The reactionary state of the industry means that we quickly identify the ‘root cause’ in terms of ‘human-error’ as an object to attribute and shift blame. Hindsight bias often confuses our personal narrative with truth, which is an objective fact that we as investigators can never fully know. The poor state of self-reflection, human factors knowledge, and the nature of resource constraints further incentivize this vicious pattern. This approach results in unnecessary and unhelpful assignment of blame, isolation of the engineers involved, and ultimately a culture of fear throughout the organization. Mistakes will always happen. Rather than failing fast and encouraging experimentation, the traditional process often discourages creativity and kills innovation. As an alternative to simply reacting to failures, the security industry has been overlooking valuable chances to further understand and nurture ‘accidents’ or ‘mistakes’ as opportunities to proactively strengthen system resilience. Expose the failures, build resilient systems, and develop an "Applied security" model to minimize the impact of failures. In this session we will cover discuss the role of ‘human-error’, root cause, and resilience engineering in our industry and how we can use new techniques such as Chaos Engineering to make a difference. Security focused Chaos Engineering proposes that the only way to understand this uncertainty is to confront it objectively by introducing controlled signals. During this session we will cover some key concepts in Safety & Resilience Engineering work based on Sydney Dekker’s 30 years of research into airline accident investigations and how new techniques such as Chaos Engineering are making a difference in improving our ability to learn from incidents proactively before they become destructive

2. SECURITY
DIFFERENTLY

3. $WHOAMI

5. WHY SECURITY
DIFFERENTLY?

6. SAFETY AND SECURITY
HAVE A LOT IN COMMON

7. SAFETY DIFFERENTLY ORIGINS
"Safety differently' is about relying on
people’s expertise, insights and the
dignity of work as actually done to
improve safety and efficiency. It is
about halting or pushing back on the
ever-expanding bureaucratization and
compliance of work."
-- Sydney Dekker

8. "SECURITY DIFFERENTLY’ IS ABOUT RELYING ON
PEOPLE’S EXPERTISE, INSIGHTS AND THE DIGNITY OF
WORK AS ACTUALLY DONE TO IMPROVE SECURITY
AND EFFICIENCY. IT IS ABOUT HALTING OR PUSHING
BACK ON THE EVER-EXPANDING BUREAUCRATIZATION
AND COMPLIANCE OF WORK."

9. SECURITY CURRENTLY VS. SECURITY DIFFERENTLY
Security Currently Security Differently
People are the Source of Problems People are the Solution
Tell them what to do Ask them what they need
(Control & Compliance) Competency & Common Sense
Count absence of Negative events Count Presence of Positives

10. FACT: NO SYSTEM IS SECURE ON ITS
OWN, IT REQUIRES HUMANS TO CREATE
IT

11. SECURITY CURRENTLY
> Are we doing the things that really matter?
> What is the best measurement of performance?
> How much are we learning from our past performance?
> How do we know when we’re doing well?

12. OUTCOMES ARE THE ULTIMATE
MEASUREMENT OF EFFECTIVENESS

14. WHY DO OUTAGES AND
BREACHES SEEM TO BE
HAPPENING MORE OFTEN?

15. FLAWED
UNDERSTANDINGOUR UNDERSTANDING OF OUR SYSTEMS

16. SYSTEM ENGINEERING IS A
MESSY AFFAIR

21. COMPLEX SYSTEMS ARE
CHALLENGING

22. COMPLEX SYSTEMS TRAITS
• Cascading Failures
• Di!cult to determine boundaries
• Difficult to Model Behavior
• Dynamic network of multiplicity
• May produce emergent phenomena
• Relationships are non-linear
• Relationships contain feedback loops

23. EXAMPLES OF COMPLEX SYSTEMS
• Global Financial Markets
• Nation-State PoliicS
• Weather Patterns
• The Human Body
• Bird Patterns
• Distributed Computing Systems (aka your systems)

