
Imperfect Security: Doing Less to Achieve Better Security

BSidesSF · 2024 · 41:59 · 403 views · Published 2024-07
Speaker: Kevin Hanaford
Category: Career
Difficulty: Intro
Style: Talk
About this talk
Kevin Hanaford

Imperfect Security is accepting that you cannot actually achieve "perfect security" and that a "less is more" approach can be a more effective strategy. This talk discusses why doing fewer, simpler things, being collaborative, and ignoring doom and gloom ultimately result in stronger, more responsive security programs and healthier teams.

https://bsidessf2024.sched.com/event/262b50e075633fd5751b6e7f9467ec8e
Transcript [en]

For our next session we have Kevin, who will be talking about imperfect security. Kevin, over to you.

Hello everybody. I am not talking about imprefect security, but figured this would be an appropriate first slide. Today I'm going to be talking about that, but we'll also introduce myself, establish a little bit of a baseline of what I think perfect security might actually look like if it was possible (if you can't tell, I don't believe that it's possible), talk a little bit about what I think imperfect security is and how to achieve that, and then what it looks like in action, then leave you with some things to take back to your companies, your homes maybe, I don't know. This doesn't only apply to security; I think you'll find pretty quickly that a lot of this is applicable in other places as well.

But first things first: my name is Kevin Hanaford. I lead trust engineering at Discord, which is a great engineering group that consists of security, privacy, safety, and platform engineering folks. That pays the day job. You're welcome for that, Alex. That's the day job; it pays the bills. But largely outside of my day job I'm not a very technical person. I'm primarily a musician, I'm an elder emo; you can come talk to me about that time I played with your favorite Warped Tour band if you'd like. I ski a lot and spend a lot of time outdoors, do a lot of camping, getting out in the woods, etc. I actually live in the woods; it's pretty cool. I'm a Pacific Northwesterner. I'm an escapee from Alaska, then to Seattle, down to California for a brief moment in time, and then back up to just outside of Seattle, but for people who don't live here, it's Seattle.

So the first question is: what is perfect security? In this world where we're going to pretend that perfect security is actually possible, it might look something like this. You're going to have a company, or a group of people, or code that has no vulnerabilities, not even a single one. All of your employees will know how to avoid all of the phishing, every single one; they will never fall for anything. You'll spend a lot of money on phishing tests that will not be worth it. Your permissions will be at least privilege; they'll be role based, they'll be attribute based, whatever it is you're looking for, and they will work and they'll be consistent everywhere. You'll actually have a staging environment (this one bullet point could probably defeat the whole idea of perfect security) and it mirrors production; there's no testing in production, you don't do any of that. You'll have a DLP that actually works

as advertised. And then Chrome is always up to date; this is another one that could probably defeat the whole entire bullet point by itself, because this is never, ever, ever the case. But if you could figure out how to do this, your security team is probably very, very rich, or, what's more likely, very unemployed, because you don't need them anymore.

"But Kevin, isn't perfect the enemy of good?" Yes, of course it is. Every single person in this theater has said this at least once; if you're a manager, you've said it at least a hundred times. But there's a reason why we say this. This is consistent across a whole bunch of different industries, and it stems largely from the experience that perfect takes a lot of energy and is oftentimes not worth it, and good can be good enough.

So let's talk about where this originates. The Pareto principle, or what's more commonly referred to as 80/20, is kind of where this came from, or where it at least became popular, back in the early 1900s. Pareto himself noticed that 80% of the land in Italy was owned by 20% of the population. Over the next couple of decades we found that this principle actually applies in a variety of different places: we found that it's the case in manufacturing, we've seen evidence of this in software engineering, and more recently we have seen this in real estate, which is kind of similar to the first principle. But the idea here is that 20% of your efforts accounts for 80% of the results, very often. A couple of caveats on this: it's not always 20% of the effort and it's not always 80% of the results, and it doesn't have to add up to 100%; you can have 90% of your results come from 40% of your efforts. So it's not quite perfect, but it's sort of a good principle for this. Notably, Steve Ballmer, in his follow-up to the Trustworthy Computing memo back in 2002, outlined that 20% of all bugs caused 80% of all errors. So we see this in software engineering, you know, as recently as 20 years ago. To articulate this sort of imbalance even further, he additionally noted that 1% of bugs cause half of all errors, right? This is a big sort of follow-up. This is when Microsoft was actually... this is kind of good timing, talking about this, because they just issued, like, Trustworthy Computing round two; I'm sure there's something similar in there. Another, more tongue-in-cheek version of this is the ninety-ninety rule from Tom Cargill. He was a Bell Labs person back in the '80s and early '90s and sort of coined this idea that the first 90% of code accounts for the first 90% of development time, and then

