It has been said “information wants to be free.” A corollary to this could be “security wants to fail.” And fail it does, time and time again. Security projects are often unsuccessful because of poor/no process, mismanaged technology and resistant employees. Traditionally, we solve this problem by tightening the screws, but is the most effective approach, or does it just make things worse? By exploring ideas from Agile Development, Lean Manufacturing, Psychology, Economics and Complexity Science, this presentation explains why we’re in the mess we’re in and how we might get out of it. It discusses why constantly improving “better practice” is better than “best practice”; why focusing on learning is better than focusing on checklists and why expensive technology often fails to actually solve security problems. Finally, it discusses systemic issues and why so much of our time is spent fighting ourselves instead of the bad guys.
Josh has over fifteen years of experience in IT and information security. Josh’s current role is as a security consultant, and he has previously filled roles as an application developer, system administrator and network engineer. He holds several security and technical certifications and has served in leadership positions on several security-focused groups. He writes a blog on security at www.starmind.org and www.rjssmartsecurity.com. Josh’s current initiatives are focused on applying lessons from other disciplines to security practice. Josh More leads RJS Smart Security – a security consultancy focusing on smaller organizations looking to improve security without losing flexibility.