Many of the poor security stances we see are the result of security paralysis. We’re presented with two options, being insecure or being secure, with little understanding of how to get from one state to another. With APTs, 0-days, logoed vulnerabilities that make us think we’re all gonna die, and the difficulties understanding these and other security subjects… Many of us choose to just work on other areas of our environment that need our attention because it’s not like there’s not enough work to do. Why bother investing your time and effort into something you don’t feel you can do well?

But security isn’t a single state. It’s an iterative process that adapts to your needs and risk profile. This session will take people through the process of going from bad to better today in a way that they can then reapply to improve again tomorrow. We’ll walk through the security topics that we obsess about and contrast them with the ways many organizations are actually breached. From there we’ll evaluate our risks, analyze our constraints, and finally apply this mode of thinking to make a bad situation better even if still not perfect.

You won’t walk away from this with the knowledge to prevent a breach from a determined state sponsored adversary. But you will walk away with an understanding of evaluating your risks and needs, evaluating paths forward, and finally performing action to make forward progress that you can apply to a nagging security issue in your environment.

Tom is an infrastructure engineer turned community engineer at CloudZero. He uses his engineering experience to engage the community and provide insight into new and interesting ways to view