notebook. Swings: three minutes. Slide: the twisty one… twice. Apple juice (not the orange). Farted during circle time and tried to pretend it didn’t happen. All in the notebook.

Now imagine fifty of those kids. Following you everywhere. Every playground. Every day. For two years. And they all share notebooks.

And then you go to the other place. The one you don’t tell anyone about. Everyone has one. Even grown-ups. Especially grown-ups. ;)

The fifty kids follow you there too. That’s what happens when you click “Accept All Cookies.” And even when you click “Reject All,” nearly half of them keep following you anyway.

But it gets worse. The playground itself has cameras. Built into the swings. Built into the slide. Already recording before anyone asked. You agreed to them when your parents signed you up. It was in the tiny writing nobody reads. That’s what your phone apps do. Instagram. TikTok. They don’t ask about cookies. They don’t need to. The whole playground is theirs. And those cameras see everything the kids with notebooks see, plus a whole lot more.

The cookie banner on almost every website releases dozens of tracking programs the moment you click it. Behind the banner is a company called a consent management platform. OneTrust and Cookiebot are the biggest ones. They handle the banner for the website. On CNN it says “Agree.” On Delta Airlines, “I understand.” The language is vague. The machinery isn’t.

When you click, the platform generates something called a TC String under the advertising industry’s consent framework. It looks like random characters. It’s a compressed permission slip that encodes your “yes” for over 1,200 individual advertising companies, one bit per company. One click. A thousand companies you’ve never heard of now have permission to follow you around.

Within about half a second, Google places a tracking file on your device that identifies you for 400 days. Meta (the company that owns Instagram and Facebook) places one through a tracking pixel. That’s a tiny invisible image embedded in the page’s code. One pixel by one pixel. Invisible without developer tools. Meta’s pixel sits on roughly half the websites in the S&P 500 and a third of healthcare websites. These pixels start collecting before you even touch the banner.

Then an auction starts. Before the page finishes loading, an ad exchange packages your data and broadcasts it to dozens of companies bidding on the right to show you an ad. Google’s DV360, The Trade Desk, Amazon Advertising, and hundreds of smaller data brokers all receive your IP address, your GPS coordinates, what you’re reading, and your browsing history sliced into advertising labels: health conditions you’ve researched, financial stress signals, dating activity, and yes, those late-night searches you’d rather not explain to your boyfriend, wife, parents, or boss. ;) The auction completes in 40 to 120 milliseconds. Even the companies that lost the auction still received your data.

That’s what happens on a website. But the cookie banner only covers part of your day.

About 62% of all web traffic is on phones and tablets. And 88% of the time people spend on their phones is in apps, not browsers. Instagram. TikTok. YouTube. Those apps don’t show you a cookie banner. They don’t need to. Cookies are a browser technology. Apps track you through something different and worse.

Each app contains roughly 18 embedded tracking programs from third-party companies, baked directly into the app’s code. Google’s Firebase is embedded in virtually every Android app that tracks user behavior. Meta’s tracking code is in roughly 20% of iOS apps. These programs access things cookies never could: your precise GPS coordinates, your accelerometer data (how you hold and move your phone), your battery level, which other apps you have installed, your network operator. Dancing. Cooking. Pooping. “Working out.” Your phone is always in your pocket. The accelerometer data alone tells a fascinating story of your life. That’s how Instagram seems to know what you talked about at dinner. It doesn’t need to listen through your microphone. It has enough data about your behavior and your device to figure it out.

Every video you watch, how long you watch, whether you pause, how fast you scroll past. The apps are free because you’re not the customer. You’re the product. The advertisers are the customers. Your identity, your habits, your browsing patterns are what’s being sold. Not the cute cat videos you fall asleep to. And not the other videos you watch when you can’t sleep, either ;)

And when you tap a link inside Instagram or TikTok, the page doesn’t open in Safari or Chrome. It opens inside the app’s own built-in browser. In 2022, a former Google engineer turned privacy researcher named Felix Krause published what he found when he looked inside those browsers. Instagram’s browser injects Meta’s tracking script into every website you visit through it, monitoring every tap on buttons, links, and images. TikTok’s browser was worse. It subscribed to every keystroke using JavaScript commands that record every key you press. Krause called it the equivalent of installing a keylogger on third-party websites. If you’ve ever entered a credit card number, a password, or your address on a page that opened inside TikTok or Instagram, the app had the technical ability to see it and record it.

If a hacker did this, they’d go to prison. TikTok does it legally because you agreed to their Terms of Service when you installed the app. You did read those, right?

Krause caught them. But Apple provides a tool that lets apps run injected code in a way that external analysis tools can’t see. If TikTok stopped monitoring keystrokes, we’d have no way to verify it. If they didn’t stop, we’d have no way to detect it. Whether these practices continue in 2026 is unverifiable by design.

Your phone’s privacy settings? Your ad blockers? None of them work inside that built-in browser. The app controls it completely.

You might think cookies are evil and useless. But some of those tracking files do something more important and useful than following you around. They keep you logged in.

That’s why you can close your laptop, open it tomorrow, go to Gmail, and you’re already signed in. A cookie did that. +100 for convenience.

The downside is that anyone who has a copy of that file can get into your account. No password needed. No two-factor authentication challenge. The cookie is the key.

There’s a growing industry built on stealing those files from hundreds of thousands of computers at once. The tool is called an infostealer, a virus that runs silently in the background, rummaging through your browser’s cookie storage and sending everything to a server. The virus is sold as a subscription. About $200 a month. One version called Lumma infected 394,000 computers in two months. Each victim’s stolen data sells for five to twenty-five dollars on underground marketplaces. Do the math: 394,000 victims at ten dollars each is $3.9 million with minimal effort.