the remaining 10% of code accounts for another 90% of development time. This, I think, is something that probably everybody in this room has experienced at some point in time, but again it's just another one of these things where we're like, hey, we don't have to do 100% of all the work, and if we want to, it's probably going to take more than 100% of the time.

So now that I've sort of described why I think perfect is not possible, I'm going to outline this anyway: we think it's inefficient, we think that there's a high cost to perfect, there's a skewed ROI, and it's potentially only good for the memes, which is the best part. Speaking of memes, I actually submitted the CFP just so I could do this slide. It's a terrible joke, but the only way, I think, to achieve perfect security is to delete your data, turn off your servers, fire everybody, and move to a mountain, probably a mountain where you don't have cell phone reception so that you can't be tempted by a computer.

So anyway, if perfect is not possible, let's talk about what imperfect is and what I think makes imperfect security, or really imperfect (insert other function, job, role, whatever). For me it comes down to sort of four pillars. The first of which is operating in this reality, not some alternate reality where perfect is possible. The second is: be efficient; the only way to achieve what you're actually trying to solve for is to be efficient. Focus on the people: there have been a lot of talks this weekend about the sort of human psychology and the human part of security, so I want to talk about that a little bit. And then embrace collaboration. I think it's very important, as a follow-on to focusing on the people and working with other humans, to collaborate with them in order to achieve some of these goals. For what it's worth, since I do see people taking pictures, I have a recap slide at the very end; it'll be super helpful, I think, but feel free to take pictures if you like.

So the first one here, we're going to talk about operating in this reality. There's a bunch of stuff that goes into this, as there is for each of these. I'm not going to outline or do an exhaustive list or give you a perfect list of things; I'm just going to go through a couple of things. The first of which here is: there is an infinite amount of work to be done. This is especially applicable in security, but the reality is kind of everyone has an infinite amount of work to do, and humans are very good at generating work. We pretty consistently will solve one problem and then three more will crop up

out of nowhere. And we see this throughout history; it's what's led to a lot of innovation, it's led to a lot of advancement in technology, and it's generally made us better at working, but it seems to be consistent that we are good at generating our own work. On top of that, we don't have enough time, money, or people to accomplish everything. People who are managers experience this quite frequently: tight budgets, lower headcount, these kinds of things. But even outside of that, if you're trying to hold a good work-life balance and you don't want to work all 168 hours a week or whatever, you don't have enough time to do all this work. To make things even more complicated, attackers are less regulated than you. They don't really have rules, or at least their rules are far more favorable to them than they are to you. We have regulations, we have compliance, we have not doing illegal things to worry about, and that makes stuff complicated for us. Additionally, nothing we do will work forever. I think everyone here has experienced coming back to something that used to be great, or used to be quote-unquote perfect, and saying, oh well, now I need to do more work on this to actually achieve what I was looking for. Some people will talk about continuous iteration and why you should always be thinking about improving yourself; it's basically that nothing you build is going to last forever. And then your plans definitely change. A great example of this is, in 2018, 2019 I think we were all still thinking about securing the office, and then 2020 happened. Something happened in 2020, and everyone had to work from home. Now we're talking about securing distributed workforces, and nobody had that on the roadmap at the beginning of 2020. Nobody had to figure out how to secure people's Wi-Fi, or the Wi-Fi of people who don't know what Wi-Fi is and now are trying to work from their homes. So your plans will definitely change, and I think that throws a wrench in all this idea that perfect can be done.

