
Let's Do the Timewarp Again! A Look Back to Move Forward

BSidesSF 2026 · 40:33 · 52 views · Published 2026-05
Speaker: Anna Westelius
Style: Keynote
About this talk
A keynote reflecting on two decades of security challenges the community has overcome — from cloud adoption missteps to the shift-left movement — to argue that the industry is well positioned to navigate the current AI-driven paradigm shift. Westelius offers six reasons for optimism, drawing on perspectives from peers across public and private sectors, and closes with a call for practitioners to share ideas, support nonprofits, and engage with the community.
Original YouTube description

Let's Do the Timewarp Again! A Look Back to Move Forward
Anna Westelius

Anna will discuss lessons learned and in-depth examples of foundational security approaches that have fundamentally improved over the past 20 years to address challenges that may have felt insurmountable at the time. The security industry is facing a large set of new challenges, as cybercrime has matured and technology is changing, and many are feeling a sense of dread in the face of what's next. This is intended to anchor the audience in our shared power as a community and hopefully inspire attendees to walk into the rest of the event with some optimism. https://bsidessf2026.sched.com/event/941fdd49b30474f8511e972fe7925cd0

Transcript [en]

And without further ado, I'd like to introduce today's keynote speaker, Anna. Anna is a former security researcher and analyst turned technology strategist and security leader. She currently leads security, privacy, and assurance at Netflix. Welcome to the stage, Anna. >> Thank you. Wait, please. How do I... Sorry. We're going to also get this set up first. Also, for the people at the door, there are more seats I think over here at the end, since I saw some people looking.

>> All right, I'll figure this out. Thank you. >> All right, got to shake out a little bit of nerves first. I feel like no matter how many times you do this, you never really get used to this. It's a pretty impressive theater. So hello everybody. Welcome to my talk: Let's Do the Time Warp Again. A look back to move forward, learning from challenges and innovation from the past to find inspiration for the future. And like Reed mentioned, there is a lot of stuff going on right now, and I know that can feel really overwhelming. And so I'm hoping to share some optimism today as we move forward to the next phase.

And so first and foremost, for those who are like, "What the hell is a time warp?": a time warp is an imaginary distortion of space in relation to time whereby people or objects are sent to a different period. But doing a time warp is an iconic, easy-to-follow dance from the very famous musical, The Rocky Horror Picture Show. And I was hoping that we were going to do some dancing today, but it turns out that getting 600 people to stand up and do a dance in an orderly fashion and then sit back down again is not really feasible in a 45-minute slot. Ah, I agree. I agree. And so, a quick look at the agenda today.

First, I'll do a brief introduction of me and this topic. Then I'll talk a little bit about a paradigm shift that I'm observing in the industry today, and then I'll look back at some historical challenges that we have overcome as a community. Then I'll summon the voices of some of my peers, friends, and industry experts to use them as inspiration to take a look ahead, and then I'll wrap us up and I'll talk about your role in what's ahead and some key takeaways and action items. So, first and foremost, hello. My name is Anna Westelius, and I'm really, really thrilled to be here. This is one of my favorite

conferences, and it's really nice to be invited at a time that feels so pivotal to this industry and this community. Musicals are also near and dear to my heart. I'm a great musical lover. So please, if you see me in the hallway later, let's talk about my favorites and yours if you have them. And a little bit about me. I've spent the better part of the last two decades in a variety of security roles. I am originally from Sweden, if you couldn't pick that up from the accent. And I'm a longtime community organizer. I have worked several conferences. I have great respect for all of our friends here who are here working hard

this weekend. And I've also been engaged in many nonprofits trying to increase fluency in cyber security and adjacent topics, to get more people into the industry. And I also currently have the honor and privilege of leading security, privacy, and assurance at Netflix. And so the idea for this talk came from a conversation I had with a few people at an event in Northern California at the end of last year. One thing was really clear: we were all feeling really stressed and anxious about what would come next, and it felt like we were already behind. One person, though, showed up with great optimism and inspired me to feel a sense

of, you know, happiness about the future. And I was hoping to pay them forward today. So what is it that I am seeing in the industry right now? I believe that we're accelerating towards a paradigm shift and we're reaching a pivot point, if we haven't already. The cyber security industry has matured over the past several decades, both on the offensive and defensive sides. We are seeing that things are more connected than ever before. Cyber crime has matured as an industry, and AI is changing the fundamental principles that we rely on. Up until recently, I would have said that non-deterministic access control was an oxymoron. But it actually seems to be the

