My #blackhat keynote () in a tweet thread.

I spent years focusing on the technical offense: red teaming, pen-testing, and security research. I felt that it wasn’t having enough impact, so pivoted to defensive security engineering.

I learned 3 key lessons:

1. We should reverse engineer our “jobs to be done” by talking to our internal “customers” and understanding their struggle. Every security role can benefit from more customer orientation and understanding of those impacted by our work.

2. Seeking and applying leverage through better feedback loops and delivering software will help us better scale to meet our challenges. Software and data science are force multipliers that we should all strive to fully embrace.

3. Culture is much more powerful than strategy, which is in turn much more powerful than tactics. Changes to culture precede improvements in results. There is a lot of important work for us to do here in how we engage each other, our orgs, and the societies that we serve.

It’s scary to say “yes” to something risky. But fear is a poor guide compared to risk-prioritized analysis. We should strive to overcome fear.

In conclusion, if we start more conversations with “yes, and here is how we can help,” we increase collaboration with those around us.