They buy your stolen login, load it into their browser, and they’re in. Your email. Your bank. Your browsing history. Everything.

In 2021, someone bought a stolen cookie for $10 on an underground marketplace called Genesis. That cookie belonged to an employee at Electronic Arts, the company that makes FIFA, Madden NFL, The Sims, and Star Wars games. They imported the cookie, got into EA’s internal Slack, talked their way deeper, and stole 780 gigabytes of data including the source code for FIFA 21. Ten dollars. No password. No hacking. Just a cookie.

The FBI shut down Genesis in April 2023. They called it “Operation Cookie Monster.”

The 2025 Verizon Data Breach Investigations Report found that 54% of ransomware victims (ransomware is an attack that locks your files and demands payment) had their stolen credentials sitting on underground marketplaces before the attack even hit. The cookie was already stolen. The attacker was already inside.

The system isn’t broken. It’s working exactly the way it was set up to work. Just not for you.

The confusion is deliberate. The five-click “Reject All” process, the tiny gray text, the in-app browser that ignores your settings. All designed to make you give up. So here’s how to fight back.

Five things. Most of them take less than a minute.

1. On your iPhone: Go to Settings, then Privacy & Security, then Tracking. Turn off “Allow Apps to Request to Track.” This is the single most effective privacy setting on any device. About two-thirds of people who see the prompt say no. Don’t be part of the other third. If you have a Google phone or Samsung, this setting doesn’t exist. Google doesn’t require apps to ask. So go buy yourself an iPhone. Message not sponsored by Mr. Tim Cook.

2. When you tap a link inside Instagram, TikTok, or Facebook: Don’t browse inside the app. Look for the small button that says “Open in Safari” or “Open in Browser.” Tap it every time. One tap gets you out of the app’s surveillance browser.

3. On a computer: Switch from Chrome to Firefox or Safari. Chrome is the last major browser that allows tracking by default. Google made $265 billion from advertising in 2024. Those trackers are what the advertising runs on. If you use Firefox, install a free extension called uBlock Origin. If you use Safari, install uBlock Origin Lite from the App Store. Same developer. Same idea.

4. Use passkeys when offered. When a website lets you log in with your fingerprint or face instead of a password, say yes. A passkey is a login locked to your specific device and the specific website. It can’t be stolen, guessed, or reused. About half the top 100 websites now support them.

5. Know the system. In Europe, the law requires websites to ask before tracking you. In the United States, there is no federal law that does the same thing. That banner isn’t designed to protect you. It’s designed to make you feel like you had a choice.

My dad had no idea that playing guitar for a guy in a bear costume would have anything to do with your browser history. But here we are.

Every week, same bit. The bear asks nicely for a cookie. Andy screams NO. Door slam. Audience laughs.

Fifty-seven years later, the bear won. There are thousands of them now. They don’t wear costumes. They don’t ask nicely. They sit inside your apps, your browser, your phone, quietly collecting everything. And unlike Cookie Bear, they don’t take no for an answer.

But Andy Williams understood something Silicon Valley doesn’t: sometimes the right answer to “Can I have a cookie?” is to slam the door in a bear’s face.

🖖

Sources

1. “The Andy Williams Show,” Wikipedia. Cookie Bear played by Janos Prohaska, 1969 season. https://en.wikipedia.org/wiki/The_Andy_Williams_Show

2. C.D. Tavares, “Origin of the Cookie Monster,” Multicians.org. IBM 2741 Selectric terminals at 134.5 baud. https://multicians.org/cookie.html

3. ScienceDirect (2025), “Large-scale web tracking and cookie compliance.” 43% non-compliance post-rejection. https://www.sciencedirect.com/science/article/pii/S1084804525001195

4. Infosecurity Magazine, “800% Rise in Infostealer Credential Theft.” https://www.infosecurity-magazine.com/news/staggering-800-rise-infostealer/

5. Microsoft Security Blog, “Lumma Stealer.” 394,000+ infections, 2,300 domains seized. https://www.microsoft.com/en-us/security/blog/2025/05/21/lumma-stealer-breaking-down-the-delivery-techniques-and-capabilities-of-a-prolific-infostealer/

6. Intelligence Security, “What Are Stealer Logs?” $5-$25 per log. https://intelligencesecurity.io/en/blog/what-are-stealer-logs-infostealer-malware-guide/

7. HTTP Archive Web Almanac 2025, Cookies chapter. https://almanac.httparchive.org/en/2025/cookies

8. Google, “How Google uses cookies.” https://policies.google.com/technologies/cookies

9. ACM WWW 2023, “Facebook Web Tracking.” Meta Pixel on 18.4% of websites. https://dl.acm.org/doi/fullHtml/10.1145/3543507.3583311

10. Felix Krause, “Instagram and Facebook in-app browser tracking.” Aug 2022. https://krausefx.com/blog/ios-privacy-instagram-and-facebook-can-track-anything-you-do-on-any-website-in-their-in-app-browser

11. Felix Krause, “InAppBrowser.com.” Aug 2022. https://krausefx.com/blog/announcing-inappbrowsercom-see-what-javascript-commands-get-executed-in-an-in-app-browser