direction in which we're headed. Additionally, technology has never been so accessible as it is today, which is super exciting. More people than ever have access to technology, and they're using it in new and exciting ways. However, that means something from a shifting-risks perspective. Our defensive mechanisms tend to scale well in stable, well-understood environments where we can build platforms to scale. More and more different users using technology in new and more different ways means that the urgency to scale increases exponentially. So it's not surprising that a lot of teams are feeling the weight of this fast-evolving threat landscape, not to mention the significant jump that we're seeing in AI just over the past few

weeks or months. However, this isn't the first time that things have evolved dramatically, and I think we can learn a lot from our past. And to be clear, this isn't just about AI, although AI does play a huge role in this. It's about reach and speed and scale. And it's about people's relationship with technology and a set of technological evolutions that in combination challenge the foundations that we rely on. We're talking about massive-scale cloud computing, including but not limited to considerations around post-quantum, large language models, and increasingly global, complex supply chains. And it's hard to say what sort of impact this will have long term, but it is certain that it will stay and

continue to evolve. And it is also certain that we all have to raise a certain amount of optimism to get there and roll up our sleeves collectively to make sure that we're getting there safely. So to say that security people are inherently optimistic might be a bit of a stretch. But I know that there are plenty of us among you. On one hand, we're blessed or cursed with really good pattern matching skills. Our job is literally to imagine the worst case scenario at any given moment. Yet many of us stay in this field because we believe that we can have an impact and that we can make a difference for a safer future. Is it optimism?

It is a superpower, at least, to be able to always imagine the worst possible outcome yet show up every day with creative and innovative ways in which we can solve the core issue. However, I think it becomes a problem when we're trying to do this alone, and we will fall behind if each of us individually is trying to solve this in silos. So as a community we carry incredible power, and what has inspired me, or for the longest time kept me in this field, is our willingness to learn, experiment and build together. Our industry is founded upon principles of sharing, and innovation happens across corporate boundaries, not within them. And so many of our modern

standards and foundational building blocks are operated and maintained by nonprofit organizations that take on really big challenges outside of their own purview. So let's look ahead, or look to the past a little bit. But first, I will see how far I can stretch this musical theme and borrow something from theater and storytelling for a minute. Please bear with me. In dramatic storytelling, such as musicals, there is something called a story structure. A story structure is a framework that organizes plot events into a cohesive and meaningful narrative. They can look very different depending on which culture they originate from, but they all serve the same purpose. The idea is to make sure

that the viewer or the reader remains engaged. It is also there to offer an element of predictability, which is really important when we think about crisis and change management as well. One of the most common story structures consists of an introduction, a buildup or what is referred to as a rising action, a crisis, a falling action or a montage, and a resolution. If we overlay that with our timeline, right now it feels like we're entering a crisis point in the plot. That can feel really, really scary. But in dramaturgy, that is when all the things we've already learned finally pay off. We are building up towards our own montage. And I make this analogy not to instill a

sense of impending doom, but to say that if history has anything to say, we will have a lot more instability before we land in a resolution. And it's really important that all of us roll up our sleeves together in order for us to land in a safe one. And so, per the masterpiece, The Rocky Horror Picture Show, let's do a time warp. Let's make a jump to the left and take a step to the right and look back at the history of cyber security and a couple of key moments where it felt like the rug got pulled out from underneath us, but we landed better than we were before. So let's go back in

time. That seems to have worked. We're in monochrome. For our first shift, we'll go back to the early internet. It is really hard to remember just how different all of our assumptions were. The networks were small, mostly academic and research-driven, with a handful of curious tinkerers in early companies. The priority was experimentation and reach and connectivity. Security wasn't so much an afterthought as it wasn't a thought at all. Traffic moved in plain text. Credentials were often sent and stored openly. Sensitive configurations were shared broadly across public mailing lists. Protocols were designed to talk to whatever could talk back at them. As more and more things got connected, that quaint open-by-default design

ran into reality. Data needed to be protected so it wouldn't get compromised, abused or stolen. And it started to happen at scale. For a while, the response was uneven and awkward. Some experimented with HTTPS, but inconsistently, and certificates were really expensive and painful to manage. It was easy to say that we should be secure but really hard to do so at internet scale. And yet over time we went into our montage and we did exactly that. We moved from a world where encryption was the exception to one where it was the baseline expectation. Protocols matured. Browsers started warning users about insecure pages, and organizations like Let's Encrypt emerged, making certificates free and automated, lowering the barrier of entry

that had felt immovable for years. Over time, we relied less and less on heroics and more and more on the system itself to be more secure. And none of this happened overnight. It took years of standards work, countless bugs, and more than a few painful incidents. But we were a community willing to push relentlessly for a safer default. And if you take a step back and look at the arc, it is quite remarkable. We went from an internet that was in practice fully open to one where everyone's connection is encrypted and they don't have to think about it. And then something else happened, and we are becoming pixelated as we move forward in time.

