Presenter:
This talk argues that security programs break down because organizations don’t align security decisions with how the business actually operates under pressure. Plans look solid on paper—but fall apart when real-world constraints, trade-offs, and time pressure hit.
Key takeaways
- Plans don’t survive reality
  - Strategies assume ideal conditions
  - Real environments involve constraints, shortcuts, and urgency
  - Under pressure, teams revert to whatever keeps operations running
- Business priorities override security
  - Uptime, safety, and revenue come first
  - Security controls get bypassed when they interfere with those priorities
  - Risk is accepted in the moment, often without anyone in security having visibility into the decision
- Decision-making is the real control plane
  - Security outcomes are shaped by human decisions, not just by tools or architecture
  - Poor decisions made under pressure create exploitable gaps
- Trade-offs are inevitable, and mostly unmanaged
  - Security vs. availability
  - Speed vs. control
  - Efficiency vs. resilience
  - Most organizations never formally account for these trade-offs, so they are made ad hoc
- You have to design for failure conditions
  - Assume things will go wrong
  - Build processes that hold up under stress
  - Train teams for the decision scenarios they will actually face, not ideal ones