12. TechCrunch, “FBI seizes Genesis Market.” https://techcrunch.com/2023/04/05/fbi-genesis-market-seized-stolen-logins/

13. Adjust, “ATT opt-in rates 2025.” https://www.adjust.com/blog/att-opt-in-rates-2025/

14. IAB Europe, Transparency and Consent Framework v2.3. https://iabeurope.eu/transparency-consent-framework/

15. Mobiloud, mobile traffic 60.5%. https://www.mobiloud.com/blog/what-percentage-of-internet-traffic-is-mobile

16. Mobiloud, 88% app time. https://www.mobiloud.com/blog/mobile-apps-vs-mobile-websites

17. UPenn / Big Data & Society. ~18 SDKs per app. https://pricelab.sas.upenn.edu/events/super-sdks

18. HP Wolf Security, EA breach via Genesis Market cookie. https://threatresearch.ext.hp.com/tracing-the-rise-of-breaches-involving-session-cookie-theft/

19. Verizon 2025 DBIR. 54% pre-attack credential exposure. https://www.verizon.com/business/resources/reports/dbir/

20. Descope, “2025 FIDO Report.” 48% passkey support among top 100 sites. https://www.descope.com/blog/post/2025-fido-report

21. Alphabet Inc., Q4 2024 Earnings (SEC Form 8-K). Google advertising revenue $264.6B in fiscal year 2024. https://www.sec.gov/Archives/edgar/data/1652044/000165204425000010/googexhibit991q42024.htm

“It is difficult to get a man to understand something, when his salary depends upon his not understanding it.”

— Upton Sinclair

A doctor friend told me over dinner that a colleague she works closely with was struggling with something that was creating risk of injury for patients. She’d been quietly stepping in. Covering. Handling it, because handling it was the right thing for the patient in the moment.

What left her deeply unsettled was that every option for what to do next would punish her for trying. She could go to HR, but HR exists to manage the institution’s liability, not to help two professionals figure out a patient safety problem. She could say something directly, but the colleague’s employment structure has its own protections, and the person who reports a colleague becomes the difficult one. Now your name’s on a file. Now your next review has an asterisk that could get you fired. So she’s likely to continue covering. It’s the best she can do under the circumstances, despite the risk to the patient and to herself. The institution that pays her isn’t set up to do what all doctors literally swear to: protect patients. It’s set up to protect itself. The practitioners, and the system that pays them, have conflicting goals.

That night, I stayed up until 4am doing research.

The federal Agency for Healthcare Research and Quality has tracked hospital safety culture across thousands of U.S. hospitals for over two decades. Their finding is consistent: hospitals where staff fear blame for raising problems have measurably worse patient outcomes [1].

In one controlled trial, hospital units that trained staff to speak up about safety concerns saw adverse outcomes drop 37%. Units that didn’t saw them rise 43%. More medication errors. More hospital-acquired infections. More patients dying [1].

Not because the doctors and nurses don’t care. Because the unavoidable math my friend did at our dinner table is the same math being done in every hospital in the country. And when that math runs at institutional scale, the consequence is loss of life.

At the Carl T. Hayden VA Medical Center in Phoenix, administrators kept two sets of books. When veterans called to request primary care, their names went on unofficial paper lists held in desk drawers. Only when a slot opened within the VA’s 14-day performance target did the name get moved to the official electronic system. The facility reported average wait times of 24 days. The VA Inspector General found veterans actually waited nearly 115 days [2].

The structural motivation wasn’t complicated. Wait-time performance was tied directly to bonuses and evaluations at every level, from the schedulers entering data to the senior leaders reviewing it. The VA paid $2.8 million in bonuses to senior executives that year. Every single one of the facility’s 470 senior managers received a “fully successful” performance review. The institution had figured out what it was being measured on, and gamed it. Not for the veterans on the other end of the phone. For the metric. Investigators found 1,700 veterans at Phoenix alone who had requested care and were never placed on any official list at all. Some of them died waiting.

Thomas Breen was 71. Navy veteran. He arrived at the Phoenix VA in September 2013 with blood in his urine and a history of cancer. He was told there was a seven-month waiting list. He died of bladder cancer two months later. The VA called on December 6th to schedule his appointment. He had been dead for six days [2].

The VA kept the real wait times in desk drawers. Clean numbers went into the official system. My industry has its own version of that drawer.

Accepted Exceptions, Security Be Damned

There’s something most people in corporate cybersecurity understand and almost nobody will admit to, because it can get you fired: the job isn’t protection. The job is liability management.

Compliance checklists. Audit trails. Certification frameworks that exist so an organization can point to documentation when something goes wrong. Not so that something doesn’t go wrong. The structure is built for the aftermath. Pass the audit. Satisfy the assessor. Get the certificate on file. The calendar turns. Do it again next year.

I’ve sat through enough security audits to know how they actually work. When an assessment finds a vulnerability, the organization has a formal process for keeping it open. It’s called an exception. Someone writes a sentence in a spreadsheet explaining why the risk is acceptable. The auditor notes the exception. The assessment passes. The vulnerability remains. It’s not a flaw in the process. It is the process. Real risks, documented in obscure cells on a spreadsheet nobody outside the security team will ever read. Clean certification on the wall. Same drawer. Different filing cabinet.

Verizon’s forensic team has been analyzing breach investigations for over a decade. The pattern they’ve found is worth sitting with: they have never once identified a breached company that was fully compliant at the time it was hit [3]. Not once.

Equifax held ISO 27001 certification, the international gold standard for information security management. Companies spend months preparing for that audit. EY, one of the Big Four accounting firms, signed off on it. Equifax also held two additional security certifications. Three of the most rigorous in the industry, all active, all current. Meanwhile, a known vulnerability in their web application software had a patch available. Nobody applied it for two months. Nobody’s bonus depended on applying it. Someone’s depended on passing the audit.

Attackers operated inside Equifax’s systems for 78 days without being detected. An expired security certificate had knocked their network monitoring tools offline for 19 months. The tools that would have caught the intrusion weren’t running. 147.9 million Americans had their Social Security numbers exposed. The House Oversight Committee called the breach “entirely preventable.” The Canadian Privacy Commissioner was more direct: it was “not reasonable,” the Commissioner wrote, to rely on the certification “as assurance of adequate security” when the company’s own internal tests had already identified the problems [4].