24. FACT: OUTAGES &
BREACHES WILL CONTINUE
TO GET WORSE

25. UNLESS WE BEGIN
THINKING DIFFERENTLY

26. SOFTWARE HAS TAKEN
OVER EVERYTHING

28. AREAS OF POTENTIAL
IMPROVEMENT

29. ARCHITECTURE VS.
ARCHINEERING

30. "Scaffolding is never intended to be permanent"
-- Dave Snowden

31. ARCHITECTURE
PATTERNS

32. THREAT INTEL

33. ALL THE INTEL FEEDS IN THE WORLD
WON'T MEAN MUCH IF YOU DON’T HAVE
YOUR HOUSE IN ORDER

34. DECEPTION TECHNIQUES =
MORE ATTACK SURFACE
MANAGEMENT

35. AI/ML/DL/RL & QUANTUM
ENTANGLEMENT WILL NOT MAGICALLY
SOLVE YOUR PROBLEMS

36. AI DOES NOT YET EXIST,
JUST STOP

37. SECURITY
POLICIES

38. IF THE SECURITY POLICIES AREN’T
UNDERSTOOD OR CANT BE EXPLAINED
EFFECTIVELY BY SECURITY HOW ARE
ENGINEERS EXPECTED TO TRANSLATE
THEM INTO REAL-LIFE PRODUCT?

39. RISK
MANAGEMENT

40. MEASUREMENT AND MANAGEMENT OF
RISK IS FUNDAMENTALLY IN NEED OF
CHANGE

41. SOFTWARE HAS DISRUPTED OUR
TRADITIONAL AND SUBJECTIVE
METHODS OF IDENTIFYING, MEASURING
AND MANAGING SYSTEM RISKS.

42. NEW WAYS OF
THINKING

43. DEVOPS &
DEVSECOPS
IS NOW THE NEW NORM

44. SECURITY LOVES CHAOS
ENGINEERING

46. POSTMORTEMS =
PREPARATION

51. INCIDENT
RESPONSE

52. SOLUTIONS
ARCHITECTURE

53. CREATE OBJECTIVE FEEDBACK LOOPS
ABOUT SECURITY EFFECTIVENESS

54. FOCUS ON WHAT YOU
HAVE THE ABILITY TO
CONTROL

55. RESILIENCE DOESN’T MEAN
WHAT YOU THINK IT
MEANS

56. RESILIENCE !=
DR/BCP

57. Resilience is the ability of systems to prevent or adapt
to changing conditions in order to maintain control over
a system property…to ensure safety… and to avoid
failure.
-- Hollnagel, Woods, & Leveson

58. FAILURE IS THE NORMAL
CONDITION

59. HUMANS AREN’T THE
PROBLEM, THEY ARE THE
SOLUTION

60. ROOT CAUSES
DONT EXIST

61. FIELD GUIDE TO 'HUMAN-
ERROR' INVESTIGATIONS
BY SYDNEY DEKKER

62. OLD VIEW
> Human Error is a cause of trouble
> You need to find people’s mistakes, bad judgements and
inaccurate assessments
> Complex Systems are basically safe
> Unreliable, erratic humans undermine systems safety
> Make systems safer by restricting the human condition

63. NEW VIEW
> Human error is a symptom of deeper system trouble
> Instead, understand how their assessment and actions
made sense at the time - context matters
> Complex systems are basically unsafe
> Complex systems are tradeoffs between competing
goals safety vs. efficiency

64. AUTOMATION ISN’T A
MAGIC ANSWER

65. FOCUS ON WHAT
MATTERS MOST.

66. VALUE CHAINAS A SECURITY PROFESSIONAL CAN
YOU CLEARLY ARTICULATE WHERE YOU
SIT IN YOUR COMPANY’S VALUE CHAIN?

67. EVERYONE MUST
CODE

68. GOING FORWARD EVERYONE MUST
UNDERSTAND HOW TO WRITE
SOFTWARE IS A MUST

69. PYTHON IS A GOOD START, IT WAS
ORIGINALLY DESIGNED FOR CHILDREN

70. Everyone is responsible for the
engineering not just the security.

72. THANK YOU
ALLDAYDEVOPS!