Esteban Gutierrez (@apebit)

The infosec industry is plagued with language borrowed from the military culture. We see this in many products and tools sold by security vendors, the processes we use to do security work, and the ideas and theories used to advance and grow the discipline. I describe this as working under a metaphor: “Information Security is Warfare.” Unfortunately, we see infosec programs fail people and organizations time and time again. Systems are either not built or configured safely or don’t get patched, code develops vulnerabilities, people get phished, credentials get compromised, and people lose time, money, and sanity from having to deal with the fallout. I see this as the result of working under the influence of the warfare metaphor, which causes people to see things in ways that are adversarial, zero-sum, and controlling.

This talk describes how a new metaphor, “Security is Nurturance”, when used as a goal for a security team, flips the traditional paradigms of the security industry and influences new outcomes. When we use this metaphor to inform our approach to how we do security, security goals become less focused on locking access down, building DMZs & firewalls, or rotating passwords (and other adversarial methods) and more focused on processes to help grow the businesses and empower employees with knowledge and accountability. I will talk about a few solutions developed by security teams that exemplify the metaphor, how this metaphor aligns with values focused on enabling people to do what is valuable to them, and a call for change in the information security industry.

Esteban has been warily working in Information Security since before the .com bust of 2000. It shows.