You have constraints. There are tons and tons and tons of constraints, but the one I really want to outline here is that the business is number one. In the vast majority of cases (nonprofits and other businesses similar to that notwithstanding) businesses are here to make money. They want to achieve some goal, they want to bring in money; that is always going to be their number one priority. I think people like to believe that security could be the number one priority, and maybe I'm a cynic for saying this, but it's unlikely to ever be the actual number one priority. You can get it up in the priority list; it probably will never

be number one. And then budget constraints are very real. This is again something I think a lot of people have experienced, but just to throw some stats at you: 11% of IT budget on average across US and European organizations is dedicated to security, and this kind of varies depending on the industry that you're in; healthcare is far less than this, software development actually tops out around 18% of the budget. But on average this is actually less than or close to about 1% of an average total annual budget for a given company, which in the grand scheme of things just isn't that large. Additionally, 60% of companies across the same span reduced security budget due to economic downturn. Well, I don't know how you think about this year and last year, but this is basically where this came from: everyone tuned their budget back. On top of that, two-thirds of US organizations reeled back security hiring in 2024. I was affected by this; a lot of my friends were affected by this. It's not zero hiring, but it's significantly less than the quote-unquote infinite hiring and headcount that we got the last 10 or 12 years. So you have constraints that you have to operate within. The business is always going to prioritize itself, you're not going to get all the headcount you want, you're not going to get all the budget you want. You have to accept this as a reality and operate within that.

So what is my recommendation for operating in this reality? The first of which is to mind your business, and this doesn't actually mean "mind your business"; it's more like mind your business. You need to understand what the business priorities are and what their needs are, and then you use that knowledge to inform your approach. The other way you can say this is: be a business enabler. But the general idea here is they brought you here to do security for them so they can succeed; you need to play a part in that role. The other one here is know your risks. There's a lot of stuff that we want to do that we don't get to do, partially because of the business, partially because of budget, headcount, whatever, but the idea here is that if you know what the things that you can't do are, and you categorize those as risks, you'll (a) be able to keep track of them, but you'll also be able to frame those risks as a way to get additional investment. I think most of us have experienced this reality of "give me more headcount because I want it," and then the business just says no, because that's a terrible reason. But if you can actually frame a risk for a business in a business context, you're more likely to be listened to, especially if you can articulate it to

the people who are not security folks and say, like, oh, I don't know, maybe we should encrypt laptops, because when all of our customer data is on a laptop and it gets stolen, that'll be several million dollars of expenses. The third one here is plan for exceptions. There are exceptions to everything; this is sort of a universal truth. If you expect them and plan for them, then a couple of things will be true: you'll be able to keep track of those exceptions for if and when you need to review them or renew them or whatever, and they'll also irritate you far less if you know they're coming. So when you have this new process, this new whatever, and you expect it to be bulletproof, just expect that there will be exceptions to that thing, and you're going to have to monitor them and keep track of them, because they will be risks. So that's operating in this reality.

Let's talk a little bit about being efficient and what that means. The first thing here is that energy is wasted on the wrong things all the time. This is true at work, this is true outside of work. It's not always bad to waste energy, but I think frequently, when we're trying to be the best at our jobs, and especially in security, where making mistakes is sort of detrimental in a lot of cases, wasting energy on the wrong things can have outsized impact. Sometimes this looks like being solution oriented: I want to buy this tool, I want to roll this thing out, I want to do X, Y, or Z. The reality is, I think a lot of us start from that position where we say, these are the things I want to do, and because we have intuition and knowledge that we've built up over years, you say, well, I can approximate this sort of outcome from that. And that can be good; it sets broad direction, but it does often mean you kind of wander to the outcome you're actually looking for. Oftentimes this is focusing on the cool or new or novel stuff. I think we all fall victim to this; you know, we're a bunch of raccoons, things are shiny, we want to try them out, see what happens. And then frequently that ends up in us getting ahead of ourselves, this idea of, like, we're going to roll out this cool new thing, it'll be perfect, it'll fix everything. We roll it out, and then nobody's ready to use it, so it just sort of sits and collects dust until you then go and do the foundational work that you should have done first that leads up to this thing, this shiny, cool, new, novel thing that you actually did implement. The other thing that we do