If the early internet was about realizing that confidentiality and data security actually mattered, the worm outbreaks were about realizing that our availability and resiliency were not in a good spot. One of the early worms, the ILOVEYOU worm or the Love Bug, infected over 10 million Windows devices and caused billions in damages worldwide. At the time, it was considered one of the biggest computer-related disasters. After Love Bug, things heated up and we went for slightly cooler names: Code Red, Slammer, Blaster, Conficker, NotPetya, and WannaCry. If you were around, you probably also remember the feeling in the room. One day everything feels fine. The next, suddenly phones start

ringing, screens start freezing, and suddenly everything feels like it's on fire. One exploited service, one unpatched vulnerability, one malicious device connected to the network, and in minutes entire networks were flooded. Systems were rebooting in loops. And people were literally pulling cables out of walls in order to stop the spread. And in some situations, we had to lean on the heroics of single individuals to make sure that really critical infrastructure didn't become compromised. Unpatched critical systems and big, flat, open networks had caused the spread, or at least enabled it. Patching was risky or hard or simply not prioritized, and there was often very little segmentation internally. So once something made it past the perimeter, it was effectively game over

at the time. We also lacked solid vulnerability disclosure processes, and we didn't really do broad information sharing as a community. So there was a point in time where this crisis felt very real. It felt like the next remote vulnerability that got published was going to knock half the internet over, and we could have shrugged and accepted that as our new reality and our new normal. But instead, we did what we always seem to do when the pain gets high enough. We adapted. We started treating patching and vulnerability management as ongoing disciplines. You began seeing blast radius reduction, with containment and recovery as priorities in security strategies. We redesigned our networks so that things like inside and outside were not

the only two states that mattered, and we invested in detection and response as a craft. We built better observability and we shared threat intelligence. We built dedicated incident response teams, and we started simulating worst case scenarios so that we would be a little less surprised and a little more prepared. We also built teams of skilled attackers for the first time, and we wanted them to intentionally break our systems, and we started leaning on crowdsourced intelligence to catch the things that we might have missed. And just as importantly, we normalized these practices. They stopped being exotic or nice-to-haves and became the thing that you needed to do in order to run a serious business. The global worm

that takes down half the internet in an afternoon is far less plausible today. Not because attackers stopped trying, but because we collectively raised the bar. And again, it is not perfect. We still have ransomware campaigns. We still have large-scale incidents. But the world that we live in now is far more robust than the one we inhabited not that long ago. The fire drills teams do today are usually because a new CVE dropped, not because they got compromised. And that improvement happened because we built it and we made systematic change industry-wide. And then as we jump to our third shift, I'm going to take a little bit of water so that you can keep hearing what I'm

saying. But before we go to the third shift, I'm going to pause for an honorable mention. A related shift that deserves a special mention is bug bounties and vulnerability disclosure. This field was pioneered by several people who will be here this weekend. A special shout-out to Katie, who is keynoting tomorrow, as well as Casey, who shared this quote with me. And it was too good to not include in full. So, I will paraphrase the whole thing. When we started, the idea of paying hackers to find bugs was seen as somewhere between radical and absurd. Incentives were broken. Companies punished disclosure. Researchers took legal risk to help. And the public stayed vulnerable to bugs no

one could safely report. Bug bounty programs didn't just create a market for vulnerability research. They reframed the relationship between security researchers and the organizations they were trying to help. They showed that aligning incentives works better than threatening consequences and that diversity of perspective makes products more secure. They created a generation of security practitioners whose first experience was collaborative rather than adversarial. And I could not agree more. This is the community changing the rules of the game, turning something adversarial into something collaborative. And that is what we will have to continue doing moving forward. And now onto the third shift. And we're upgrading our graphics every time, by the way, if you didn't notice. The cloud, for Netflix. It was 2008,

and the company had been shipping DVDs for about 10 years at this point. We were one year into our venture into streaming. Stakes were high and competition for DVDs was really fierce. And at the time we were running our own data centers, supporting both our emerging streaming business and our DVD operations. One day we suffered a major database corruption that prevented us from shipping those DVDs for three whole days. And the choice was clear: let's move to the cloud. And for those of you who don't know what a DVD is, I would just say please Google it. There is a Wikipedia article that will explain how we used to watch movies in the late 90s.

