Death to the Spreadsheet: Breaking the Cycle of Security Theater

Anyone who has struggled through the rituals of security theater will instantly recognize its uselessness and, hopefully, gain some insight into how to do security in a much better way, one where platform teams actually enjoy owning their security posture.

Compliance is not security, but for many organizations the two look identical: an annual fire drill of manual spreadsheets, stale screenshots, and “check-the-box” exercises. Pure Security Theater — a performance that satisfies auditors with a snapshot in time but fails to defend against a living threat landscape. In this session, we’ll discuss how to dismantle the spreadsheet-driven security model and replace it with Applied DevSecOps, and how to bridge the gap between static security requirements and the reality of high-velocity engineering. Using CIS Control 16 as a practical lens, we will lay out the blueprint for “Continuous Governance”:

  • Exposing the Theater: Why manual evidence collection (like inventories and static policies) is obsolete the moment a developer hits “merge.”
  • Building the “Paved Road”: Shifting from manual “gates” to automated “guardrails” that live inside the IDE and CI/CD pipeline.
  • Compliance as a Side Effect: How to architect your platform so that audit evidence is generated as a telemetry byproduct of the build process, rather than a manual post-mortem.
  • The Culture of Ownership: Moving security responsibility to Platform Engineers and Team Leads without creating new bottlenecks.

Whether you are a Lead managing risk or a Practitioner tired of “compliance toil,” you will leave with a practical take on turning any static security control into a living, automated part of your ecosystem.

Spreadsheets are shit
I’ll show you another way
You will love it

Alexandra