This pattern goes back at least to 2013, when Target was certified compliant on the payment industry’s own security standard two months before a breach that cost $200 million and ended the CEO’s career [5]. It’s still happening: in 2024, Change Healthcare, the company that processes roughly half of all medical claims in the United States, was breached through a login screen that didn’t require a second verification step beyond a password. $2.457 billion in damages so far. 192.7 million people affected [6].

My friend’s hospital, the VA, Equifax, Target, Change Healthcare. Different industries. Different stakes. Same structure. The institution claims to do one thing. It’s set up to reward another. The people it’s supposed to serve don’t know to ask which is which. And the people inside who do know have done the math on what happens if they speak up.

What Happens When the CEO Admits the Pizza Tastes Like Sh*t

Domino’s Pizza, late 2009. Stock at $2.83 a share. Same-store sales down nearly 5%, seven times worse than the industry average. In consumer taste tests, tied for dead last with Chuck E. Cheese. The company claimed to make good pizza. It was set up to deliver the cheapest possible ingredients as fast as possible. Every customer knew it. The company knew every customer knew it [7].

What happened next is still one of the strangest things a public company has ever done. Domino’s took its own internal focus group footage, customers calling the pizza “cardboard” and “the worst I ever had,” and aired it on national television. CEO Patrick Doyle didn’t spin it. He said the product was bad. Then the company reformulated the entire recipe from scratch, changed every ingredient, and retrained 180,000 employees across 9,000 franchise locations [7].

Revenue jumped 14.3% the next quarter. The stock rose 130% in 12 months. Domino’s eventually overtook Pizza Hut to become the largest pizza chain in the world. By 2018, David Chang was featuring Domino’s on his Netflix show Ugly Delicious and telling Stephen Colbert it was great pizza. A two-Michelin-star chef, ordering Domino’s on camera. The stock didn’t rise because the CEO was brave. It rose because he closed the gap between what the company claimed and what it was actually set up to do [7].

To be fair, there’s a version of this story that goes the other direction. Everlane, the clothing company, trademarked the phrase “Radical Transparency” and published cost breakdowns on every product. Growth was extraordinary. The company raised money at a $250 million valuation, positioning itself as a future billion-dollar brand. But the transparency was only on the price tags. Underneath, the company was set up for the same things every fashion brand is set up for: low labor costs, fast growth, maximum margins. When employees tried to unionize in 2020, the gap became visible. Leadership discouraged the union, claiming it would “reduce transparency.” Former employees published a seven-page manifesto documenting racial discrimination. The New York Times headline: “Everlane’s Promise of ‘Radical Transparency’ Unravels.” The company took on debt to cover inventory, cycled through CEOs, and by 2024 revenue had slid to a fraction of expectations and was still shrinking [8]. The union didn’t cause the decline. The decline happened because the brand’s promise and the company’s actual priorities were never aligned. You can’t slap a transparent label on top of business as usual and expect it to hold.

The Most Transparent Industry Nobody Trusts

The day after dinner, I went on a dog walk with my cousin. He’s a property and casualty insurance producer. He’d been listening to me go on about all of this, and he said something like: “I mean, at least in my line of work, it’s all spelled out clearly. Here’s what’s covered. Here’s what isn’t. Here’s the number. You signed it.”

Then he dared me to go read my own homeowners policy.

I pulled it up on my phone that night, sitting on the couch with the dog asleep on my feet.

Everything covered was listed. Everything excluded was listed. The dollar limits were explicit. The conditions under which a claim pays out were written down. Just a contract that said exactly what it would do, what it wouldn’t, and what it would cost.

The policy I’d been ignoring for three years was more readable than the terms I’d agreed to that morning to update an app on my phone. That’s not a figure of speech. When researchers tested readability across 17 different types of consumer contracts, auto insurance policies scored at a 9th-grade reading level. The most readable of any category. Credit card agreements hit 12th grade. Tech terms of service required a college education [9].

Insurance got this way because nobody trusts it. Accenture surveyed 49,000 consumers across 33 countries in 2023. Only 39% believe insurance companies have their best interests at heart [10]. That deep, persistent distrust is exactly what produced fifty years of regulation requiring clarity. Of 776 plain-language laws in the United States, 209 of them, 42%, govern insurance documents. Banking has 41. Healthcare has 23 [11]. Lawmakers looked at the insurance industry and said: we don’t trust you to be clear on your own, so we’re going to make you.

The industry fought it. Industry representatives warned regulators that changing readability standards would lead to “unintended consequences” and “new litigation.” For decades, insurers resisted every layer of consumer protection regulation that was imposed on them. And then the most regulated consumer-facing industry in the country became one of the most stable and consistently profitable.

We trust our doctors. We trust “the IT guy.” Whether someone is in cybersecurity, networking, software engineering, or desktop support, they’re all “the IT guy” to most people, and we assume they’ve got it handled. That trust is what allows medicine and cybersecurity to stay opaque. Nobody’s demanding that hospital safety reports be written at a ninth-grade reading level. Nobody’s asking to read the exceptions spreadsheet from the last security audit. We just trust that the specialists are doing what they say they’re doing.

The least trusted industry produced the most transparent document. The most trusted institutions hide the truth in desk drawers and spreadsheet exceptions.

There’s a complication, though. Trusted Choice found that 86% of homeowners say they feel confident they understand their coverage. When actually tested on basic questions about their own policy, only 29% passed [12].