During this time, many companies went through similar cloud transformations, moving from bespoke data centers to cloud service providers, outsourcing not just their infrastructure but, for many of them for the first time, also their security posture. In those initial years of cloud, it didn't come with neat governance, well-baked-in security controls or well-understood patterns. It was super green field, and it felt very similar to how many people are feeling today with the changes that we're seeing in technology: like an overwhelming amount of change that shifted a lot of our very well understood fundamentals. Protecting the perimeter of your local data center felt safe. It felt controlled. It felt like something that you could, you know, put your hands

around. And the idea of putting your data on someone else's computer and exposing that through internet-facing APIs felt insane, but we did. And the first attempts were rough. It started to seem like maybe the cloud wasn't for those with a lower risk tolerance. Many teams adopted a lift-and-shift model for cloud adoption. So, they moved, applying the same rules that they had in their own environments. They moved flat networks into VPCs. They put their S3 buckets public on the internet. They put root keys in wikis and public repos. And traditional security controls struggled with things like ephemeral infrastructure and containers. And a few ugly headlines later, the narrative seemed

obvious: the cloud is insecure, or at least not for the ones with a lower risk tolerance. However, over time, something really important happened. This community adapted again, and we stopped trying to recreate the old data center in the cloud and started using the new security primitives. We innovated within the new boundary, and both platforms and providers developed a cloud-native security model. A model that is now dramatically better than any on-prem setup if used correctly. And at Netflix, we chose to spend seven years rebuilding all of our infrastructure natively in the cloud. And as you all are embarking on these new sets of technologies, I would encourage you this: don't move existing workflows.

Build something native that works better from the ground up. It's going to be more durable that way. I also want to emphasize here that a lot of this innovation did not come from the providers. It came from this community. And many of the ideas we consider table stakes today were presented here for the first time. And so now we have very strong secure-by-default capabilities at both the provider and platform levels. You can get default-deny network policies, private-by-default storage, hardened templates and base images, and secure identity and access from the start. We've come really far from bespoke controls in your local data center. And no, it's not perfect.

Many organizations are still wrestling with getting this right. However, these new challenges we can actually engineer around, and that's the real lesson here. Our biggest wins come from systematic change: things like identity-centric solutions, opinionated platforms and repeatable patterns. So, is this optimism? I think it is really useful to look back at the history and remember how much we've overcome and how much we've actually moved the bar already. All these systematic wins are contributing to raising the baseline. But there are other things that also make me very optimistic about what we have ahead, and I'll talk about six reasons why. But first, let me introduce some guest voices. All of these people were kind

enough to lend me their perspectives as I was putting together this talk: Maya, Casey, Marissa, Clint, Will, Jen, Frederick and Matt. Thank you all for sharing your perspectives with me. These wonderful humans cover both public and private sector. Some hold perspectives from within the security industry, some are independent actors, and some are from differently sized enterprises. And some are leaders and some are individual contributors. So now let's go ahead to six reasons that we're better positioned than ever to get security right. First reason: we're in the room where it happens. Increasingly, security is on everybody's mind, both across public and private sector. Up until two

decades ago, most companies didn't have CISOs. They did not have security teams most of the time, and if they did, we were nestled somewhere within an IT department. Now, for larger firms and more serious businesses, it's standard, and boards and audit committees are reviewing security topics on a continuous basis, and security leaders like myself have an opportunity to hold my company accountable to the right security outcome at a higher level. And on the public side, many governments have created dedicated national cyber security authorities that report directly to top executive structures, and cyber security experts like yourselves are increasingly invited to influence policy guidance and corporate practice globally. So I'll share this quote from Casey:

