The document discusses the concept of "security differently", which focuses on relying on people's expertise and insights rather than a compliance-based approach to security. It argues that current security practices often view people as the problem rather than the solution. Security differently aims to halt the over-bureaucratization of security work and instead ask people what they need while focusing on competency and common sense. The document also notes that complex systems are inherently difficult to secure and that outages and breaches will continue without rethinking traditional security approaches.

2. SECURITY
DIFFERENTLY

3. $WHOAMI

5. WHY SECURITY
DIFFERENTLY?

6. SAFETY AND SECURITY
HAVE A LOT IN COMMON

7. SAFETY DIFFERENTLY ORIGINS
"Safety differently' is about relying on
people’s expertise, insights and the
dignity of work as actually done to
improve safety and efficiency. It is
about halting or pushing back on the
ever-expanding bureaucratization and
compliance of work."
-- Sydney Dekker

8. "SECURITY DIFFERENTLY’ IS ABOUT RELYING ON
PEOPLE’S EXPERTISE, INSIGHTS AND THE DIGNITY OF
WORK AS ACTUALLY DONE TO IMPROVE SECURITY
AND EFFICIENCY. IT IS ABOUT HALTING OR PUSHING
BACK ON THE EVER-EXPANDING BUREAUCRATIZATION
AND COMPLIANCE OF WORK."

9. SECURITY CURRENTLY VS. SECURITY DIFFERENTLY
Security Currently Security Differently
People are the Source of Problems People are the Solution
Tell them what to do Ask them what they need
(Control & Compliance) Competency & Common Sense
Count absence of Negative events Count Presence of Positives

10. FACT: NO SYSTEM IS SECURE ON ITS
OWN, IT REQUIRES HUMANS TO CREATE
IT

11. SECURITY CURRENTLY
> Are we doing the things that really matter?
> What is the best measurement of performance?
> How much are we learning from our past performance?
> How do we know when we’re doing well?

12. OUTCOMES ARE THE ULTIMATE
MEASUREMENT OF EFFECTIVENESS

14. WHY DO OUTAGES AND
BREACHES SEEM TO BE
HAPPENING MORE OFTEN?

15. FLAWED
UNDERSTANDINGOUR UNDERSTANDING OF OUR SYSTEMS

16. SYSTEM ENGINEERING IS A
MESSY AFFAIR

21. COMPLEX SYSTEMS ARE
CHALLENGING

22. COMPLEX SYSTEMS TRAITS
• Cascading Failures
• Di!cult to determine boundaries
• Difficult to Model Behavior
• Dynamic network of multiplicity
• May produce emergent phenomena
• Relationships are non-linear
• Relationships contain feedback loops

23. EXAMPLES OF COMPLEX SYSTEMS
• Global Financial Markets
• Nation-State PoliicS
• Weather Patterns
• The Human Body
• Bird Patterns
• Distributed Computing Systems (aka your systems)

24. FACT: OUTAGES &
BREACHES WILL CONTINUE
TO GET WORSE

25. UNLESS WE BEGIN
THINKING DIFFERENTLY

26. SOFTWARE HAS TAKEN
OVER EVERYTHING

28. AREAS OF POTENTIAL
IMPROVEMENT

29. ARCHITECTURE VS.
ARCHINEERING

30. "Scaffolding is never intended to be permanent"
-- Dave Snowden

31. ARCHITECTURE
PATTERNS

32. THREAT INTEL

33. ALL THE INTEL FEEDS IN THE WORLD
WON'T MEAN MUCH IF YOU DON’T HAVE
YOUR HOUSE IN ORDER

34. DECEPTION TECHNIQUES =
MORE ATTACK SURFACE
MANAGEMENT

35. AI/ML/DL/RL & QUANTUM
ENTANGLEMENT WILL NOT MAGICALLY
SOLVE YOUR PROBLEMS

36. ARE YOU
KIDDING ME?

37. AI DOES NOT YET EXIST,
JUST STOP

38. SECURITY
POLICIES

39. IF THE SECURITY POLICIES AREN’T
UNDERSTOOD OR CANT BE EXPLAINED
EFFECTIVELY BY SECURITY HOW ARE
ENGINEERS EXPECTED TO TRANSLATE
THEM INTO REAL-LIFE PRODUCT?

40. RISK
MANAGEMENT

41. MEASUREMENT AND MANAGEMENT OF
RISK IS FUNDAMENTALLY IN NEED OF
CHANGE

42. SOFTWARE HAS DISRUPTED OUR
TRADITIONAL AND SUBJECTIVE
METHODS OF IDENTIFYING, MEASURING
AND MANAGING SYSTEM RISKS.

43. NEW WAYS OF
THINKING

44. DEVOPS &
DEVSECOPS
IS NOW THE NEW NORM

45. SECURITY LOVES CHAOS
ENGINEERING

46. POSTMORTEMS =
PREPARATION

53. INCIDENT
RESPONSE

54. SOLUTIONS
ARCHITECTURE

55. CREATE OBJECTIVE FEEDBACK LOOPS
ABOUT SECURITY EFFECTIVENESS

56. FOCUS ON WHAT YOU
HAVE THE ABILITY TO
CONTROL

57. RESILIENCE DOESN’T MEAN
WHAT YOU THINK IT
MEANS

58. RESILIENCE !=
DR/BCP

59. Resilience is the ability of systems to prevent or adapt
to changing conditions in order to maintain control over
a system property…to ensure safety… and to avoid
failure.
-- Hollnagel, Woods, & Leveson

60. FAILURE IS THE NORMAL
CONDITION

61. HUMANS AREN’T THE
PROBLEM, THEY ARE THE
SOLUTION

62. ROOT CAUSES
DONT EXIST

63. FIELD GUIDE TO 'HUMAN-
ERROR' INVESTIGATIONS
BY SYDNEY DEKKER

64. OLD VIEW
> Human Error is a cause of trouble
> You need to find people’s mistakes, bad judgements and
inaccurate assessments
> Complex Systems are basically safe
> Unreliable, erratic humans undermine systems safety
> Make systems safer by restricting the human condition

65. NEW VIEW
> Human error is a symptom of deeper system trouble
> Instead, understand how their assessment and actions
made sense at the time - context matters
> Complex systems are basically unsafe
> Complex systems are tradeoffs between competing
goals safety vs. efficiency

66. AUTOMATION ISN’T A
MAGIC ANSWER

67. FOCUS ON WHAT
MATTERS MOST.

68. VALUE CHAINAS A SECURITY PROFESSIONAL CAN
YOU CLEARLY ARTICULATE WHERE YOU
SIT IN YOUR COMPANY’S VALUE CHAIN?

69. DOES THE COMPANY EXIST TO DELIVER
PRODUCT AND SERVICES OR EMPLOYEE
DESKTOPS?

70. EVERYONE MUST
CODE

71. GOING FORWARD EVERYONE MUST
UNDERSTAND HOW TO WRITE
SOFTWARE IS A MUST

72. PYTHON IS A GOOD START, IT WAS
ORIGINALLY DESIGNED FOR CHILDREN

73. Everyone is responsible for the
engineering not just the security.

75. THANK YOU
AUSTIN!