I had a great time attending - and speaking - last week at SREcon25 Americas!
2025-04-22 Update: a video of my talk is now available on my presentation page.
This was my second time at SREcon (in person), and once again I enjoyed both the talks as well as the conversations I had with other attendees. I also got to meet and reconnect with fellow members in the newly formed Resilience in Software Foundation.
My own talk, ‘Is the S in SRE for “Security”?’, went well, and I got positive feedback from people in attendance, including one person who went to my session by accident! The one thing I’d do differently next time would be to have a stronger call to action - if you are part of either a Cybersecurity or SRE team, my challenge to you is this: get to know your counterparts, learn about their work, and bring your unique skills to help them with their mission. I truly believe organizations will be better off if SRE and Security teams have a combined approach to inventory, configuration, patch management, observability, incident response, and testing.
Thanks also to the Minneapolis CNCF Community, who invited me to present a preview of my talk. Your feedback and questions helped make SREcon a success!
Abstract
There is significant overlap between Cybersecurity and SRE; understanding and leveraging that can improve the performance of both. Lessons from safety science tell us that security and SRE come through being successful more often, not failing less. Research in DevOps, Software Security, and elsewhere shows a strong link between different types of organizational performance, including development, operations, SRE, and security; in many cases, organizations most effectively reduce cybersecurity risk by improving general technology performance.
Many SRE capabilities overlap with Security, including the critical activities of patching & managing attack surface, along with observability, incident response, postmortems, testing, and platform engineering. SRE and Security teams can collaborate by supporting their mutual goals, sharing their perspectives dealing with incidents both frequent and rare, and by setting Security Level Objectives to inform decisions on when to divert resources to security as SRE teams do with Service Level Objectives.
Slides
My slides with notes, including references, are here.
Video
All USENIX conferences are Open Access! Slides and recordings are available for all past SREcon events, and a video of my talk is available on my presentation page!
Back in September, I was a guest on the IT Audit Labs Podcast!
I enjoyed my time talking with Joshua, Nick, and Eric about safety science and how we can apply lessons from safety to security. We covered a number of topics, including risk, ergonomics, culture, CrowdStrike and aviation, and I was pleasantly surprised to learn that Eric is a pilot!
You can find the episode on your favorite podcast service, or watch a video of the session on YouTube.
Description
Discover the vital intersection of safety science and cybersecurity, where human psychology meets technical innovation.
In this episode of The Audit, special guest John Benninghoff shares his expertise in safety science and how its principles can improve cybersecurity. From applying safety protocols in the tech industry to enhancing security culture through proactive human behaviors, we dive into a range of topics. Plus, we discuss how risk quantification and ergonomics can drive better security outcomes.
Cybersecurity, especially traditional security, has stagnated; adding security controls has appreciably improved outcomes and we continue to struggle with basic problems like vulnerabilities. Safety faced a similar problem 10-15 years ago; scientists and practitioners saw that safety outcomes were stagnant and concluded that the traditional method of avoiding accidents through centralized policies, procedures, and controls was no longer driving improvements.
I believe we’re seeing the same thing in security: historically, we’ve focused on constraining worker behavior to prevent cybersecurity breaches, and the limits of that approach are becoming increasingly clear. Adapting concepts from Safety Differently and Safety II offers a solution, by supporting success and focusing on positive capacities. In this talk, I will present practical advice on how to create a security program based on modern safety principles using evidence from both security and safety, and how it changes the role of the security professional.
Slides
My slides with notes, including references, are here.
Video
The talk was recorded, and if you attended the conference, you can watch the password-protected video here. (The password was shared with attendees)