The transparency is in the document. It always has been. It’s sitting in your email or your filing cabinet right now. It says exactly what will and won’t happen if your house floods, your roof caves in, your kitchen catches fire. But nobody sat down with you and walked you through it. The agent who sold you the policy earned a commission when you signed. After that, the incentive to make sure you actually understood what you bought disappeared.

Domino’s didn’t just admit the pizza was bad. They changed everything about how the company operated and made the honesty impossible to miss. The insurance industry was forced into writing the clearest consumer contract in America, and it became one of the most stable and profitable industries in the country. But the clarity stops at the document. Nobody, to my knowledge, has bothered to close that last gap.

The Question

People treat medicine, cybersecurity, and insurance like dark arts. Best left to the specialists. “The IT guy has it handled.” I’ve been the IT guy for twenty years. None of these fields are actually dark arts. They all dissolve into logic once you understand them. The VA’s wait-time system is a bonus structure. A security certification is a spreadsheet full of accepted exceptions. An insurance policy is a contract written at a ninth-grade reading level that says exactly what it will and won’t do.

The difference isn’t complexity. It’s incentive. The fields that stay opaque do so because it’s useful. Nobody questions the system when they assume only the specialists can understand it. The one industry that got forced into clarity got there because nobody trusted it enough to leave it alone.

If you run a team, a department, a company: what does your last performance review actually reward? If someone on your team saw a problem tomorrow and did the math on what happens if they name it, would they say something? Or would they do what my friend did at dinner: care about three things at once and stay quiet?

🖖

Sources

[1] Agency for Healthcare Research and Quality, Hospital Survey on Patient Safety Culture. AHRQ has administered this survey across thousands of U.S. hospitals since the early 2000s, tracking whether staff feel they’ll face blame for reporting errors or near misses. Hospitals with punitive cultures consistently show lower near-miss reporting rates, which the research associates with worse patient outcomes over time. The controlled trial finding (37% decrease in adverse outcomes in trained units vs. 43% increase in controls) is from Weaver et al. (Annals of Internal Medicine, 2013), a systematic review commissioned by AHRQ that included 33 studies; the specific trial was a cluster-randomized controlled study showing team training’s impact on adverse outcome scores. The association between punitive cultures and increased medication errors, hospital-acquired infections, and mortality is documented across multiple systematic reviews: Braithwaite et al. (BMJ Open, 2017) reviewed 62 studies and found 74% reported positive associations between safety culture and patient outcomes including reduced mortality, infections, and medication errors; Vikan et al. (BMC Health Services Research, 2023) found 76% of 34 studies showed reduced adverse events where safety culture scores were higher. AHRQ is a federal agency inside the U.S. Department of Health and Human Services. Not commercially sponsored. AHRQ Hospital Survey.

[2] VA Office of Inspector General, Interim Report (No. 14-02603-178, May 28, 2014) and Final Report (No. 14-02603-267, August 26, 2014). The Phoenix investigation found the dual record-keeping system, the 115-day actual wait time versus 24-day reported time, and 1,700 veterans never placed on official lists. Thomas Breen’s case is documented in the OIG report and corroborated by House Committee on Veterans’ Affairs hearing testimony (September 17, 2014). The $2.8 million in senior executive bonuses and the 470 senior managers receiving “fully successful” ratings are from Rep. Jeff Miller’s statement at the House Committee on Veterans’ Affairs (June 2014) and confirmed by CNN reporting. The VA’s own audit concluded that “some front-line, middle, and senior managers felt compelled to manipulate” records to meet performance goals. Schedulers were told by supervisors to “fix” appointments exceeding the 14-day target. Sharon Helman, the Phoenix VA director, received an $8,500 bonus that was later rescinded. A VA nationwide access audit (June 9, 2014) found 70% of VA facilities used unofficial wait lists. An important caveat on causation: the OIG used a standard requiring investigators to “conclusively assert” that delay caused death rather than underlying disease. Medical experts called this threshold “virtually impossible to meet.” The finding is that veterans died while waiting for care they never received, not that delayed care was the sole cause of death in every case. VA OIG Reports.

[3] Verizon Payment Security Report, 2024. Verizon’s Qualified Security Assessor practice has analyzed PCI DSS compliance data across breach investigations for over ten years. The finding that no breached company was fully compliant at the time of breach has held across every edition. Former Visa Chief Enterprise Risk Officer Ellen Richey corroborated this independently in 2018. One important nuance: this means breached companies had drifted out of compliance by the time they were hit, not that compliance itself is useless. The annual-audit-and-drift pattern is the core observation. Verizon sells compliance assessment services, which is worth knowing. Verizon Payment Security Report.

[4] House Committee on Oversight and Government Reform, “The Equifax Data Breach” (December 2018, 96 pages). The “entirely preventable” finding is the Committee’s headline conclusion. The Canadian Privacy Commissioner’s finding is from PIPEDA Report of Findings 2019-001, which explicitly states that reliance on ISO 27001 certification was “not reasonable” given that the company’s own penetration tests had identified noncompliant practices. Equifax issued a statement disagreeing with “many of the factual findings” in the House report. The 300 expired certificates, including 79 on business-critical domains, is from the House report. The $575-700 million FTC/CFPB/state settlement was reached in July 2019, with total breach costs estimated around $1.38 billion. House Oversight Equifax Report. Canadian Privacy Commissioner Finding.