What makes me optimistic about security's future is how far we've come in shifting from a purely technical discipline to one with genuine institutional and political influence. We went from being dismissed and misunderstood to being indispensable, and that shows our ability to evolve awareness at scale. There's still a long, long way to go, but I think it's important to remember that the idea of a hacker as a strategic asset and not a threat bordered on absurd even 10 years ago. Reason number two: we design for humans and not against them. And so a really big part of getting cyber security right is being honest about the constraints we need to operate within. One of those is human nature. People are tired. They're

in meetings. They are trying to do a hundred things that are not security things. And if your control only works if they're attentive, well-rested, and well-trained, it doesn't actually work. Don't get me wrong, great awareness is fantastic, but a system design that relies on users to find the risky thing is inherently flawed. Now, instead of pretending that we could train that away, we engineer with that in mind. And if we hadn't evolved from a culture of blame to one where we think about human error, we'd be in much bigger trouble as we look ahead. And with some recent advancements in human risk management, we could even think about that completely differently. So Marissa shared: "Looking back at the recent

past, we treated employees like they were the problem. We made them do boring training, deceived them with phishing tests, and locked down their machines. We got really good at noticing when people messed up. But recent trends have made me optimistic that we can change this narrative. The field of human risk management has brought us a way to recognize employees when they do awesome things, too. By focusing on improving security culture, we can start to treat employees like our best line of defense." And I couldn't agree with her more. My third reason is that we started focusing on what actually matters. How do you measure security? Is it in daylights, in sunsets, in midnights,

in cups of coffee? That sounds like pretty traditional security KPIs to me. But no, you should measure it in meaningful risk reduction. And for those of you who know me, you know that I have a pretty strong opinion of the security industry that I've held for some time, specifically about the amount of vendors with absolutely no security people on staff and who seem to be building a lot of stuff that nobody needs, but that looks really cool. It's an ecosystem that has rewarded the appearance of security over substance. This environment was conducive to vendors that produced volume, so alert on every vulnerability, even if that vulnerability didn't matter. Somebody said something. Thank you. I hear

people are agreeing with me. Looking ahead, it seems like the industry is going through a necessary correction. And that seems to be that those who come out successful are practitioner-informed, tried and true, and really narrow in the problems that they're trying to solve. They do one thing really, really well. They're not trying to solve everything for everybody. And at the same time, we're seeing a very inspiring, I guess, trend, which is that practitioners are moving away from treating all of these risks the same. We know that we don't have to patch every vulnerability. We don't have to investigate every alert, and we definitely don't have to treat every endpoint with the same level of

criticality. We're asking questions about things like vulnerability exploitability. We're asking what risks we can accept. And we're realizing that companies have very different risk tolerances and threat models. We are going to do the things that actually move risk, on purpose. And so this newfound focus is what is going to help us move through the noise as we move to the next phase. Two quotes here. "We're better at calling it when we see it. For a long time, we were really good at generating hype and not much else. I think we're going to see less hype around security that isn't achievable and more realistic, reasonable, pragmatic security solutions." Casey also shares that what's emerging now is different:

"The companies starting to succeed aren't the ones that raced the most and shipped fastest. They're slow burners that held the line on actually solving problems. Companies that choose sustainability over growth theater." Reason number four, I think the most important one, is that the barrier of entry has never been lower to become a security expert. I used to reminisce that with each technology abstraction we were moving further and further away from the machine, and after a couple of beers I would probably blame many of the security issues we're seeing on people not understanding what lay underneath. Not only was I very wrong in that, but increasingly I believe that these abstractions are dramatically lowering

the barrier of entry and letting anybody become a security expert or a developer or both. So, if you are a security engineer who hasn't coded before, maybe you get an opportunity to learn to do that as well. Historically, you also used to need a FAANG-sized budget to be able to do serious security engineering. I would know. Now, anyone can do it. Additionally, anyone with curiosity and time can learn these skills as these new tools start to demystify what it means to do security as a craft. I am really, really excited about this one. For a field that depends so much on experimentation and creativity, the democratization of building is going to be

so increasingly important. And I have many quotes on this one, so bear with me as I paraphrase. First, Clint shares that everyone now has an infinitely patient, extremely knowledgeable tutor that you can ask for help on any topic. They can do any research, write docs, and other guides for you. There's never been a better time in the history of humanity for learning anything that you want to do. You're limited only by your agency and your creativity. That was really beautiful. Thanks, Clint. And Will shares that the biggest shift that he's seen is that security practitioners are now becoming builders. We're no longer just operators of security products; we're engineers designing