frequently here is we cut off our nose to spite our face, or our backlog in a lot of cases. This first bullet right here, not-invented-here syndrome, is something I think a lot of companies sort of pride themselves on, and quite frankly I think it actually leads to their detriment in a lot of cases. Let's talk a little bit about this first. There was a study back in 1982 that dove really deeply into this and what this means, and basically defined this as "the tendency of a project group of stable composition" (so, a team) "to believe that it possesses a monopoly of knowledge in its field, which then leads to rejection of new ideas from outsiders to the likely detriment of its performance." And if you go and look at the study and the data that's in it, it basically suggests that the performance goes down. But there are some things that we've learned over the last several decades from this that support this idea. The first of which is that not-invented-here syndrome actually does impede innovation, as much as people tend to say that it doesn't; like, oh, look at the cool thing that we built with our knowledge in our space. We know that what ends up happening is, if you don't look at the people around you, if you don't look at the companies around you, your network, your whatever, you tend to ignore the other people that are solving the same problems that you are, and given that they have different experiences (some of them might have more time or money or budget or headcount), you will end up ignoring some of the progress that they make that you probably could have learned from, and avoided some similar mistakes. The other thing here is kind of tangential to this, but it hinders external relationships, and the idea here basically is, if you're only paying attention to yourself or your team and you're never interacting with people outside your company, you're going to have a hard time building those relationships. But then this similarly applies internally: if you're only looking at your team, or you're only working with your organization and not working with people around you, you're going to make those relationships worse as well, or they won't improve, as the case may be, or to the degree that you're expecting them to. The other thing here is the new good old bad stuff: tech debt. Everyone's talked about tech debt; I'm not going to go into a ton of detail on this because I think it's pretty self-explanatory. But one of the things we've found over the last several decades is that tech debt slows people down. There's a certain amount of it you can get away with, because it's not always the thing you should be focused on,

but if you, for example, have a languishing dependency in, like, a monolithic part of your application that gets further and further and further out of date, to the point at which it's not months anymore, it's now years out of date (or hopefully not decades, but I suppose it could be), think of the amount of effort it's going to take you to eventually fix that when that zero-day does drop, because it does; they do, it will. Then you're going to have to stop the whole entire team and work on that one dependency for six months, when you probably could have put a little bit of effort into it over the course of many years to keep it up to date.

So how can you be efficient? Next slide for this. You can be goal oriented or outcome oriented, however you want to phrase this, but the general idea is: identify the outcomes that you are looking for. I want access management to be easy and consistent and transparent; I want all of our third-party dependencies to stay up to date all the time. Like, choose the outcome that you're looking for and then use that to work backwards to the solution that best fits your environment. You might find that you were right, that the thing that you wanted to roll out is actually the right answer, but sometimes you'll find that something else will fit the bill better. Avoid reinvention. This is "don't reinvent the wheel," clearly, because of the wheel emoji; I just couldn't get it to fit on two lines. But the point here is: learn from the people around you. Especially in this industry, we're all kind of solving the same problems on repeat at different companies all the time. It's all about preventing vulnerabilities, making access more intuitive and sort of least privilege, stopping attackers, being defensive, all that kind of stuff. Not a lot of it is new and novel conceptually, and so you have these peers and connections around you that are doing kind of the same work in the same trenches that you are. Learn from those people and use that knowledge to sort of improve your strategy or your execution against some of these problems. And then burn down backlogs. This is kind of an obvious one, I guess, but the reality here is, given the sort of third-party dependency or whatever other thing example I gave before, you want to make sure that you're actually taking care of those. You know, that last doctor is active in your bug bounty program is probably very likely. So that's being efficient.

