October 2012 - Lean Security


It has been said that "information wants to be free." A corollary to this could be "security wants to fail." And fail it does, time and time again. Security projects are often unsuccessful because of bad processes, misconfigured technology, and resistant employees. Traditionally, we solve this problem by tightening the screws, but is this right, or does it just make things worse?

By exploring ideas from Agile Development, Lean Manufacturing, Psychology, Economics, and Complexity Science, this presentation explains why we are in the mess we are in and how we might get out of it. It discusses why constantly improving "better practice" is better than "best practice," why focusing on learning is better than focusing on checklists, and why expensive technology is seldom a good security solution. Finally, it discusses systems issues and why so much of our time is spent fighting ourselves instead of the bad guys.


Josh More - Senior Security Consultant, RJS Smart Security

Josh More has more than fifteen years of experience in security, IT, development, and system and network administration. Currently, he works as a Senior Security Consultant for RJS Smart Security based in Minneapolis, MN. Josh holds several security and technical certifications and has served in a leadership position on several security-focused groups. He writes a blog for RJS Security, often taking a unique approach to solving security problems by applying lessons from other disciplines, like Agile Development, Lean Manufacturing, Psychology, Economics, and Complexity Science.

He is very active in the information security space and has presented to local ISACA chapters, OWASP, ISSA, and Linux User Group (LUG) events, as well as other conferences throughout the United States. Josh has also run the Iowa Infragard and Iowa Linux User Groups.