[5] Senate Committee on Commerce, Science, and Transportation, “A ‘Kill Chain’ Analysis of the 2013 Target Data Breach” (March 26, 2014). Target CFO John Mulligan confirmed the PCI DSS certification timeline in testimony before both the Senate Judiciary Committee (February 4, 2014) and Senate Commerce Committee (March 26, 2014). The $200 million figure is from Target’s SEC filings, which also include an $18.5 million multistate attorney general settlement (May 2017). Trustwave, the assessor, disputed the scope of its engagement. The finding here is structural: the certification framework failed to catch the vulnerability that was actually exploited. Senate Kill Chain Report.

[6] Change Healthcare breach, 2024-2025. Change Healthcare (a UnitedHealth Group subsidiary) disclosed the breach in February 2024. The attack was attributed to the ALPHV/BlackCat ransomware group. HITRUST certification status was reported by multiple cybersecurity outlets. The $2.457 billion cost through Q3 2024 is from UnitedHealth Group’s SEC filings (quarterly earnings reports). The $22 million ransom payment was confirmed by UnitedHealth CEO Andrew Witty in April 2024. The 192.7 million affected individuals figure comes from Change Healthcare’s notification to HHS Office for Civil Rights. The $6 billion in advance funding to healthcare providers is from UnitedHealth Group’s disclosures. Change Healthcare’s role in processing approximately half of U.S. medical claims is from the Congressional Research Service. CRS Report IN12330. UnitedHealth Group SEC Filings.

[7] Domino’s Pizza turnaround: all financial figures from Domino’s SEC filings. Stock price of $2.83 and same-store sales decline from Q4 2009 10-Q. The dead-last tie with Chuck E. Cheese in taste tests is from a 2009 consumer survey widely reported at the time, including in the company’s own turnaround documentary. The “Pizza Turnaround” campaign launched in December 2009 with a four-minute documentary posted to YouTube showing real focus group footage and CEO Patrick Doyle’s response. Revenue increase of 14.3% from 2010 annual report. The 130% stock rise within 12 months is calculated from market data. The 180,000 employees and 9,000 franchise locations are from Domino’s corporate disclosures at the time. Domino’s overtaking Pizza Hut is from industry reporting (QSR Magazine, Nation’s Restaurant News). David Chang’s Domino’s advocacy appeared in the first episode of Ugly Delicious (Netflix, 2018). He told Stephen Colbert on The Late Show (May 2018) that he grew up eating Domino’s and his taste hasn’t changed. Chang holds two Michelin stars through his Momofuku restaurant group. Domino’s SEC Filings. Pizza Turnaround Documentary on YouTube.

[8] Everlane: the $250 million valuation and billion-dollar brand trajectory are from Business of Fashion reporting. The unionization timeline, HR emails discouraging organizing, and employee manifesto were reported by The New York Times (“Everlane’s Promise of ‘Radical Transparency’ Unravels,” 2020), Vice, and Fast Company. CEO Michael Preysman acknowledged to Business of Fashion: “The brand externally had such a lofty ambition and we didn’t live up to it internally.” The company took on debt to cover inventory in 2022 (Business of Fashion, February 2024). Revenue decline and continued contraction reported by Business of Fashion (July 2025), citing a person with direct knowledge. NYT: Everlane’s Radical Transparency Unravels (may require subscription). Business of Fashion Everlane Coverage (may require subscription).

[9] MoneyGeek readability analysis, approximately 2022-2023 (original article no longer available at moneygeek.com; methodology and findings corroborated by syndicated coverage and consistent with Benoliel and Becher's independent findings). Tested 17 contract types across financial services and technology using eight readability algorithms. Auto insurance scored 9.80 grade level (most readable); credit cards 10.10; health benefits summaries 10.75; tech terms of service 12.02. MoneyGeek is a commercially sponsored insurance comparison site, which is worth noting. However, the findings align with independent academic research: Benoliel and Becher (Boston College Law Review, 2019) tested 500 major website contracts and found 498 of 500 required 14+ years of education to read. Insurance, particularly auto and property, sits meaningfully below these benchmarks. Health and life insurance score worse (grade 11-13 range), which is an honest limitation of the broader claim. Benoliel & Becher, Boston College Law Review.

[10] Accenture Global Insurance Consumer Study 2023, “People Before Policies.” Survey of 49,000 consumers across 33 global markets. The trust figure has been declining: confidence in insurers’ data stewardship dropped from 40% in 2019 to 32% in 2021. Accenture consults for insurers and has a commercial interest in findings that recommend transformation. The scale of the study and the consistency of the trend across two survey cycles make it credible even accounting for that. Accenture Insurance Consumer Study.

[11] Blasie, Michael. United States Plain Language Laws. Published in the University of Miami Law Review (2022) and expanded as a Wolters Kluwer reference (2023). First nationwide empirical survey of plain-language laws, using systematic Westlaw searches across all 50 states, DC, and federal law. Identified 776 total laws; 209 (42%) govern insurance documents. Funded by the Association of Legal Writing Directors. Not commercially sponsored. Industry resistance to readability regulation: David Snyder, VP and associate general counsel for the American Insurance Association, urged regulators to “tread carefully” and warned that changes “could lead to unintended consequences such as igniting new litigation” (InsuranceNewsNet, reporting on NAIC Consumer Connections Working Group testimony). The broader history of industry resistance to consumer protection regulation is documented in the Congressional Research Service report on insurance regulation (R44046), which describes “the largely united industry resistance to federal intervention in insurance” across multiple decades. Blasie, University of Miami Law Review. InsuranceNewsNet NAIC Readability Coverage. CRS Insurance Regulation Report R44046.