Let's talk about focusing on the people. This is, like, a personal sort of passion for me. I think that security is a human problem; I think we've heard this a number of times. Earlier today, Cassie

Clark gave a great discussion panel on why this matters so much, and basically just outlined that humans are the ones that are involved in security. We use computers to do it and we use software to do it, but the reality is it's people for the most part, and so that's the thing we have to pay attention to. A couple of things that are fairly common knowledge, I suppose, but almost all attacks involve humans in some way, shape, or form. These two are from the most recent, yes, the current Verizon DBIR report that came out last week; something that's very small, 68% of breaches involved the human element in some way, shape, or form, which is the vast majority. Turns out that number went down from 2023, which is a little bit on the surprising side, but it's still way over 50%, and it's because humans are fallible; it's because humans are easier to trick than a computer in a lot of cases. Notably, pretexting, phishing, and extortion combined account for 96% of breaches related to social engineering. So, like, people are doing this, attackers are doing this quite a bit. It's not going to go away; it's only getting more complicated, given that it exploits, often manipulates, psychology, right? Pretexting, phishing, etc. It makes humans very vulnerable to kind of elementary attacks in a lot of cases. And then, just kind of continuing on this, human behavior is very human. There are a lot of things to know about this, but I think it's good to assume good intent from the people around you. Most frequently, I think, people want to do the right thing but they don't know what that is, and that makes things complicated, especially as they try to go about their jobs and they don't want to bother you with every single question they have all the time, or they go look things up and they don't understand what they're reading to the level at which, you know, a security professional might. It makes things challenging. Additionally, convenience often outweighs process. We put a lot of processes in place, and quite frankly most of them are high friction, or many of them are, and that makes things complicated, especially when you're dealing with people who are trying to be high performing or are high performing, very skilled. If you get in their way, they'll figure out a way around it in many cases. You know, "this doesn't work for me, it's making my job harder, it's making it more difficult for me to succeed, it's making me look worse, so therefore I'm just not going to do that thing that gets in my way, because if I go over here I can still do my job." Additionally, retraining habits is very challenging. This is a broad

psychology concept, but it takes on average about 66 days, or two months, to form a new habit, and that's only if you don't have a preconceived notion of what that habit should be. This then starts to vary quite a bit depending on, sort of, your mental fortitude and a variety of other things, but if you have to unlearn an old habit and then learn something new within the same space, it's even more difficult.

So how can you focus on people? First things first: design for humans. I think a lot of people think about designing for computers or production environments or laptops or whatever, but the reality is we are the ones interacting with all of this, and we are the ones that are going to figure out creative solutions for how we want to achieve the goals of our job, whatever it is we're trying to do. If you think about what those people are doing and how they're approaching their work, it'll be easier to conceptualize, like, here's the thing I need to secure in order to make myself feel better about the production environment or the corporate environment or whatever it is. Build paved paths. This is definitely not reinventing the wheel; I did not originate this at all. This is kind of, I suppose, a Jason Chan-ism from many years ago. Netflix did a great talk, I believe at BSides back in 2018, about this whole entire thing; it's up on YouTube, go look at it, it's very, very cool. But the idea here is that you need to empower autonomous and responsible teams by building these wide paved paths with strong guardrails so that people can't go do asinine stuff. But if you give people the freedom to do their job within a sort of broad swath of options, first of all they will appreciate it, but they'll be able to execute against what they're trying to do in a much more efficient and effective way. This one is reduce friction. I believe that making the secure way the easy way is the thing that people should be doing. It's kind of adjacent to human psychology: if it's easy and it's cool and it's fun and it's, you know, like a slip-and-slide or whatever, people will probably tell their peers that, hey, this thing that security is asking me to do is actually easier and better and gets out of my way more than whatever it was I was doing before. If you make it very easy for people to do those things, they will tend to do them. I think traditionally we've tried to add friction, and there are some places where that is appropriate, but the vast majority of the time I don't think it is. A good example of where it is

appropriate is, like, MFA. MFA is friction; nobody really likes it. It's getting a little bit better, but the reality is it's kind of necessary, so that's good friction, but there's not a lot of those. So this is focusing on the people.

