Source: securityboulevard.com – Author: Dwayne McDaniel
Halifax has always been a city built on readiness. Its ferry system, among the oldest in North America, has connected communities across Halifax Harbour since 1752. It has run through storms, wartime, and centuries of change. The city’s iconic lighthouses, like the one on Georges Island, once guarded British naval fleets and signaled the dangers of hidden shoals. That legacy of vigilance and coordination set the tone for ATLSecCon 2025.
This year’s conference wasn’t just about tech—it was a call to rebuild the human systems that guide us through a modern digital fog. Because no matter how advanced our tools get, we’re still only as prepared as the people behind them.
Over 1400 people got together in Halifax for two full days of the biggest ATLSecCon ever. With three floors of the Halifax Convention Centre packed with a sold-out crowd, the urgency in every hallway conversation and session was unmistakable: cybersecurity’s operational readiness is being undermined not by attackers alone but by the slow erosion of human adaptability inside the enterprise.
Here are just a few highlights and lessons from this year’s event.
Rebuilding the Talent Pipeline Before It Collapses
In her powerful opening keynote, “Building the Cybersecurity Talent Pool,” Lesley Carhart, Technical Director of Incident Response at Dragos, delivered what could be described as a strategic reckoning for the whole of the security industry. Drawing from her decades of experience in industrial incident response, Lesley broke apart the pervasive myth that there are millions of junior security jobs waiting to be filled. Instead, she laid out a more sobering reality: the mid-to-senior level talent gap is where the crisis truly lies.
Cookie-cutter degree programs, survey-based bootcamps, and unrealistic job postings have created an ecosystem where new talent is forced into narrow roles with no real path upward. Worse, hiring managers talk about wanting “good humans,” but systematically filter out non-traditional candidates due to keyword mismatches or typos in resumes.
Lesley emphasized that the paths many of today’s senior practitioners took, such as general IT, helpdesk, and SOC rotation, are no longer accessible in the same ways for the next generation. We demand elite performance from new candidates, she noted, without offering the ecosystems that shaped the previous generation.
Her prescription was direct and actionable:
- Mentor more people with the deliberate intention of fostering the next generation of subject-matter experts.
- Create non-traditional on-ramps and apprenticeships.
- Dismantle toxic cultures, particularly in offensive security.
- Prioritize psychological safety for entry-level and underrepresented candidates.
- Fix the education-to-practice pipeline to emphasize first principles, not tools.
Lesley made it clear: If we continue to neglect this, we won’t just have fewer defenders. We’ll have defenders who can’t adapt and who can’t see novel attacks coming because they were never taught how to think like adversaries.
From Bed Bugs to Threat Detection: Why Baselines Still Matter
In one of the more creatively themed sessions, “From Bed Bugs to Bad Actors: Planning for Compromise,” Veeam’s Alex Crandall and Matt Crape used a hotel horror story to teach a solid principle of security operations: baselining is everything. Just as bedbugs don’t show up in clean hotels by accident, threat actors leave behind traces, but you can only spot them if you know what normal looks like.
The five-part incident response structure (Identify, Classify, Isolate, Remediate, Eliminate) they outlined reinforced the idea that detection is not magic. It’s operational hygiene. Knowing what your systems, users, and data flows look like on a clean day is the only way to detect when something subtle, insidious, or novel appears.
This ties directly back to talent: if our SOC analysts are all trained to click buttons in an EDR dashboard without understanding system baselines or behavioral nuance, we are setting ourselves up for failure. Detection efficacy is directly correlated to cognitive diversity and experiential range—something we won’t get from mono-background hiring.
LLMs in the SOC: Co-Pilots, Not Captains
Jason Keirstead, Consulting Strategy Executive at Simbian, gave a session on “Gen AI in SecOps: Hype vs Concrete Use Cases” that was a realistically grounded take on where LLMs can actually help in security operations. He detailed the rise of the Model Context Protocol (MCP), which enables LLMs to interface with real-world security tools like Shodan, Ghidra, or Burp Suite in standardized ways.
Jason put it this way: “LLMs can enhance threat hunting, automate detection logic refinement, and even help parse complex compliance frameworks.” However, it is not all good news. Without proper controls, they hallucinate, leak data, or overstep. Keirstead emphasized “zero retention” models, human-in-the-loop validation, and clear sourcing of data as must-haves. He warned that the tools will evolve faster than most organizations’ ability to govern them.
So again, we return to human readiness. Who will evaluate the hallucinations? Who will teach the AI what a real escalation looks like in context? This isn’t about tooling, it’s about trust boundaries—both in systems and in people.