[12] Trusted Choice / Big “I” homeowners insurance awareness survey, June 2024. 400 consumers surveyed via Mfour Data Research. 86% claimed “strong understanding” of their policies. When tested: 56% didn’t know standard homeowners policies exclude floods, 70% didn’t know renovation materials aren’t covered. Only 29% passed. Trusted Choice is the consumer brand of the Independent Insurance Agents and Brokers of America, the trade association for independent agents. Their interest in findings that demonstrate the need for agents is obvious. A Guardian Service survey (2025, 2,000 homeowners via Pollfish) found a nearly identical pattern: 85% confident, 31% failed entirely. Kaiser Family Foundation (2023, independent and nonprofit) found 65% of insured adults with denied claims reported difficulty understanding what their coverage covers. Trusted Choice. KFF Consumer Experience Data.

I’ve spent twenty years in tech, building internet backbones, real-time voice and video, cybersecurity, and product leadership. For the bulk of that time, I assumed there were two career paths available to an MBAless nerd such as myself. Stay at a big company and collect a paycheck. Or go start something from scratch, raise money, get acquired, maybe get rich… or maybe go bankrupt. Those were the options. Everyone around me seemed to agree.

We had confirmation bias baked in. If you work at a large company, you watch acquisitions come in the door. Startups get bought. Founders cash out. And you sit there thinking: that’s the move. I should be on the other side of that deal. Build something, sell it, rinse, repeat.

The numbers on that dream are not great. About half of all new businesses fail within five years, according to the Bureau of Labor Statistics. For venture-backed startups, it’s worse: three out of four never return a dollar to investors1. You don’t hear those stats at tech happy hours. You only hear the drumbeat of the survivors.

While I was absorbing all of this as gospel, something completely different was happening in my own family.

Christine

My sister Christine was managing the books at a small ecommerce company. Good business, profitable, been around for years. Then the owner decided to retire. He was part of an enormous wave that’s still barely begun. McKinsey published a report last week saying six million small businesses will need new owners by 2035, collectively worth up to five trillion dollars. And right now, 92% of small business exits end in the owner just... shutting it down2. Locking the door. Employees lose their jobs, the owner walks away with nothing after decades of work, and some buyer out there never even knew the opportunity existed3. Not because anything was wrong with the business. Nobody showed up.

So a family-run company bought Christine’s employer. Not a PE fund. Not a VC-backed roll-up. A family that buys and operates small businesses: service franchises, ecommerce, that kind of thing. Quiet, extremely profitable, putting all of their kids through school and beyond. Nobody’s ever heard of them.

Christine figured she’d be lucky to keep her job. She’d seen what happens in acquisitions. Most of us have.

The buyers told her later they’d originally planned to let her go. Then they met her. They figured out who was actually making things work. And instead of cutting her, they handed her more responsibility than she’d ever had. Running finance across the organization. Managing the business she’d built from the inside. Handling purchasing across every brand in the portfolio.

She went from “they were going to let me go” to being the person they can’t run without.

The part of the value nobody calculates

Here’s what stuck with me. A huge part of the value of that acquisition was Christine herself. She wasn’t a line item. There was no row on the spreadsheet that said “exceptional operations person who will run your entire finance function for the next decade.” But that’s what they got. That’s the part of the value nobody calculates.

I’ve watched a few acquisitions up close in my own career. The pattern holds in tech. The ones where the acquiring company invested in the people, learned who they were, figured out where they fit, gave them a reason to stay? Those became the most profitable parts of the portfolio. The ones where they bought the technology and didn’t have a plan for the humans? Everyone walked. Growth collapsed. Hundreds of millions in value evaporated. Not because the product was bad. Because the people left.

The third path

My sister didn’t start a company. She didn’t pitch investors. She didn’t grind through a 90-hour-week accelerator program. Neither did the family that employs her. They just bought businesses that already worked and made them better. Starting with the people inside them.

I used to think that was boring. Now I think it might be the smartest thing nobody in my world is paying attention to.

I’ve been reading everything I can find on this. Talking to people. Going down a bunch of wormholes in my free time. I don’t know exactly where they lead yet, but I haven’t been this curious about anything in a long time.

🖖

Hey friends, it’s Women’s History Month, and instead of talking about what I’m building, I want to spotlight some of the brilliant women I get to work with.

At HPE Aruba, I work with incredible teams, especially at Axis Security and Silver Peak. I’ve learned so much from the women around me who are already building the future.

🏆 Yaara Hirsh — Head of Product Design, Axis Security Built an intuitive cloud UI for security admins and mentored her team to collaborate across functions. She taught me the value of a scalable design system.

🏆 Adi Avigdori — Product Designer, Axis Security Elevated our platform’s usability and made the experience more human. She taught me how subtle, thoughtful changes can massively impact engagement.

🏆 Liat Menashe — Product Leader, Axis Security Built a product discovery process and launched our SSE dashboard — one of our most-used features. She taught me that treating your dev leads as respected partners leads to faster and better execution for customers.

🏆 Shwetha Venkatesh — Engineering Leader, Silver Peak Built the API orchestration behind EdgeConnect SD-WAN’s cloud integrations that scalably support hundreds of thousands of business locations. She taught me that giving your devs the space to develop creative solutions is the key to solving complex problems.

🏆 Laura Neacșu — Principal Product Manager, HPE Aruba Helped build a scalable orchestration engine and co-created a routing protocol used by millions. She taught me that staying close to your customers is the secret to delivering solutions that users love.

Here’s what I’ve learned: the best product decisions come from teams that reflect more perspectives, not fewer.

If someone from an underrepresented background has inspired your work, tag them wherever you can. Shout them out. Let’s make the invisible work visible. 🚀

💻 find me: website · linkedin

Cybersecurity is full of serious tools that are seriously hard to use. When something breaks, it’s usually not the tech: it’s the config. When it’s hard to understand, people get it wrong, and that’s how security fails.