Let's talk about collaboration now; it's kind of the last pillar here. Teamwork makes the dream work, or something pithy like that. I've been a manager for a lot of years, so I have a lot of corny phrases, but I think this is very real. This is not just a work thing. If any of you folks have played sports or been involved in any other sort of teams outside of work, this is kind of consistent everywhere. We know a bunch of things about teamwork. The first of which is that groups outperform individuals in the vast majority of cases, and even further on this one, super interesting, is that if you have a group of people who are far less talented or experienced or knowledgeable than a single person who is extremely talented and knowledgeable, that group will still likely outperform the individual. So we know that. We know that teamwork makes for happier employees. I think we've all experienced kind of working on things in a silo, or off in a corner by ourselves, exacerbated by work from home, where you don't get to run into your colleagues and your friends; you just sort of sit in your office all day long until it's time to get off and you go upstairs to wherever. Working together does generally lift spirits for people. Working together on problems, and helping solve problems, when you kind of go through some of these hard times together, on the other side the outcome of that is much more positive. The other thing we know here is that teamwork benefits from differing perspectives. We've been hearing about this a lot in the last however many years, especially with respect to diversity and inclusion, but it applies all over the place. The idea that somebody's different experience from mine can bring a different perspective and potentially help me solve a problem in a better way is very, very applicable. So when you have people working together as teams, not just as colleagues that are kind of doing the same thing, but working together with each other to solve these problems, you'll end up solving those problems in better ways because of the experience and perspectives of the people you're working with. The other thing here is we as a security industry have kind of generated this perception that we're the Department of No, or No-as-a-Service, as the kids call it these days; this idea that we just say no and we block people all the time. People come to us and we're just like, you know

what, that's a terrible idea, you can go away with that. It's led to all kinds of bad things, primarily because constant rejection is really not fun. If you go to anybody else and you're like, I have an idea, and they're like, no. Okay, I want to roll out this. That's also a bad idea. Well, can I try this? No, and go away, because I don't like your ideas. It just becomes one of these situations where I want to avoid the security team. Every time I talk to them they just tell me no; they just tell me my ideas are bad and I suck, and so what I'll probably end up doing is just not talking to them, and then do the thing I need to do, and if I get caught, I suppose I'll ask for forgiveness, because people tell me that asking for permission is not very effective. The other thing we do a lot of is these high-friction controls. I kind of talked about this a second ago, but this idea of, like, we're going to add friction to stop an attacker, or an insider threat: in theory it sounds really good, but the reality is you're probably also slowing down a bunch of the people that you work with, and that's challenging. If I operate in an environment where it's difficult for me to do my job, it will stress people out, it will make things harder to accomplish, and so I will then go look for the convenience to sort of bypass process. And then we all, I think, are responsible for some of this, but policies that are just kind of dumb. I like to pick on VPNs. VPNs have a use case; they are valid, they are valuable in some places, but I think we tend to smear VPNs on problems like peanut butter, like, oh yeah, if you use the VPN we'll totally be secure. Okay, secure from what? Like, what are we trying to solve for? As an example, I recently had to work with a partner who tried to insist that the only way we could work on their data was to be on a specific VPN, not even a VPN that I maintained. So first of all, that's crazy; I'm not going to jump onto somebody else's VPN just to work on partner data on my own product. But second of all, why would I do that? Why would I have a VPN, you know, that's based in Europe or whatever, and have to round-trip from Seattle to Europe and back to wherever I'm trying to go just to do the thing that they're asking me to do? Not entirely sure where that policy came from; I did send them some more polite feedback. But the idea here of, like, why

is the why does this policy even exist and especially if you don't explain why the policy exists a lot of your policies are just going to seem kind of dumb to people so how do we Embrace teamwork be a team player this one is kind of an obvious sort of no-brainer statement but this idea here of understanding your role and the roles of the people around you can actually make everybody more effective as an example I grew up playing soccer quite a bit I was a Defender uh my whole career if you will uh spent most of my time as a sweeper or on the left side the whole entire time I played soccer I enjoy it

it's very fun for a long time I would just get the ball and kind of clear it up because I like kicking a soccer ball really far eventually I kind of found that that's not very effective and what needed to happen was I need to understand the role of offense or the midfielders so that when I do just clear the ball out of nowhere I put it in a place where they can be more effective put it in a place where they can run plays put it in a place where all the things that we've done for practice we can actually execute against and then lift all boats around you right if you are trying to be

empowering to people if you're trying to be collaborative you will end up being the tide that raises all ships and so this idea basically is if you are helping empower the people around you so that they can do their jobs more effectively and then hopefully also do it more securely because you're helping them uh everybody will get better you'll achieve your goals they'll achieve their goals everyone will like it and be happy and rah rah it'll be great and then be the department of yes I gave a whole entire talk about this uh at Teleport Connect about two years ago um but this idea of trying to say yes more frequently than not actually leads to far