security systems. Everyone is a builder now, and that's frightening yet exciting. Maya shares that now security engineers code. They're not just telling others what to do, writing policies, writing docs. They're the ones shipping tools. And there's now also more dedicated security tooling than ever before. And Frederick shares that these tools perform research, build infrastructure, do code reviews, read docs, analyze bugs, run tools, file, build exploits, and write way better reports than I ever could. What a time to be alive. And lastly, Matt shares that if AI continues on its current trajectory, we may enter a world where strong security is no longer a luxury good. Security teams will be able to go after classes

of problems that were previously out of reach if they lean in, and that has profound potential. And that leads me to my fourth reason, which is also incredibly important: that legacy might finally be tractable. One of our biggest challenges in this industry has always been legacy. Fixing security for that new thing is relatively easy, comparatively. But dealing with that thing that nobody really remembers how it works, or that load-bearing piece of infrastructure that has too many dependencies, where you're worried that if you restart it everything is going to fall over: that's really hard. And we're starting to see some really amazing research, with companies doing automated legacy upgrades that deal with that massive backlog of things that

no one has wanted to touch for years. And Jen shares that perhaps most promising, AI is beginning to take on the hardest challenge of all: legacy code. Much of the world still runs on decades-old software full of flaws and defects and is maintained through layers and layers of patches. Doing anything about it has long been seen as prohibitively expensive and too risky. But AI tools are now demonstrating the ability to read, understand, and transform these sprawling code bases, and to do so at scale. And Clint shares: for the first time, burning down a decade of legacy risk feels achievable, not mythical. And so my last reason here is that security has never been so well

positioned to be in the conversation from design through implementation. I think that we can pave this from the start. We don't have to bolt on our paved roads after the fact. We're in it from the get- go. And so although it feels like all of these technologies are running really, really fast, they're doing so with a heightened awareness about what it means to do so insecurely. Providers are understanding the leverage to shift left and they are investing in security. These these companies already have relatively sizable security teams and I know many of them are represented here today and they want to get it right from the start. This doesn't mean that it will be perfect, but the foundations

will be there to continue to build on. I think we can put on our construction work hats and start working now uh and pave the way for the future. And sure, it will not be perfect and we're probably not these companies first priority. I'm not that naive, but I'm hoping that we're at least close to second. Sharing here from Will that modern infrastructure forces us to rethink old problems in new ways and that's what makes this moment really exciting. And so, think about that. The last quote that I'll bring in is from Matt and I believe uh that this cover mo covers most of the different things in here. Success in this is not going to be

pre-ordained and it won't come easy. AI has the potential to be destabilizing in the short term. We'll face new threats. Adversaries are adopting these tools too and will become more capable, more efficient and more dangerous. But so will we. It's incumbent upon us to embrace reinvention, experiment and move faster while not forgetting the fundamentals that work. If we get this right, today's security norms will soon look brutally antiquated. And that what that's what makes me so optimistic and I couldn't agree more. However, uh we haven't talked about the most character in the important character in the story. Uh all of you and your role in this. I know that all of this can feel like an insurmountable

amount of change and it really hard to figure out how you fit into this. And I'm going to talk about a few ways in which you can contribute. First, innovation in this field is designed, driven, and supported by practitioners willing to share broadly and loudly. People who help lowering the barrier of entry for others and contribute to the bigger picture. Maybe that's you. Maybe you're holding on to an idea that will change completely how we do security in the future. But please, if you do, share it and share it loudly. Submit to conferences, open source your projects, seek feedback from other people in this community, but don't hold back ideas. We also depend uh every single day on

the work of nonprofits, alliances, and volunteer-driven groups who decide to take on problems that are bigger than themselves or any company. The phto alliance pushing for fishing resistant authentication. Let's encrypt enabling us to move to HTTPS standard bodies search teams educational organizations and local meetups. They are the connective tissue that connects all of us as individuals to the broader ecosystem. Our marvelous uh volunteers all of them here today uh in add who in addition to their day jobs are working to put together events like this one. They are the scaffolding that lets the rest of us build. So, as a former conference organizer and nonprofit um board member, I would like to ask that if you have the

capacity, engage. Uh sometimes all a nonprofit needs is just two hands and someone who can carry stuff, but sometimes you lending their your expertise to them means that they can finally push that standard uh that they've been working on for a long time. So, offer the time if you have it. We al also please sh continue to share information uh when you can. Uh this is most clear in moments of crisis when a new zero day drops or we see a big supply chain compromise within hours defenders all over the world are sharing indicators and they are publishing materials of what they've learned. Sometimes that is through formal channels more often informal ones uh but

