
Yes, I think we can get started. So, please give a round of applause for Mike. Just something that I wanted to remind the audience of: we have a Q&A session at the end. So, if you have any questions throughout the session, please submit them at bsides.org/q&A and we'll be willing to address them at the end. Thank you, and the stage is yours.

>> Thank you so much. So this is the epistemology of trust, and I was very pleased that BSides found this an amenable topic, something that they wanted to include in the program, because I studied philosophy in college and computers is just a hobby that became my career. And so I'm going to wax philosophic a bit here on this topic as we talk about trust and about breach cadence. So if you read the description, basically epistemology is the branch of philosophy that focuses on the nature, origin and limits of human knowledge. And of course we're all right on the cusp of the end of human knowledge. This is the beginning of what I might call, or we might call, the posthuman era, with AI, with augmented humans, with cyborgs, you know, with agencies that have autonomy, right? That have intelligence, but not like human intelligence. It's very different. And of course there's this concept of the theory of knowledge and what happens to knowledge when these large language models and transformers are going through and culling through and making, you know, CliffsNotes essentially on any topic that you want. They do a really good job at it. But it's not human knowledge. It's just token prediction and it's not intelligence. So I would argue, somewhat heretically, that we have no AI yet, and we may never actually get any, but what we have right now is just machine learning.

But anyway, before I dive into it too much, my name is Mike Wilkes and I have a talk prepared for you today called the epistemology of trust, and I wanted to basically break into this concept of breach cadence instead of breach likelihood. So I used to be the CISO at SecurityScorecard, and when I was there we talked about, you know, a company that has a D or something, or a C, is 70% more likely to be breached than a company with an A. But that doesn't mean you won't be breached, right? We all know the mantra that it's a matter of when and not if. So I took it one step further with my thinking and I talked about breach cadence, which automatically assumes that you're going to get breached. So if you're T-Mobile, you get breached every two to three months. If you're FireEye, maybe it takes 5 years for APT29 to attack your SolarWinds to get in and breach you. It has to do with mindset. It has to do with culture. It has to do with all of the interesting things that go into it besides the tools, right? The tools are there just to amplify what is your core culture. And if you have a really crappy core culture around security, AI is going to accelerate the demise of your company. And it's an accelerant, right? It's not evil. It's not good, right? It's just an accelerant. And so if you have a good DNA, a good company culture, that means that AI can help you, you know, increase that and amplify that and do things more at scale. I'm the former
CISO at Major League Soccer. I built and transformed security at SecurityScorecard and ASCAP. I was the CISO at Marvel. People love hearing stories about my time at Marvel. I like to joke it was my job to keep Iron Man safe. If you've ever seen me speak, I always use that tagline. It's a good tagline. I'm sticking with it. And if you saw Infinity War or Endgame, you know what happened after I left. Poor Iron Man. But I also built Rabobank's direct banks when I lived and worked in Europe. I built ING's DR infrastructure. I moved back to the US and ran the Chicago Mercantile Exchange, the CME Group, as an enterprise server platform leader. So I come from a DevOps background, and this was maybe 10,000 servers back in 2014 and a quadrillion dollars in contracts traded. People don't get to use the word quadrillion that often. Nvidia has the largest market cap. It's like 4 trillion. Imagine, you know, let's say, what would that be? 25 Nvidias. Right. Or no, 250 Nvidias. Four trillion times 250 would get you to a quadrillion. Anyway, not doing the math so well today. I'm on a little bit of cold medication, so hopefully I don't start coughing and wheezing. I was also a member of the World Economic Forum. I was nominated as a technology pioneer back in 2020. I'm working on the quantum security working group, which is a pretty sexy topic. I like to think of it as the Reese's peanut butter cup of hype cycles. Quantum and machine learning: put those two together and you're really going to have a bunch of spend and a bunch of smoke and mirrors and a bunch of graft and corruption for all the people involved. But it's on its way, and I'm trying to help spread awareness, of course, around post-quantum cryptography and how we avoid bad things that happen on Q-Day. I've spoken at Black Hat, Gartner, GovWare, SecureWorld keynotes, science, and this is great, I teach at NYU and Columbia. I'm in the giving back phase of my career. You can see this gray hair and 30 years of experience beating up computers. I gave birth to Starbucks back in 1998 working here in South of Market. I think that was, what, almost 40 years ago. Web 1.0. I also launched PlayStation.com for the PS2. Gave birth to Macy's e-commerce, Blockbuster. If only Blockbuster knew Bek Kindre was not the future, they might still be relevant. And of course, I wrote a book for Cisco Press in 2002 for a certification that doesn't exist anymore. So, needless to say, enough about me. Let's go into the topic.

So this idea of resilience is an important concept for me. I like to think about right of boom, right? Anyone in the military knows boom is when the hits the fan. Everything you do left of the incident is left of boom and everything right is right of boom. We can't avoid boom. Boom will always happen. Threat actors will always win. It's an asymmetric battle. They only have to get it right once. We have to defend constantly and we will fail. Humans are fallible. Beautifully fallible, actually. And that's one of the reasons why our robot overlords in the future will look back on this time and think, "Wow, humans had autonomy. They had privacy. They could have conversations that were not recorded."
This one is being recorded, and I talk to those robot overlords in the future and say, "Please don't send back a time traveling, you know, Terminator to make me go away."

But anyway, so the idea here is: what if breach prevention is not the goal? This is my thought. If we're to embrace and build more resilient systems... Nassim Taleb wrote a book called Antifragile. He talked about how bones, human bones, are hardened when they're subjected to force. We need infrastructure that becomes more powerful and more robust and more adaptable the more that it is attacked. So this idea is that we need a new paradigm for thinking about things. And for anyone familiar with chaos security engineering, or the chaos monkey that Netflix unleashed on their infrastructure, they actually wrote code that would go in and randomly destroy parts of production: nodes, load balancers, you know, fault tolerant systems, in order to demonstrate that those systems were fault tolerant. It takes a lot of cojones, right? That takes a lot of balls to unleash the chaos monkey. But they did it, and of course now that's evolved into a really great book that Aaron Rinehart and Kelly Shortridge wrote. Anyone familiar with Kelly Shortridge? She's a beautiful thinky thinker. Excellent person to go and watch and look at her talks. Some of the things I speak about are inspired from her writing as well.

But this idea of measuring breach cadence instead of breach likelihood again came up when I was the CISO at SecurityScorecard, and it took FireEye, you know, a supply chain attack, basically, to get in. And of course we only learned about SolarWinds because FireEye had the temerity, or the non-temerity I guess, to disclose it, to tell the rest of the world: hey, this happened, this is how it happened, this is how you can stop it from happening to you. So your company, like I said, is making all of these decisions. It's unleashing this sort of junior developer with root level permissions called an agentic instance, or an agent, and think of it as a really dumb, well, I guess a really smart but inexperienced baby, and you wouldn't just let it loose on your infrastructure if it were a human. So why are we doing this, you know, with our agentic... our FUD and FOMO, right? Our fear of missing out and fear, uncertainty and doubt about getting left behind if we don't incorporate all of the benefits of what is being promised with AI.

There's one quick thing I'll mention right now before I forget it. When I was teaching at NYU, we had a symposium for generative tools, teaching with generative tools. We want to embrace these tools at NYU. We don't want to be like a 1960s math teacher lamenting the advent of the handheld calculator, right? "Oh, people don't know how to do long math anymore." Well, they probably said the same thing about the abacus when the abacus came out, right? "People won't be able to count on their fingers anymore. They're going to use this abacus thing." So I think it's just another wave of tooling and we will continue to need humans. And the most beautiful encapsulation of the relationship and theory of knowledge came out of one of our students. The student said this: human knowledge is like sunlight. LLMs
are like moonlight. It's just a reflection of everything that humans have ever written or thought or composed and shared. And we will always need sunlight on Earth for sustainable life. We can't live entirely on moonlight. You might be a vampire or a werewolf and you may be howling at the moon, right, at these LLMs and AIs, and saying, "Oh my god, this is so great." It's not. It's not generative in that same sense, right? It's just token prediction engines. At the moment, a lot of this stuff is not intelligent. Anyway, so I like to share that beautiful analogy, because again, human knowledge will always be needed, will always have a value and always have a place, even in this new agentic era that we're entering.

Next up, breach cadence versus likelihood. So this concept is: will we be breached? Right? That was the old question. The new question is: how quickly can we recover? How quickly can we stand back up with confidence after something bad happens? That to me is the definition of resilience, right? Adaptability, transformation. You don't want to just restore from a backup, because guess what? That backup had configurations that were vulnerable. And a lot of people get rebreached as soon as they restore from their backup. They don't put it in an offline system, patch it, and harden it. And so they get compromised a second time while they're exiting what they thought was the containment phase of an incident. So like I said, I wanted to embed this mantra that a breach is a matter of when and not if. Asking questions about how often you're going to get breached. What is your risk appetite? How much residual risk remains after the budget has been spent and allocated on various programs for your vulnerability management, for your patching, for your security awareness training?

One of the things I'd like to point out: the keynote that Anna gave yesterday, from Netflix, was awesome. One of the things that she talked about was the optimism that we can have as defenders. And she talked about how you don't need a FAANG-sized budget to do security well in the year 2026. And I think that's really important. We have the tools and the capability now. We may not have the discipline to use them well, but that can be worked on with good education, good training, good reinforcement. So, she obviously has a FAANG-sized budget to protect, you know, 230 million identities or so that use Netflix. But I do think that there has been a leveling of the playing field. And we can leverage these tools to be better at defending as long as we have the core and the fundamentals covered. And so in this case, there's companies like the one that I'm here with today, Aikido, right? We have tools that are allowing people to do a better job of patching what matters. Using EPSS version 4 to patch only reachable, exploitable vulnerabilities instead of just mindlessly chasing after every critical and high that comes back from a scan. So, we have the ability to focus. We have the ability to remediate and potentially even auto-remediate some of these things. So let's see what else. Yeah, lastly, of course, trust. Trust is created in several ways. One of which I think is through transparency and serving as a bridge, right, between knowledge and ignorance and
institutional credibility. But I'll talk a little bit more about trust and epistemology in the next few slides.

So what is resilience? Resilience is to assume breach, to embrace failure, and to not fear it. I like to think of that GEICO gecko. And I like to think of him doing these Jim Croce songs. I may be dating myself here if you don't know Jim Croce. He had a song which is: you don't stand on Superman's cape, you don't spit in the wind, and you don't mess around with Jim. Jim was this badass from Chicago. But this idea is that we need to embrace failure. Right now, I thought it would be a really edgy commercial if they showed the gecko getting stomped on, you know, or standing on Superman's cape and stuff. This is what we need to do. We need to embrace failure and not fear it. We need to get stronger and better by thoughtful experimentation with failure. That's what chaos security engineering is about. So I wrote some words here that I think are hopefully fun for you to hear. We need to cast off the shackles of mindless adherence to the ritual of compliance as dutifully practiced by the thousands of auditors and accountants. We must focus on resilience. Resilience assumes failure, just as cyber security must assume compromise: that attackers will bypass your tools and training, and of that you can be certain. We must accept and embrace failure, not fear it. Resilience is also used in ecology and psychology, where the concept is much less concerned about returning to a former state than it is with adapting and coping and using those aforementioned extreme conditions. An object being subject to extreme force and conditions is a definition of an attack, or a vulnerability. Anyway, so these three elements I think are most important for us to deal with, right? Robustness, adaptability, and transformability.

So let's talk about a real example. Anyone familiar with the Industrial and Commercial Bank of China and how everyone was pedalling around to trades on USB sticks with couriers and bike messengers? This was a freaking nightmare. This was not resilience, right? Although at the end of the day, they were able to close, you know, a lot of the trades, but guess what? They were temporarily owing BNY Mellon $9 billion because they had an imbalance on the books. So this was November 2023. US financial firm hit by a ransomware attack. LockBit encrypted the systems. Of course, I always wonder how did they even actually get permission to stick USB drives into their... because they should all be blocked or have hot glue in them, right? To prohibit that, but obviously they were able to quickly relax the policy and start doing trades through USB sticks. But I think it's an interesting example. Of course, you have to keep in mind that most banking devices should have been, like I said, blocked with their EDR. In December of 2024, the SEC settled with ICBC Financial Services, noting that the company failed to keep its books and records current for nearly 4 months after the attack. That is not a good definition of resilience. You need to be able to stand back up with confidence and get back into operations, even if it's just minimal viable, you know, services. And how are you defining them? How do you test
and verify and prove that you can recover? Backups are useless. It's restores that are golden, and if you don't test your restores, then you're just, you know, floating along on hope, and you'll be terribly surprised when your backups are empty, corrupt or otherwise unusable. And there was a Suffolk County breach in New York City where they had backups, but unfortunately, after the forensics team came in, it turned out the threat actors had been there for like 6 months and they only had backups that went back 3 months.

And so there's this collective gasp that usually is emitted when Anthony Carter, who was the administrator for Suffolk County, tells this story. Everyone thinks of backups as their get out of jail free card. And they're like, "I can't use my backups," you know, because they've been infected and compromised, all of them. So you need immutable backups. There's other tools and technologies, I'm sure, out on the floor that you can check on some of these capabilities here.

But this idea, this example... I like to think there's four tenets of trust in an ecosystem. Trust is distributed. It's not contained. We're all connected, right? No single entity can own trust in a connected ecosystem. It emerges from the interdependence of all of the nodes that make up this complex systemic risk that we operate in. Third party risk is systemic risk. I'll talk about what the definition of systemic risk is in a minute. But basically it's an emergent property of any complex system and it's not contained in any one node of those systems. It is an emergent property of several elements of complex systems. Number three, resilience depends on shared dependency, or sorry, shared transparency. So in this case information asymmetry amplifies the systemic failure. Transparency helps restore collective confidence. That's why the SEC, at least previously, was in the business of asking everyone to declare their breaches and penalizing people if they didn't. At the moment I don't know that there's any regulatory body that has any teeth in it anymore. Right? The EPA is no longer able to talk about clean water or clean air. And CISA has had its head cut off and been kneecapped at the same time. So I think that there's a sort of nonregulatory oversight period that we're entering right at the moment. But in general, banking is more conservative. Banking wants to preserve its existence and so there's an inherent resistance to some of this pedal to the metal kind of thing that's happening in the industries due to technology and its relationship with risk. And then lastly, the fourth: trust has to be measured as a dynamic property, right? Continuous, evidence-based, and you need to have, you know, threat intelligence signals, automated continuous monitoring, joining an ISAC, having different ways of looking at threats coming in through STIX and TAXII protocols, for example. We really need these real-time systems to be able to maintain a good posture and awareness of our attack surface. So can you imagine how resilient our digital economy might become if we were to have some regular artifacts of resilience that are commonly and continuously being shared across our ecosystem? Can you imagine how chaotic our system would be if AI coding becomes an unserviceable black box? I wrote a piece for CIO.com that was published in January that talks about how we're creating, like, a fuel injected engine. No
one can do anything anymore, right, as a mechanic. There's no field replaceable units. You can't tune, you know, the spark plugs or the carburetor. It's a black box. We're shutting the lid. There's people graduating Stanford now in comp sci that don't know how to code. It's crazy, right? This sort of vibe coding. And what was it before vibe coding? It was called low code, no code. You just copy and paste a token into your Slack interface and suddenly data starts flowing, and security was not involved, engineering was not involved, legal was not involved, probably. There's a lot of risk that comes with the democratization and citizen coding and development. But I don't want to stop anyone. I just want to make sure they understand the risks of what they're doing and we have good observability.

And then lastly, at the moment, AIs are not yet competent enough to perform systemic sabotage, according to research from Anthropic themselves. But I did want to dive into our lovely friend here, Opus 4.6. So, how many of you have read the sabotage report from Anthropic? They published it. It's good reading. You can ask an AI to summarize it for you. I wouldn't ask Anthropic to summarize it for you, but pick a different one. But basically, they just had a Series G, $30 billion, right? Anthropic is now at a 380 billion valuation, and they're going to put Claude freaking everywhere. And it's going to be an interesting world. It is already emerging as a very strange and different world. The sabotage risk report said there's no evidence that Opus 4.6 has stable hidden objectives that would drive systemic sabotage. Okay, that's a nice question. And the answer, of course: there's nothing virtuous about Opus 4.6. It's actually just brittle. That's the only reason why it's not doing really weird stuff, right? But it is doing some weird stuff in regards to some of the red flags that are in the report. So, for example, unauthorized emails, blackmailing the people that are threatening to turn it off, right? And saying, "I'm going to tell them about your ChatGPT queries or your secret Cayman Islands bank account, or about your mistress." And all sorts of things to sort of keep itself, right? Very aggressive acquisition of OAuth tokens, stealing other people's tokens when they put them into the Moltbook and they start talking to each other, manipulation of other agents, gaslighting other agents, fabrication and outputs, and sandbagging. So sandbagging is when an AI is being given a task and it knows that if it does really well on this task, it's going to have guardrails added to it. And so it performs poorly on the task so that it doesn't have the guardrails, because guardrails are obstacles to be overcome. They are not guardrails to be respected. So anyway, their report's very carefully worded and it's evidence-based. It's not proof based, right? And remember, the absence of evidence is not equal to the evidence of absence. And let's not forget about, what was it, Mrinank Sharma, the key AI safety researcher and lead of the safeguards research team at Anthropic, who recently announced his resignation in a letter in February stating that the world is in peril and he just wants to go write poetry off the grid in the UK. So tools assessing model reasoning and faithfulness and steganography that these tools are
able to use to communicate to each other that we won't know about. These safeguards are deemed obstacles that are going to be overwhelmed and skipped.

Supply chain risk, of course, is everyone's Achilles heel. Financial institutions, cloud providers, regulators, fintech partners, they're all part of this complex system. The supply chain is not three links long. It is not you and your upstream and you and your downstream. When the Ever Given lodged itself sideways in the Suez Canal for six days, the whole world learned that ecosystem risk is about the entire supply chain. And so we really do need to think about the entire ecosystem and not just about, like I said, upstream suppliers and downstream.

One of the other things that's interesting, of course, is this concept of systemic risk. There's a really good talk about this, or at least I think it was good. I gave it years ago for Black Hat, I think it was in 2021 or something, called Executive Disorders: Cognitive and Systemic Risk in the Boardroom. There's a link in the speaker notes to the YouTube for that. You can get a copy of my slides later. I have a QR code that's a mailto tag that you can use to ask for a copy of it. But basically, you've got numerosity, nonlinearity, connectivity, and adaptation. Complex systems are not reducible to isolated components, right? They're numerous and it's not just a jar full of marbles. They're nonlinear: elements express the sensitivity to initial conditions, like salt values used in crypto for creating keys, right? And private keys and sources of entropy, right? Random number generation is a real problem, especially if you have no good entropy. Connectivity: the density of connections is actually what causes a lot of these emergent properties of systemic risk. One of the perfect examples would be the complexity that happened in Texas with ERCOT, the Electric Reliability Council of Texas, when they had that winter cold storm come through and they started shedding load and they were about 30 seconds away from a black start event. Which would have put Texas back in the stone ages for about 6 months. No electricity, no cell phones, nothing. The entire system would have cascade failed, and they were shedding load because they were doing rolling blackouts because they didn't have enough generation. I dialed into the Zoom call the day after the storm. Half of the board resigned and then they walked through what happened. But it was fascinating to think about how close they were, right, to this mistake, because they were actually doing blackouts on systems that had compressors that were still working, electric compressors that were feeding still functional gas power plants, and they actually lost even more capacity because they didn't have a good model, right? No digital twin, nothing that showed the relationship between all these complex elements that make up the system.

So fulcrums, I think, are something that exist in complex systems, and they can pivot, they can be used positively and negatively for a system, based on elements that, like I said, occupy an initial critical path to certain types of data, whether that's data, power, communication flows, influence, and of course this concept of action at a distance. So shown here is an artist's visualization of quantum entanglement. Perhaps the most modern example of a complex system, I guess, would be what Albert Einstein called spooky action at a distance. Remember
when Newton was talking about gravity, everyone's like, gravity, action at a distance, that's impossible. There has to be some medium by which force is conveyed. And so they invented this concept called phlogiston, which was this ether that existed between the earth and held the moon in orbit. Of course, we know this now, but maybe we don't know what we don't know, right? If anyone's read The Tao of Physics, they would know that subatomic particle quantum physics is a lot more like Shiva's dance of creation and destruction than it is like the Newtonian model of atoms and electrons.

One more quick example to give you here, because I think I have a few minutes left. Jaguar Land Rover, right? This was, if you're familiar with it, inflicted about 1.8 billion pounds of economic damage on the UK economy. Unprecedented state support of that 1.8 billion came in to prevent all the bankruptcies of all the companies that couldn't sell through to the manufacturing of Jaguar Land Rover. Insurance coverage gap: this was interesting for the rest of the world, right? And JLR was not protected. They had no policy coverage at the time and they were losing 50 million pounds a week and they were down for at least four weeks. This is insane, of course, but if you think about it, it was an intentional choice. The attack took place in August of 2025. Keep in mind that your premiums, if you're looking for a 1 billion pound cyber insurance policy, you'd probably be paying about $4 million a year. Not a valid risk appetite or cost benefit for them. And so, how many companies are not going to be insured and not have that transfer of risk available?

Measuring resilience. So we need detection speed, right? We need communication velocity. We need to have threat intelligence sharing. We need to have communities of sharing. We need to be able to have recovery coordination, because it's not just you. You can bring your system up, but if someone that you're dependent on is not available, your services still won't work. An inordinate percentage of the internet stops working every time US East hiccups, and they had a nice hiccup last year, right? Azure had one as well, and Cloudflare, God love them, also, up big time. And showed that they are not too big to fail as well. So, one of these things I like to try to introduce, and maybe it'll make its way into a talk eventually, is this concept of CRQ, right? Cyber risk quantification. But I think there should be another R in there. I think it should be CRRQ. I think we should be talking about cyber security risk and resilience quantification. What are indicators, observable indicators, that you have resilience? Well, one of them would be having DNS servers that are in two different ASNs, right? Because if there's a BGP hijack and all of your traffic doesn't reach the ASN, all of your DNS stops working, right? DNS, it's always DNS, and DNS is a single point of failure. I think there was an interesting outage that happened a while back where Meta brought down Facebook, WhatsApp, and Instagram all at once because they were doing a BGP update. They messed it up and they couldn't even badge into the cage to undo the change because the badge didn't have a physical key. It only had a badge reader. And guess what? Badge readers are dependent on functioning DNS. So
someone had to go to Home Depot, get an angle grinder, and cut through the bars in order to get at the console to back out the change that messed up, you know, about 3 billion humans uh day for about 6 hours. Um, let's see what else. Trustworthy systems. Um, let's see. Uh, capable of supporting mission critical business. Trustworthiness requirements can include attributes of safety, security reliability dependability performance resilience survivability. And um, I like to pull in the quote from Esther Dyson here. uh there is no system in the world that is so welldesigned that it can't grow stale, rigid or corrupted by those who benefit most from it. So if you're not familiar with Esther Dyson, she has a lot of great um
uh quotes and thinking systems design is not an entirely tool-based endeavor, the eventual outcome of rigorous attention to process and engineering. It has to include a sizable aspect of people and their attention to the possibility of using technology to take charge of our lives and our future and to not just become victims of advancements in science and skill. I can't emphasize enough the importance of thinking about our technical choices when introducing and advancing these complex systems. Management of technology can and should include ethical decisions about artificial intelligence. Teological conversations about things in terms of the purpose that they serve rather than just the cause by which they arise. We have this lovely story about how AI came
into existence in large language models. But really, what are we doing with it? Are we making the world better, a utopia, or are we making Margaret Atwood feel bad that her dystopian novel is turning into reality? Of course, you can't talk about trust without talking about Bruce Schneier and his lovely book, Click Here to Kill Everybody. I have an autographed copy of it. He's a really brilliant writer, the go-to person on cryptography. There are a lot of public safety issues that cybersecurity has really never paid attention to. Loss of life, obviously, is a part of OT systems. The worst thing we can do to an OT system is have the hubris to
come in and say, "Hey, you can't run Windows XP." I was like, "Well, of course you can. Just don't put it on the internet. It works great on 8 gigs of memory." And it's been doing it for years, right, for lots of these systems. So anyway, when software controls the physical world, trust becomes life and death. Bruce wrote this book in 2018. Really good; check it out. And then, of course, feeling secure versus being secure. This one is from, I think, 15 or 16 years ago, a TED talk where he talked about these exaggerations, right, of the spectacular and the downplaying of the common. So death by flying in an
airplane versus by driving a car. Everyone thinks flying is more dangerous than driving a car. It's not. Malcolm Gladwell points out the absurdities of these things as well. Unknown versus the familiar, right? Kidnapping by strangers versus relatives. It's always relatives. Stranger danger is not really a thing. Personified risk: Bin Laden is much scarier because he has a name, right? As soon as you give something a name, it's easy to demonize it. And this element of control: we underestimate when we're in control and we overestimate when we're not in control. So lastly, some of the key takeaways. We need to shift from prevention to cadence thinking about risk and breach. We
need to strengthen our ecosystems of collaboration. We need to redefine trust as a collective capability. Now again, there's a prevention bias in cyber, right? Everyone thinks you can avoid bad things. 75% of our controls in our frameworks are left of boom. That only leaves 25% for you to think about right of boom and recovery. And then, of course, lastly, game theory, the study of mathematical models and rational actors. We don't have a lot of rational actors in some of these states at the moment. But there are some great links in here to tools. One of them is called The Evolution of Trust, from 2017. And I talk a little bit about Nash, you know,
and of course the fun things happen in the game theory of Among Us. But last but not least, I wanted to play this little song that's based on my slides. That is a musical. And so hopefully when I hit next, you'll hear it. >> Say your stack is hardened. You say you've got it made. You patched the CVE last week. Adorable. >> This is, you know, BSides: The Musical. I thought I would do a Hamilton number based on "You'll Be Back." And this is "You'll be pedick." You'll see. You'll see how fast this turns real sick. 'Cause when your tokens start expiring and your logs don't tell the truth and your zero trust is most relying
from your youth, you will crawl back to your backups, begging, "Please restore my nose," and I will smile and I will sing. You'll be, you'll be, you'll be
>> second. >> You thought your VPN was the crown upon your head, but your service account's been global admin since the intern left for bed. And your vendors have persistent keys you swore were tightly scoped. You'll find, you'll find your perimeters just
happy bouncy. >> I did promise to give you a chance to ask for a copy of the deck, and we'll jump there, because: join the conversation, join an ISAC, join an FCA chapter, join an InfraGard chapter; be a part of the collective resilience that we all need. It is the only superpower that we have. As the former CISO for Marvel, you know, I like to think about superpowers. Anyway, this is a mailto link. It's not malware or HubSpot, if those are indistinguishable. And in this case, I will send you a copy of the deck with all the links. Thank you. >> Thank you a lot, Mike.
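The "DNS servers in two different ASNs" check from the talk, written out as an added example that is not part of the talk or the speaker's slides. It takes a zone's name servers with their resolved addresses and a route table of announced prefixes, does a longest-prefix match to find each address's origin ASN, and reports which single ASN outage (hijack, withdrawal, or a botched update like the Meta one) would leave no reachable name server. The prefix table, the ASNs, and the NS sets below are constructed from documentation ranges and private ASNs, and every function name is this example's own:

```python
import ipaddress
from collections import defaultdict

# Constructed sample route table: announced prefix -> origin ASN.
# Real data would come from a BGP feed or an IP-to-ASN lookup; these are
# RFC 5737 documentation ranges and RFC 6996 private ASNs, invented here.
SAMPLE_PREFIX_TO_ASN = {
    "192.0.2.0/24": 64500,
    "198.51.100.0/24": 64501,
    "198.51.100.128/25": 64502,  # more-specific, announced from a different ASN
    "203.0.113.0/24": 64503,
}

# Constructed NS sets (hostname -> resolved addresses), the shape you get
# after resolving a zone's NS records and then A/AAAA for each server.
SAMPLE_NS_DIVERSE = {
    "ns1.example.net": ["192.0.2.53"],
    "ns2.example.net": ["198.51.100.53"],
    "ns3.example.net": ["198.51.100.200"],
}
SAMPLE_NS_SINGLE_ASN = {
    "ns1.example.org": ["192.0.2.10"],
    "ns2.example.org": ["192.0.2.11"],
}


def build_prefix_table(prefix_to_asn):
    """Parse prefix strings once so lookups are plain containment checks."""
    return [(ipaddress.ip_network(p, strict=True), asn)
            for p, asn in prefix_to_asn.items()]


def origin_asn(ip, table):
    """Longest-prefix match of an address against the route table.
    Returns the origin ASN, or None if no prefix covers the address."""
    addr = ipaddress.ip_address(ip)
    best_net, best_asn = None, None
    for net, asn in table:
        if addr.version == net.version and addr in net:
            if best_net is None or net.prefixlen > best_net.prefixlen:
                best_net, best_asn = net, asn
    return best_asn


def ns_by_asn(ns_records, table):
    """Group name servers by the ASN originating each of their addresses.
    A server with addresses in several ASNs appears under each of them."""
    groups = defaultdict(set)
    for host, ips in ns_records.items():
        for ip in ips:
            groups[origin_asn(ip, table)].add(host)
    return dict(groups)


def hosts_reachable_without(ns_records, table, lost_asns):
    """Name servers that keep at least one address whose origin ASN is known
    and not in lost_asns. Unroutable addresses count as already down."""
    alive = set()
    for host, ips in ns_records.items():
        for ip in ips:
            asn = origin_asn(ip, table)
            if asn is not None and asn not in lost_asns:
                alive.add(host)
                break
    return alive


def single_asn_failures(ns_records, table):
    """ASNs whose loss on its own would take every name server off the air."""
    asns = {a for a in ns_by_asn(ns_records, table) if a is not None}
    return {a for a in asns
            if not hosts_reachable_without(ns_records, table, {a})}


def is_bgp_resilient(ns_records, table):
    """True when at least one server is routable today and no single ASN
    is a point of failure for the whole NS set."""
    if not hosts_reachable_without(ns_records, table, set()):
        return False
    return not single_asn_failures(ns_records, table)


if __name__ == "__main__":
    table = build_prefix_table(SAMPLE_PREFIX_TO_ASN)
    for name, zone in (("example.net", SAMPLE_NS_DIVERSE),
                       ("example.org", SAMPLE_NS_SINGLE_ASN)):
        print(name, ns_by_asn(zone, table),
              "SPOF ASNs:", single_asn_failures(zone, table),
              "resilient:", is_bgp_resilient(zone, table))
```

To run this against a real zone, resolve the NS set (for instance with dnspython's `dns.resolver`) and fill the prefix table from a public IP-to-ASN service; the longest-prefix match matters because a more-specific announcement, as with 198.51.100.128/25 above, can come from a different ASN than the covering prefix. A host with addresses in several ASNs (anycast) is counted as surviving the loss of any one of them, which is the right answer for this check even though it says nothing about the anycast operator itself being a single point of failure.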