better outcomes people think you're approachable people think you're helpful they think you're considerate and then when you do have to say no because you're saying yes most of the time people generally stop and say oh dang uh they don't normally say no why are they saying no it makes people stop and sort of question that as opposed to the inverse where you just say no all the time if I do come to you and eventually say yes be like oh my God they finally said yes but it'll probably be another two years before I get another yes out of them so I should just continue to avoid them so what now this is kind of the big

question here um I said this earlier but I think that a lot of this applies to industries outside of security uh I actually think it applies outside of work in a lot of ways kind of depending on the thing you're trying to do and so I think you should bring a lot of this back or consume this and try to figure out how it applies to your environment a lot of the things I've outlined very intentionally are goals to achieve and basically ways to do that and so like how can we get there like I said take this home with you right bring this back to your work your colleagues apply these concepts broadly security is not the only

place that this applies to um I think you will see success I have been talking about this general concept for years I think I've got four or five of my employees right here in the front who probably fell asleep because they've heard me say this so many times and I've applied this at Discord in previous places and it's been easier for me and my teams to interact with the people around us uh I work right now in an organization where engineering broadly speaking loves security and that's kind of unheard of it lets us get a lot of things done it buys us a lot of goodwill with the people around us and then when we do have to say no people stop and ask

why we're saying no oh wow this must be a big deal um this is important but look at yourself and hold yourself accountable to some of these things it's very likely that you're not as good at the things that you say you're doing as you think you are um I believe this I constantly am looking at me myself and my team and trying to think about how can we be better at the things that we say that we're doing such that I mean a we don't sound hypocritical but the goal is not to you know CYA the goal is to constantly improve this environment for people if we have a great baseline but we can continue to elevate that that

makes the work environment considerably more uh um appreciative considerably more fun to work in which is this last one have fun I think a lot of this kind of stuff is very difficult um especially kind of executing on ambiguous stuff like uh reduced friction like what the heck does that mean I think if you think too seriously all the time or you try to solve problems in like serious robot mode all the time you know all work and no play makes Kevin a dull boy is very very relevant um I think injecting some fun into the environment especially given that we are mostly defending against very very bad things happening and constantly thinking about the worst

case scenario will make things easier for you so like I said I do have kind of a recap of all the things if you feel free to take pictures of this I think this deck is going to be up somewhere and I think this I believe this talk is going to be uh recorded and published but feel free to take a look at this this is all the different um one two threes that I had in here and that is it thank you very much

yeah I can do questions uh any questions in the room um you can ask or was there slid thank you I appreciate that but yeah I'll put perfect I'll put it somewhere or they will I don't know I'll make I'll make sure it's available there's also a Slido I think bsidessf.org Q n a like Q letter N A if you want to throw questions in there I think the mic is not working if you want to speak up R uh that's fine yeah you got a question shout it out there you go thank you what what what led to you thinking that you could never have perfect security other than just Cam that broke

you damn uh what led me to believing that I couldn't achieve perfect security uh other than bureaucracy cuz it's always that one thing that breaks you it's always the one thing um I don't think there was one thing for me I think uh actually this probably started really early when I uh I've written and recorded a lot of music um and it is an infinitely long like list of experiences where I think have done something really really well or tracked something and it sounds perfect and you go to mix and master and then you hear it for the first time in your car after you've spent all this time and you're like [ __ ]

that part sucked um and like the amount of effort that goes into that especially with music for me it's very like passion driven then just to realize that I can't actually do it perfect sort of led me to believe that a lot of these approaches are like this uh a more business relevant answer I guess would be I spent a lot of time at startups and you kind of can't focus on everything like you just don't have the time things are moving very quickly and so you have to be very specific about what you do choose to do and then kind of forget about everything else but also sort of remember it so you can do

