News

Security Isn’t A Solo Sport: Community, Burnout, and Identity at BSides312

  • Dwayne McDaniel--securityboulevard.com
  • published date: 2025-06-04 00:00:00 UTC


<p><img decoding="async" src="https://blog.gitguardian.com/content/images/2025/06/BSIDES312-thumb.png" alt="Security Isn’t A Solo Sport: Community, Burnout, and Identity at BSides312"></p><p>Chicago’s <a href="https://en.wikipedia.org/wiki/Irish_American_Heritage_Center?ref=blog.gitguardian.com"><u>Irish American Heritage Center</u></a> stands as a testament to the enduring spirit of community and resilience. Housed in a renovated early 20th-century building in the Mayfair neighborhood, this cultural hub has celebrated Irish and Irish American heritage through music, dance, literature, and art since 1985. Its transformation from a former public school into a vibrant center was made possible by the dedication of volunteers and community members, reflecting the collective effort to preserve cultural identity. This made it the perfect backdrop for hosting an event where members of another community came together to celebrate what unites us all in security at <a href="https://bsides312.org/?ref=blog.gitguardian.com"><u>BSides312</u></a>. </p><p>Hosting this newer <a href="https://bsides.org/w/page/12194156/FrontPage?ref=blog.gitguardian.com"><u>BSides</u></a> within these walls was more than symbolic; it was a convergence of tradition and innovation. Over 260 security professionals gathered amidst Celtic murals and the artifacts of traditional Irish music for two full talk tracks, multiple villages, and a <a href="https://bsides312.org/index.html?ref=blog.gitguardian.com#fun"><u>MUD-themed CTF</u></a>. 
</p><p>Here are just a few highlights from this amazing event, which was the b-side for <a href="https://www.thotcon.org/?ref=blog.gitguardian.com"><u>THOTCON 2025</u></a>.</p><h2 
id="security-isn%E2%80%99t-a-solo-mission"><strong>Security Isn’t a Solo Mission</strong></h2><p>In the keynote "When the Night Has Come: Finding Belonging in a World That Doesn't Understand Us," <a href="https://www.linkedin.com/in/greenshoesteve/?ref=blog.gitguardian.com"><u>Steve Shelton, CEO of Green Shoe Consulting</u></a>, reminded us that hacking is fundamentally a human endeavor, and that humans need to take care of themselves. His session covered neurodivergence, burnout, and the myth of the lone genius in security. The idea that any of us can handle the pressures of threat modeling, red teaming, or being on-call 24/7 for incident response <em>alone</em> is not just false, it's dangerous to your mental health.</p><p>The stories he shared, of friends who burned out in silence and of others who reached out for help, are all too familiar. The narrative that vulnerability is weakness runs deep in our industry, but as Steve said, “This tribe is not about conformity, it is about connection.” Our community, from hoodie-clad hackers to hoodie-optional CISOs, is built on resilience. But resilience is not stoicism. It's architecture: social, emotional, and operational.</p><p>This talk wasn’t a detour from security. It was a class in designing sustainable teams. 
In every IR runbook, in every SOC alert escalation, in every DevSecOps handoff, the connective tissue isn’t tools, it’s trust. Security leadership that fails to recognize that is flying blind.</p><figure class="kg-card kg-image-card kg-card-hascaption"><a href="https://bsky.app/profile/mdwayne-real.bsky.social/post/3lqkktwvvs22b?ref=blog.gitguardian.com"><img decoding="async" src="https://lh7-rt.googleusercontent.com/docsz/AD_4nXfb7J8dn23wOGQsiB7qS0i-r343Oft9AqyMwL8dcHeqT577_TFAW0b9KYYnzkdwkJwi4uCauyItsSfXC_IG5qlPK8mHaPAT1cchh2FYacB3V5mH-CaSuQsUjxq9Mqj3ZPkqSxKk?key=_jdLMMqBUyogYyao3QoEUg" class="kg-image" alt="Security Isn’t A Solo Sport: Community, Burnout, and Identity at BSides312" loading="lazy" width="624" height="469"></a><figcaption><span style="white-space: pre-wrap;">Steve Shelton</span></figcaption></figure><h2 id="identity-is-at-the-heart-of-attacks"><strong>Identity Is At The Heart Of Attacks</strong></h2><p>In "Misconfiguration-Driven Cloud Attacks: A Graph-Based Exploration," <a href="https://www.linkedin.com/in/filipipires/?ref=blog.gitguardian.com"><u>Filipi Pires, Head of Identity Threat Labs at Segura</u></a>, walked us through the attack paths that cloud misconfigurations open up, arguing that the next wave of breaches is converging on identity. He used graph-based IAM visualizations to show how a single mis-scoped <code>iam:AttachUserPolicy</code> grant or an overly permissive <code>Allow *</code> statement can ripple into privilege escalation across an entire organization.</p><p>Filipi said we’ve seen adversaries traverse cloud environments not through zero-days, but through forgotten service accounts, stale role bindings, and group-wide permissions nobody reviewed. In every one of those cases, the machines did exactly what they were told.</p><p>He underscored that without team-level awareness and cross-team conversations about identity hygiene and privilege boundaries, your misconfigured permissions are a disaster waiting to happen. 
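</p><p>As an added example that is not part of the original post and not Pires's own tooling, the Python below treats a constructed IAM snapshot as a graph and searches it for escalation paths. The account id, ARNs, policy names and trust relationships are made up; <code>Deny</code> statements, <code>Condition</code> blocks, permission boundaries and SCPs are deliberately ignored. It shows the two ripples the talk describes: a "self-service" <code>iam:AttachUserPolicy</code> grant whose <code>Resource</code> pattern also matches the caller, and an <code>Allow *</code> policy that a user reaches through a role trust.</p>

```python
# Added example, not code from Pires's talk or from Segura: walk a constructed IAM
# snapshot as a graph and report who can reach admin, and via which misconfiguration.
# Account id, ARNs, policy names and trust relationships are made up; Deny statements,
# Conditions, permission boundaries and SCPs are deliberately out of scope.
from collections import deque
from fnmatch import fnmatchcase

ACCOUNT = "123456789012"  # constructed
ADMIN = "ADMIN"           # synthetic sink node: full control of the account

def arn(kind, name):
    return f"arn:aws:iam::{ACCOUNT}:{kind}/{name}"

# Constructed managed policies in IAM statement shape.
POLICIES = {
    "ReadOnlyLogs": [{"Effect": "Allow", "Action": ["logs:Get*", "logs:Describe*"], "Resource": "*"}],
    # Meant as "devs may tidy their own users", but the pattern also matches the caller,
    # so the caller can attach AdministratorAccess to itself.
    "DevSelfService": [{"Effect": "Allow", "Action": ["iam:AttachUserPolicy"], "Resource": arn("user", "dev-*")}],
    "AssumeDeploy": [{"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": arn("role", "deploy")}],
    "AdminAll": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],  # the classic "Allow *"
}

# Which principal carries which policies, and who each role trusts (constructed).
ATTACHMENTS = {
    arn("user", "dev-alice"): ["ReadOnlyLogs", "DevSelfService"],
    arn("user", "dev-bob"): ["ReadOnlyLogs", "AssumeDeploy"],
    arn("user", "auditor"): ["ReadOnlyLogs"],
    arn("role", "deploy"): ["AdminAll"],
}
TRUST = {arn("role", "deploy"): [arn("user", "dev-bob")]}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def allowed(principal, action, resource):
    """True if an attached Allow statement covers action on resource (fnmatch wildcards;
    real IAM action matching is case-insensitive, which is ignored here)."""
    for name in ATTACHMENTS.get(principal, []):
        for s in POLICIES[name]:
            if (s["Effect"] == "Allow"
                    and any(fnmatchcase(action, a) for a in _as_list(s["Action"]))
                    and any(fnmatchcase(resource, r) for r in _as_list(s["Resource"]))):
                return True
    return False

def full_wildcard(principal):
    """Name of an attached policy granting Allow * on *, else None."""
    for name in ATTACHMENTS.get(principal, []):
        for s in POLICIES[name]:
            if s["Effect"] == "Allow" and "*" in _as_list(s["Action"]) and "*" in _as_list(s["Resource"]):
                return name
    return None

def edges(principal):
    """Escalation edges out of principal as (target, reason) pairs."""
    out = []
    if (name := full_wildcard(principal)):
        out.append((ADMIN, f"{name}: Allow * on *"))
    for action in ("iam:AttachUserPolicy", "iam:PutUserPolicy"):  # write a policy onto yourself
        if allowed(principal, action, principal):
            out.append((ADMIN, f"{action} on self"))
    for other in ATTACHMENTS:  # mint keys for another user = act as that user
        if other != principal and ":user/" in other and allowed(principal, "iam:CreateAccessKey", other):
            out.append((other, f"iam:CreateAccessKey on {other}"))
    for role, trusted in TRUST.items():  # assume a role that trusts you = inherit its rights
        if allowed(principal, "sts:AssumeRole", role) and (principal in trusted or "*" in trusted):
            out.append((role, f"sts:AssumeRole {role}"))
    return out

def escalation_path(start):
    """BFS from start to ADMIN; returns the list of (node, reason) hops, or None."""
    queue, seen = deque([(start, [])]), {start}
    while queue:
        node, path = queue.popleft()
        for target, reason in edges(node):
            hop = path + [(target, reason)]
            if target == ADMIN:
                return hop
            if target not in seen:
                seen.add(target)
                queue.append((target, hop))
    return None

def report():
    """Every principal mapped to its shortest escalation path (None if there is none)."""
    return {p: escalation_path(p) for p in ATTACHMENTS}

if __name__ == "__main__":
    for principal, path in report().items():
        print(principal.split(":")[-1] + ": " + (" -> ".join(r for _, r in path) if path else "no path to admin"))
```

<p>The edges are well-known escalation primitives rather than anything specific to the talk: attaching or putting a policy on yourself, minting access keys for another user, and assuming a role that trusts you. Run as written it reports that <code>dev-alice</code> is one hop from admin through the self-service grant, <code>dev-bob</code> is two hops away via <code>role/deploy</code>, and <code>auditor</code> has no path. Against a real account the same walk would start from <code>iam:GetAccountAuthorizationDetails</code> output instead of hand-written dictionaries, and would have to honor <code>Deny</code>, conditions and boundaries before trusting a "no path" answer.</p><p>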
This is where operational control meets operational empathy. Who created that policy? Who maintains it? Who reviews it? If nobody can answer, that policy is the risk to tackle first.</p><figure class="kg-card kg-image-card kg-card-hascaption"><a href="https://bsky.app/profile/mdwayne-real.bsky.social/post/3lqkp4csajo24?ref=blog.gitguardian.com"><img decoding="async" src="https://lh7-rt.googleusercontent.com/docsz/AD_4nXdTg8UNHSWtLvKiT0dfTRS0VrLKsedn9_1rkPGDXkshUp3cV7etwsmKe94Is-iZMMNyssOZzFiN67v52dMmBG3OicuQogMWBqVvS-UGcHnTOQO8o7U2Sy34D0qeQaNteMLyunWz?key=_jdLMMqBUyogYyao3QoEUg" class="kg-image" alt="Security Isn’t A Solo Sport: Community, Burnout, and Identity at BSides312" loading="lazy" width="624" height="469"></a><figcaption><span style="white-space: pre-wrap;">Filipi Pires</span></figcaption></figure><h2 id="the-mindset-of-the-active-defender"><strong>The Mindset of the Active Defender</strong></h2><p>In her talk, “Defending Beyond Defense,” <a href="https://www.linkedin.com/in/catherine-ullman-26a9406/?ref=blog.gitguardian.com"><u>Dr. Catherine J. Ullman, Principal Security Technology Architect at The University at Buffalo</u></a>, pushed the attendees to abandon the passive posture many security teams still default to. Firewalls, AV, and EDR aren't enough, not because they might ultimately fail or be defeated, but because they cannot adapt quickly enough to the creativity of attackers.</p><p>Instead, she called for a more offensive mindset: not red teaming per se, but red empathy. Understanding how attackers think. Moving beyond the kill chain into continuous detection, graph-based attack mapping, and adversary simulation. Defenders must become curious, experimental, and willing to engage in cognitive hacking.</p><p>This is the community’s next frontier. Not everyone needs to be a BloodHound ninja or a malware developer. But every security team needs to cultivate threat modeling as a lived practice, not a checkbox. 
We must hire for it, train for it, and, crucially, <em>give each other permission</em> to learn it out loud, without shame.</p><figure class="kg-card kg-image-card kg-card-hascaption"><a href="https://bsky.app/profile/mdwayne-real.bsky.social/post/3lql6v5kg7z25?ref=blog.gitguardian.com"><img decoding="async" src="https://lh7-rt.googleusercontent.com/docsz/AD_4nXdBcespKjIJ-KlPja_zzj06u7MHgtKplEjQw7S3RbnCVb8H7e3o4trFfpmvkhpL5rPGBv8BibmpTORTDGr6k7fBmKW7GLCI95RvahK46BL-s4XsSmsCLw2qmWG5_hopAE4KyP8?key=_jdLMMqBUyogYyao3QoEUg" class="kg-image" alt="Security Isn’t A Solo Sport: Community, Burnout, and Identity at BSides312" loading="lazy" width="624" height="469"></a><figcaption><span style="white-space: pre-wrap;">Dr. Catherine J. Ullman</span></figcaption></figure><h2 id="belonging-as-security-architecture"><strong>Belonging As Security Architecture</strong></h2><p>Throughout all the sessions at BSides312, there was a throughline: security cannot scale without humans connecting to other humans. </p><p>We’ve spent decades building architectures of resilience for our systems, but almost none for our people. We harden endpoints, but are willing to leave teams brittle. We rotate credentials, but all too often let burnout linger unspoken. We monitor lateral movement in networks but tend to ignore its human analog in toxic organizations or siloed communications.</p><p>If there was an unspoken call to action, it was that it’s time we admit what we’ve known deep down: community is an operational control. And in an era of generative AI, machine identity explosion, and adversaries leveraging everything from deepfakes to supply chain manipulation, it’s probably our most critical one.</p><h3 id="privilege-delegation-risk-is-a-human-problem"><strong>Privilege Delegation Risk Is A Human Problem</strong></h3><p>Technical privilege escalation often begins with a human failing. It means someone didn’t ask who else had access or didn’t document a decision. 
Someone assumed the IAM policy was inherited safely.</p><p>If the culture penalizes questions, you get more misconfigurations. If onboarding skips context, you get more overprivileged credentials. Every dangling service account, every <code>Allow *</code> policy, every silent failure of least privilege is ultimately a human breakdown, not a YAML one.</p><h3 id="communication-hygiene-is-security-hygiene"><strong>Communication Hygiene Is Security Hygiene</strong></h3><p>Security leaders must internalize that communication is a form of hygiene. Like patching or rotating secrets, maintaining trust through consistent, honest communication is what allows risk signals to propagate and land correctly.</p><p>When pentesters go quiet, the client loses trust. When DevOps teams feel ambushed, they get defensive. When feedback loops die, security suffers. This is not merely a “soft skill.” This is incident prevention, and it is at the heart of improving security.</p><h3 id="psychological-safety-improves-threat-modeling"><strong>Psychological Safety Improves Threat Modeling</strong></h3><p>To threat model effectively, teams must be able to admit what they don’t know, what they’re afraid of, and what they’ve messed up. That’s impossible in fear-driven cultures. It’s only possible when people believe that being wrong won’t get them punished, and being vulnerable won’t get them mocked.</p><p>So yes, build your graphs. Run your red teaming tools and attack your own infrastructure. But also, check in on your people. Are they burned out? Do they feel safe flagging a risky config? Can they say, “I don’t know what that policy does”?</p><p>Security culture is not about who can yell “risk” the loudest. It’s about who listens.</p><h2 id="be-human-first"><strong>Be Human First</strong></h2><p>Walking out of BSides312, it was impossible not to reflect on the security teams that quietly carry so much of the operational risk burden across our industry. 
We triage every misconfiguration, every IAM oddity, every shadow deployment. But who triages the defenders?</p><p>Steve's message from the opening keynote echoed in every hallway: <em>You are enough.</em> But maybe more importantly: <em>You are not alone.</em></p><p>Building on this theme, your author was there to give a talk on Non-Human Identities and how we need to communicate risks better to our developers. Everyone deploying code is human, and we need to always keep this in mind. We build zero-trust architectures, and then trust our people too little. We implement defense-in-depth, and then isolate the humans at the center. The next evolution of security maturity isn’t more automation, more dashboards, or more scans. It’s more connection. It’s better conversations. It’s a culture of care.</p><p>Let’s build that system together. If you are not already a member of your local security community, or an online one, we at GitGuardian encourage you to find your tribe. <a href="https://www.gitguardian.com/events?ref=blog.gitguardian.com"><u>You might even see us there</u></a>. </p><p class="syndicated-attribution">*** This is a Security Bloggers Network syndicated blog from <a href="https://blog.gitguardian.com/">GitGuardian Blog - Take Control of Your Secrets Security</a> authored by <a href="https://securityboulevard.com/author/0/" title="Read other posts by Dwayne McDaniel">Dwayne McDaniel</a>. Read the original post at: <a href="https://blog.gitguardian.com/bsides312-2025/">https://blog.gitguardian.com/bsides312-2025/</a> </p>