the result is still the same. Um sorry ah this is going back and forth. Um one sorry I don't know why this is happening. Uh, one P team's painful lesson uh becomes everyone's early warning. Uh, malicious actors share information too. Of course, they have playbooks and runbooks and they share infrastructure and we have to keep up. So, uh, how are how will you be the type that lifts all ships? Um, when I think about our superpower as a community, it is this. At our best, we are relentlessly willing to learn out loud and pull each other up. And that is going to be increasingly important if we are going to keep up with all the

changes that are happening right now. Please engage in industrywide knowledge sharing groups. Uh learn from each other. Share defensive and offensive tactics. Try to lower the barrier of entry and uh reduce early adopter attacks as you are learning new things so that we can all evolve alongside these new technologies. And in a world where these problems are too big and too interconnected uh for any of us to solve them alone, uh that mindset is going to be everything. But that is also why I think we're all going to be okay because we got all of us in here together. And I think this incredible brain power will collectively make sure that we land in a safe place.

However, it is also okay uh if you don't feel optimistic right now because it can feel really overwhelming. Burnout is real. Fatigue is real. There's a lot of other stuff happening in the world at the moment and you might be scared. You might be excited or worried or optimistic. You might be hopeful or nervous and you might have all of those feelings all at the same time. Part of being part of this community is making space for that too. And when I was discussing this with others, it was clear that not everyone was sharing my optimism. But I think that it is the responsibility of those who feel like they're on top right now to help pull it

everyone else up as needed. And so uh is this optimism uh at least uh we got some good stuff uh and hopefully some of you got of some of my musical references. Uh but to summarize we have done this before and I think that it's the responsibility of some old murky security person to return once a decade or so to remind all of us uh just how much change we have experienced and that nothing is impossible and if we just roll up our sleeves we'll fix this one too. And I firmly believe that there are many more reasons than this that we're better positioned to get security right this time because we are in the

room where it happens. We are invited with policy makers, with governments, but also in top companies. We are designing with humans in mind and so we can use them as our best line of defense. We are focusing increasingly on the things that actually matter so that we can cut through the noise and solve the things that actually moves risk. And the barrier of entry to be part of this community has never been lower. Anyone can become a security expert now. And that's really exciting. And with all of these new security engineers and these new tools, legacy might finally be really tractable. And lastly, uh we are in it from the get- go. Uh and we can pave it from the

start and I would encourage all of you to do so. And so I have a few action items for all of you because like Reed said, you're practitioners, not attendees at this conference. So first and foremost, pick one thing that you can do uh in your sphere of influence that nudges to us towards the better state and think of Bitesf as your own little montage sequence. Please start this weekend. You have two days surrounded by talks, meetups, hallway conversations that are basically designed to help you level up. Maybe this means being intentional uh about how you choose your sessions. Don't just go to the talks that confirm what you already know. Pick at least one

that stretches how you think. Use the breaks in the participant hall on purpose. Uh when you grab coffee and you stand in line, please don't just look at your phones. Uh strike up a conversation to the person next to you. Maybe ask them what has surprised them this far. Maybe what worries them and maybe what has inspired them. If you're earlier in your career, go to the career village or one of the meetups, ask really blunt questions, take notes, and please let people see you. If you're later in your career, go there for the opposite reason. Share your learnings, maybe some of your past mistakes so that those folks don't have to learn the hard

way. And then uh as you move through all of that, don't just let all of this wash over you. Please spend 5 minutes sometime today uh write down something concrete that you're going to bring back with you. And a final thought for me, we might look back at this time and say that was really chaotic, that was really scary, and that was exhausting, but we got through it. And our interconnected ecosystem, our organizations, and the people who rely on them uh ended up safer because we stepped up to the challenge. And we're going to be really proud of ourselves and of each other. and our community for everything that we built together. We did it and we made a difference. Or some

murky old security lady is going to stand at a conference in two decades and remind everyone that this happened because it's just a default now and we have another challenge in front of us. But so to bring this back to the musical theme, um we are not just characters being uh dragged along by the plot in this one. We are collectively the writers, the directors, the orchestra and the stage crew. and we get to decide what kind of final act this is. And so with that, thank you everyone and thank you Besides San Francisco for allowing me the time. Let's do this. like this. >> Let's hear everybody. You guys are all here. And if you're on, you can find the time

war.