Axis did it differently. One policy UI. Simple. Clean. Beautiful, even. Not just because they cared about aesthetics, but because beauty and clarity make security better. When things are simple, people get them right. That kind of clarity only happens when design leads, not follows.

One of our designers keeps toys on her desk and a book on the art of toys. Not just for fun, but because play sharpens perception, and perception shapes how we build. 🧸

The original team did what no one else had: combined private app, internet, and SaaS security into one unified policy UI. Now others are trying to catch up.

Our earliest data centers? Named after video game characters. We bought toys for them too. Not a gimmick. Just another way to signal joy. And joy, weirdly enough, builds better tools. 🕹️

That’s why HPE bought us for $500 million. They saw value in a different kind of culture. Now the team is growing, the product’s evolving. And I want us to keep building with that same spark.

I didn’t build this from day one. But I saw what made it different and I stayed to protect that. I almost left when the founders left. Big company politics aren’t really my thing…but I stayed because this product came from a design culture that valued beauty and function equally, and that’s still rare and valuable. That’s what I’m here to protect.

Last time I was in Tel Aviv, I left toys around the office: bouncy balls, blinky dinosaurs. Not for nostalgia, but to remind the team and myself that the Axis spirit is still here. 🦕

Great security starts with great design, and sometimes it’s the tiny dinosaur that gets it right.

💻 find me: website · linkedin

My socks don’t match.

No, this isn’t a metaphor. I literally walked out the door wearing a green sock and a blue sock.

They were on perfectly straight, though.

Had to make sure the seams wouldn’t rub my toes the wrong way.

Because I’m Autistic. And I’m ADHD.

Yes, you can be both.

Which means I’ll obsess over texture alignment…

and completely miss the color mismatch because I’m still mentally reverse-engineering how diffraction gratings in AR glasses work, like teeny tiny, super precise combs trying to part light beams at just the right angles.

(If someone from Apple or Meta reads this, please call me out if that’s a craptacular analogy.)

(Also, it’s really cool stuff! You should check it out.)

Anyways…

That’s one small, mildly ridiculous example of how Autism and ADHD can show up in daily life. Not always in the ways people expect.

It might look like fidgeting with your pen or pacing around the room during a meeting to stay grounded.

Or finishing your Autism Awareness Month post a day late, while you’re on vacation.

Or needing quiet time before jumping into collaboration, because your high-octane brain won’t engage until your coolant levels are sufficient.

Or reworking the requirements for a new identity context API because the schema feels like it’s stitched together with dental floss and toothpicks.

Sure, it doesn’t look tidy.

But pattern recognition rarely is.

The DSM calls that a disorder.

But what it really describes is a brain that makes people uncomfortable, especially when it questions what they call “normal.”

Autism and ADHD aren’t modern problems.

They’re ancient neurotypes.

We’ve always been part of humanity:

the fire tenders, toolmakers, trackers, scouts.

The ones who noticed what others missed.

The ones who saw the break coming and acted before anyone else could blink.

Today we’re engineers, architects, founders, VPs, and so much more.

Not despite how our brains work, but because of it.

The world doesn’t need perfect socks.

It needs men and women with honest brains, clear intent, and curious hearts.

That’s how you define leadership, no matter what socks you’re wearing.

💻 find me: website · linkedin

Here for a 🏳️‍🌈 wedding, family, and maybe a few new beginnings.

Herbs, eggs, coffee.

No music. No narration. Just (mostly) quiet sound.

I cooked simple food and cleaned as I went, a ritual I picked up from my dad on job sites. 👷🏻🛠️

I think a lot about him when I’m here. The people, the food, the music…it all reminds me of the best parts of him.

At 11 am, the air sirens sounded for Yom HaZikaron (Memorial Day).

Everything paused.

This was the quiet before that moment. 💙

💻 find me: website · linkedin

“Stay curious. Failure is inevitable. But we can improve our personal reaction to it.”

That note came out of an exercise on failing well. Intentionally, intelligently, and without shame. I’ve been turning it over in my head ever since. Not because it’s a clever soundbite, but because it cuts to the core of what leadership needs now.

I’ve spent the last two decades in tech. From networks to cybersecurity to increasingly abstract things like “AI” and “platform strategy.” Failure has always been part of the job, but lately, we’re swimming in it.

The stakes are high. The systems are bigger. The speed of change is off the charts. In that kind of environment, failure isn’t a detour, it’s the road.

And yet most teams (and most orgs) are still terrified of it. That fear shows its face as endless compliance theater, backchanneling, micro-management, or just plain silence. We pretend we’re fine. We fake alignment. And we wonder why our products fall flat.

So here’s the idea that stuck:

It’s not about avoiding failure. It’s about designing your response to it.

Amy Edmondson calls this intelligent failure: the kind you plan for, learn from, and emerge smarter because of. Marty Cagan (paraphrasing here) says that the real job of leadership is creating an environment where empowered teams can take smart risks. I’d add that only works if the culture gives people space to react to failure with curiosity instead of panic.

A Few Takeaways I’m Carrying Forward:

• 🔍 Measure outcomes, not output. What are you learning if you can’t connect your work to meaningful change?

• 🔁 Ritualize your learning. Make “What did we learn?” a habit that drives progress, not a post-mortem.

• 🧭 Know who’s helping you move toward the work that matters to you and your team.

• 🧠 Curiosity over control. Especially when things get messy.

These takeaways aren’t just about product teams. They’re about how we lead, build trust, and stay human in environments that constantly ask us to optimize, ship, and smile through the mess.

I don’t have it all figured out. But I do know I want to keep building with people willing to fail out loud, and get better, together.

If you’ve got a failure ritual that’s actually worked for your team, I’d love to hear it.