On Strategy

Explore a comprehensive strategy for implementing effective security measures in small to medium-sized development teams through this insightful conference talk by Eleanor Saitta. Gain valuable insights on how to approach security as a collective responsibility, develop a unified strategy, and coordinate efforts across the organization. Learn why starting with technical work is important, but not sufficient, and discover how to teach teams to view security as a whole-systems outcome. Delve into topics such as risk assessment, cost considerations, security compliance, staffing, and when to engage consultants. Understand the relationship between security and other organizational aspects, and acquire practical tools to enhance your team's security posture. Whether you're an engineering director, a startup's first security hire, or a consultant, this talk provides essential guidance on building a robust security framework for your development team.

Introduction
Who is this for
What is security
What is strategy
Risk
Security Outcomes
Incentive Alignment
Security is not about computers
Exposure tolerance
Maturity level
Tech debt
Brooks law
Compliance
Governance
Metrics
Blameless Engineering
Designing for Human Error
Teach Systems Literacy
Responsibility for Security
Do not be a gatekeeper
Engineering principles
Capability is a liability
Two different systems architectures
QA matters
Hiring vs consulting
Buying security
Threat intelligence
Platform choices
Separation of concerns
Segmentation
Redeploy
Autoscaling
Trust Chaining
Automation
Observability
Legal
Security Books
Questions