Slides: https://static.sched.com/hosted_files/owasp2023globalappsecwashin/ad/Influencing%20Without%20Authority%20-%20The%20Foundations%20of%20a%20Successful%20Security%20Department%20of%20Yes.pdf
In today’s technology and business landscape, security is a critical component of any successful organization. However, driving the goals of a security organization can be challenging, particularly when that organization resides in a different line of business from the product engineering organization it wishes to influence. The speakers will discuss how to leverage several key concepts of “influencing without authority” to successfully partner with non-security stakeholders and drive the strategic objectives of a security organization.
This talk will explore the telltale signs of the security “Department of No,” well-meaning obstructionists who too often impede the larger business through bureaucracy, and how to shift security practices toward empowering the organization through measured, contextual security achievements and partnered collaboration with the rest of the business.
This is not a practice relegated to startups with limited concerns nor only achievable by large institutions with a commensurately large security staff. The security “Department of Yes” is tangible and achievable for organizations of all sizes, including heavily regulated programs.
The speakers will outline several key concepts of influencing without authority and provide practical examples of how these concepts can be applied to a security organization to increase their influence and drive the adoption of security best practices. The talk will also delve into common challenges that security organizations may face when trying to influence others, and provide strategies for overcoming these challenges. The audience will gain a deeper understanding of how to build effective relationships, establish credibility, and create coalitions with other stakeholders to amplify their influence and achieve their goals.
Attendees will leave this talk with a set of actionable strategies that they can use to increase their influence within their organizations, drive the adoption of security best practices, and improve the overall security posture of their business. They will gain an appreciation for the importance of influence and learn how to apply these concepts to drive positive change in their organizations.
Timothy Lisko
DigitalOcean
Senior Director of Security Engineering
Tim Lisko is the Senior Director of Security Engineering at DigitalOcean. He oversees defensive capabilities, including Product Security, Infrastructure Security, Security Software Engineering, Security Observability and Data Analysis, and Trust and Governance. Leaning into nautical terminology at DO, he calls himself a Seakeeper: Seakeeping deals with the ability of a vessel to withstand rough conditions at sea and considers how those conditions impact the humans, systems, and mission capability of the ship. Tim believes this is a perfect analogy for security. In his free time, he's a doting dog owner, an avid distance runner, and surfer.
Ari Kalfus
DigitalOcean
Product Security Manager
Contact Me
https://www.linkedin.com/in/arikalfus/
Ari Kalfus is a security leader and developer enabler who has tricked people like Tim into letting him run application security programs. In the past, he has worked as a security engineer and penetration tester. Ari believes security programs must be rooted in a partnership with the rest of the business via enablement of teams rather than through friction or blocking gates. He currently leads Product Security at DigitalOcean.
Managed by the OWASP® Foundation
https://owasp.org/