later thank you

hi I wanted to know um how you balance between not focusing on the cool shiny new things and also looking at your peers around you and trying to do the things that they're doing that seem to be working yeah how do I balance that um I think more often than not the cool new novel stuff is just shiny and I think like from experience I've rolled out a bunch of the cool new novel things like I made the mistake of rolling out vanilla Kubernetes at a place one time uh don't recommend that um and it was cool and new and shiny and novel and then we started rolling it out and maintaining it realized how freaking

hard it is and that that like I talk I've been talking about that experience for years actually but um I think that reality of like it looks shiny at first and then it still becomes work later is really relevant in that context um when I think about working with the people around me I think one of the things that's nice about this industry is like industry Slacks and other like working groups where uh we're all working on vulnerability management and vulnerability management everywhere is awful and terrible job like but it's something that we have to do you know we gotta floss eventually um trying to figure out like this originated for me is like trying to

figure out how to make it less bad and eventually it was like uh be more goal oriented you know I have said this many times where I like don't want to be you know spreadsheets of CVEs then cat herding people because it's just a terrible experience nobody's going to do anyway and so how can I figure out how to make that less bad and work backwards from there and often times the cool new novel thing might be useful but the reality is if you focus on like what you're trying to get out of it you'll tend to find more often that the less cool shiny stuff actually helps you achieve your goals in a more reasonable

way and that feels way better thank you any other questions in the room John oh yeah so I guess like in a more uh like talking more about that the last question um when have you like gone down the novel shiny and then like like you know decided was to pull the parachute because it was like not achieving your goals like you know going down the uh the like side quest or like not the quite the branch you're looking for right and then like when do you like you know how how have you dealt with like trying to to go get back aligned where you need to be yeah I mean the the Kubernetes example is a real one um at

the time we evaluated just rolling our own uh instance of it or deployment of it and versus like EKS like the Amazon hosted Kubernetes um for whatever reason chose to do it ourselves got way down that path realized how much work it takes to do that by ourselves and like what the value of managed Kubernetes actually is um and then you kind of start thinking about the sunk cost fallacy of like yeah we went way far into this and we should totally keep committing to this awful terrible idea uh but the reality is like we should have we should have pulled out of that earlier and the real real part of that is like basically the moment I left that

they replaced it all with EKS it was like okay the idea here then being of like the shiny thing is what got me here and then we didn't stop to think about like is it still achieving our goals or is it still meeting my needs the answer would have been no if we had stopped at any point and then you go back and actually do the thing so you don't waste so much time like that that experience weighs pretty heavily on me I actually use that as my like project retrospective when I was interviewing at Discord and my boss laughed at me it's probably why I got the job so you spoke a little bit about

partnering with the business and understanding uh kind of what their objectives are how do you work with folks who are newer in their career maybe mid-career who haven't thought about those things before how do you start to to help them understand those aspects yeah my opinion on that is if you understand the business and since you are typically in a leadership role you are more closely connected to the executive team and like what the business is trying to do you might have more uh business data financial data whatever being able to encapsulate that and kind of boil it down to people who don't have experience like the years of experience that you have looking at that

and explain to them like hey the things that we do have this impact on the business and so if we execute like in the wrong way you know and revenue goes down or something like that the first thing the business is going to do is get rid of us not that you should frame everything as like a threat or like do fear-based anything but it is a reality right the business will cut things that are hindering it from achieving its goals and that's very relevant to all businesses and if people are junior they're going to learn that lesson at some point in time my preference is to learn it by hearing about it not by experiencing it um so I try to frame

things like that for the more junior folks I also just like talking about business so uh that tends to help thanks uh there's one on the Slido um so the question is there's there were a lot of good learnings from your talk if you have to emphasize one point from your talk which one would it be oh boy um design for humans probably uh the idea that we could approach any of these security problems by designing for computers kind of immediately gets defeated by the fact that attackers are human and that like the points I made earlier of like attackers take advantage of humans more often than not if you can focus on designing for humans a lot of

things come from that you design the right stuff you implement the right things but you also can't design for humans appropriately without being empathetic and sort of understanding where people are and so that connects back to all these other things being a team player uh you know avoiding reinvention like all this kind of stuff so maybe that's a cheater answer but uh design for humans thank you uh any more questions in the room all right thanks thank you G I appreciate your time and yeah