The CISO Role Has Outgrown Its Tech Roots
In “Reality Check from the C-Suite,” Darren Gallop unpacked a hard truth: most security professionals are not being trained or mentored to become business leaders. The CISO role, when done right, is not a glorified SOC lead—it’s a strategic position that interfaces directly with boards, drives enterprise risk narratives, and influences culture.
Red flags Darren pointed out in fake-CISO roles included reporting to non-executives or compliance divisions, job descriptions littered with technical tool language, and limited budgetary or strategic influence.
He pushed the audience to self-assess: do you want this role or just the title?
The real CISO skill set centers on executive communication, risk translation, and leadership—not deep technical execution. That work still matters deeply, but it’s not what boards are looking for when they say they need security leadership.
Darren challenged us: if we’re not training our talent pool to think about cross-functional risk, to lead with strategic clarity, and to evolve into these roles, then who are we training them to be?
Our Operational Risk is Human Risk
The most significant insight from ATLSecCon 2025 is this: We are optimizing for technical efficiency in a world where the risk vector is increasingly human-shaped. Whether it’s LLM hallucinations, insider threats, credential misuse, or poor red team culture, our biggest problems aren’t zero-days; they’re zero-awareness.
The Pipeline is Our Perimeter
For all our talk about shifting left and automating everything, we’ve ignored a key truth: A brittle pipeline produces brittle defenders. If we hire only from the same sources, train people only on tools, and reward only those who shout the loudest, we end up with monocultures that can’t adapt to attacker creativity. Operational readiness is about resilience, and resilience comes from diversity of thought, background, and perspective.
Apprenticeships Beat Certifications
Instead of demanding an OSCP and five years of experience for entry-level roles, what would happen if we invested in apprenticeships modeled after skilled trades? Security is no longer a niche; it’s infrastructure. Infrastructure is built through learnable skills, not magic. Apprenticeships offer both accessibility and scalability. We can’t grow a new generation of defenders if we keep raising the bar higher than most can reach.
LLMs Are For Speed, Not Substitution
LLMs won’t replace you, but someone using one probably will. The framing we need is deeper though: LLMs amplify whatever process they’re embedded in. If that process is toxic, biased, or siloed, AI just makes it faster. If your pipeline encourages curiosity, mentoring, and holistic understanding, AI becomes a force multiplier. But it’s not the solution. It’s the accelerant.
Awareness Training Is Not As Good As Security Culture
The closing keynote “Inside the Mind of a Social Engineer: Real Attacks, Hard Truths, and What They Mean for Your Organization” by Stephanie “Snow” Carruthers, Global Lead of Cyber Range and Cyber Crisis Management of X-Force at IBM, hammered home how most social engineering defenses fail not because the attack is brilliant but because the organization lacks a culture of curiosity and questioning. Carruthers showed how she bypassed multimillion-dollar controls by exploiting human predictability, fatigue, and disempowerment.
Her most jarring statistic: most employees get one hour of security training per year—about 0.05% of their work time. And we expect that to be sufficient against adversaries putting in 40+ hours a week?
Security awareness isn’t about slides. It’s about creating an environment where anyone, from the front desk to the cloud architect, knows that curiosity is safety.
Invest in People Like Your Security Depends On It, Because It Does
ATLSecCon 2025 was a wake-up call, not just about AI or ransomware or job market myths, but about how fragile our security posture becomes when we neglect the human dimension. If we want to confront today’s asymmetric threats, we can’t keep gatekeeping the next generation out of the room.
We need more unconventional candidates. We need better mentoring ecosystems. We need HR and security leaders to sit down and redefine what “qualified” looks like in the era of AI and adversarial automation. And above all, we need to rebuild the social contract between organizations and their defenders.
Security isn’t about perfect tools. It’s about imperfect people choosing to do the hard work—together. Your author gave a talk about working across team and organizational boundaries to confront the oncoming crisis of machine identities spiraling out of control without cohesive governance.
If your organization is still struggling with secrets sprawl or needs help building out a more resilient talent pipeline, GitGuardian has resources and tooling that can support that transformation. But more importantly, we’re committed to helping the people behind those systems thrive.
Let’s train better humans. Let’s build better security.
*** This is a Security Bloggers Network syndicated blog from GitGuardian Blog – Take Control of Your Secrets Security authored by Dwayne McDaniel. Read the original post at: https://blog.gitguardian.com/atlseccon-2025-security-readiness-means-human-readiness/
Original Post URL: https://securityboulevard.com/2025/04/atlseccon-2025-security-readiness-means-human-readiness/?utm_source=rss&utm_medium=rss&utm_campaign=atlseccon-2025-security-readiness-means-human-readiness