It might surprise many to learn that fortune cookies were not invented in China, but in San Francisco. Around the early 1900s, Japanese and Chinese immigrants created the now-famous cookies, embedding secret messages of wisdom and hope. Like a fortune cookie itself, community resilience in cybersecurity often contains hidden strengths, unexpected yet critical to surviving in a world of uncertainty.

This spirit of hidden resilience defined the conversations at BSides San Francisco 2025, showing that in cybersecurity today, emotional intelligence and community trust are not soft skills; they are operational necessities. Almost 2500 attendees got together to share stories and talk shop on the weekend preceding the RSA Conference. Here are just a few highlights and lessons from the event.

The Strength of Vulnerability

In the keynote session "Sharing Vulnerabilities," Clint Gibler, founder of tl;dr sec, invited us to look beyond technical vulnerabilities toward the personal vulnerabilities we often hide. His keynote was a powerful reminder: behind every badge-wearing security professional is a human being wrestling with doubts, failures, and hard-won lessons.

Drawing on personal stories, Clint illustrated how emotional traps, such as believing that everyone else is "winning," can erode resilience from within. His reflections on experiences like early encouragement from tl;dr sec and small, meaningful gestures from friends served as poignant examples. A simple "hi" at a conference, he reminded us, can change the trajectory of a career.

Importantly, Clint emphasized that diverse backgrounds enrich security, rather than weaken it. He has known people with training in physics, English, theater, and neuroscience who excel in cybersecurity roles. Skills like improv comedy, he argued, directly sharpen security operations by fostering adaptability and quick thinking. He left us with a message that not all time is created equal, and that now is often the time to connect, to build trust, and to strengthen the human fabric of our community.

Clint Gibler projected top right on an IMAX screen at BSidesSF

New Voices, New Energy

While at the event, I met many first-time attendees. I asked one such person, Matteo Merolla from Portland, for his thoughts, and what I heard reinforced Clint's message in a fresh way. Matteo’s experience was emblematic of what makes BSidesSF special: an authentic welcome to new members of all ages and backgrounds.

Here are his words, lightly edited for clarity: "In a space where technical prowess often dominates, the open-armed attitude of 'let's just solve the problem' felt refreshing and critically important. Security isn't a competition for who builds the best tool; it's a collective mission to safeguard what matters most."

Matteo also highlighted how many security tooling companies take a freemium approach, especially for tools that integrate with GitHub. Making quality security tools available to individuals, not just enterprises, aligns perfectly with the ethos of empowering practitioners at every level.

From a security operations perspective, he had many conversations about trust, which left him thinking that "trust-building at the grassroots level strengthens the entire ecosystem." As more newcomers feel empowered to ask questions, contribute, and lead, the industry becomes more adaptable and ultimately more secure against adversarial threats.

Shifting Left is a Team Sport

Your author lent a hand by co-presenting a workshop with Modus Create's Andy Dennis, "Shifting Left: A Hands-on Introductory Guide to DevSecOps." The content drove home another critical message: integrating security into CI/CD pipelines is not just a technical shift, but a cultural one.

Participants learned foundational DevSecOps practices, from secrets scanning and vulnerability detection to handling Software Bills of Materials (SBOMs) and implementing branch protection rules. By guiding participants through live GitHub Actions integrations, we showed that operational security isn't a series of tools layered atop the workflow; it is the workflow.

Importantly, the session emphasized that DevSecOps success relies heavily on culture: developers, security engineers, and platform teams must collaborate early and often. Shifting left isn't just scanning earlier; it's caring earlier. For security leaders, this has major operational risk implications: the earlier misconfigurations, credential exposures, and vulnerable dependencies are caught, the smaller the blast radius when something inevitably goes wrong.

Andy Dennis

Human-First Security Strategy

At first glance, Clint’s emotional storytelling, Matteo’s community reflections, and the DevSecOps workshop might seem only loosely related. But viewed together, a deeper operational truth emerges: resilience in security organizations depends on deliberately fostering human-centered trust and collaboration.

Why Emotional Intelligence is Now a Security Imperative

In an environment where adversaries increasingly use social engineering, psychological operations, and insider recruitment as attack vectors, emotional intelligence is not a luxury. It is armor.

Practitioners who can build trusting relationships inside and outside their teams are better positioned to detect, respond to, and even preempt these human-driven threats. When security culture encourages openness about mistakes, we catch weak points sooner. When junior team members feel safe speaking up, latent vulnerabilities surface before they are exploited. When organizations value diverse backgrounds, they unlock unconventional thinking that attackers often underestimate.

Ignoring this dynamic, conversely, breeds brittleness. Teams silo themselves, burnout spikes, and failure modes compound silently until they cascade catastrophically. Resilience, it turns out, is a deeply human construct, and it must be built intentionally.

Operational Risk Shifts When Community is Weak or Strong

When you prioritize security culture only after a breach, it is already too late. Strengthening community resilience proactively shifts operational risk in powerful ways:

  • Detection surfaces earlier. People feel safer sharing oddities and near-misses.
  • Response becomes swifter. Trust accelerates mobilization during incidents.
  • Attrition drops. Retaining skilled defenders protects institutional knowledge.
  • Innovation increases. Diverse teams solve harder problems faster.

In a threat landscape increasingly defined by shadow AI, agentic automation, and insider risks, having a trusted and resilient human core is perhaps the most overlooked but most critical control.

Building the New Security Baseline

We can't keep layering new scanners on top of old silos and call it progress; the real frontier is human-first security. That starts with leaders who treat emotional intelligence as table stakes, weaving it into every promotion path and interview loop, and who spark peer-to-peer mentorship wherever security folks gather, be it a packed BSides hallway track or a quick cross-team pairing between sprints.

When execs openly share the stories of what blew up in their faces—and the lessons that rose from the ashes—they normalize vulnerability as a mark of maturity, not weakness. Suddenly, those "failure" Slack channels hum with hard-won wisdom instead of blame.

But empathy without enablement is just another feel-good keynote. Give every engineer grassroots tooling that’s as frictionless as GitGuardian’s freemium GitHub scanner, and watch security hygiene become a habit, not a hurdle. Shift your DevSecOps scorecard away from vanity metrics (“we deployed three new tools!”) and toward adoption, engagement, and collaboration—the pulse of a culture that actually uses what it buys.

By 2030, the organizations still standing won’t be the ones that hoarded the most data; they’ll be the ones that protected and empowered the people who create it.

Conclusion: Trust is a Strategic Asset

As BSidesSF 2025 made clear, security today is not a purely technical pursuit. It is about forging trust, fostering resilience, and empowering diverse voices to stand together against evolving threats. Whether you’re introducing DevSecOps practices, mentoring new practitioners, or simply saying "hi" to someone at a conference, you are shaping the operational risk landscape in profound ways.

Let’s stop thinking of security culture as a side project. It is infrastructure. And just like a misplaced secret or an unpatched system, a neglected community can quietly become the vulnerability that brings the house down.

So here's the leadership challenge: What are you doing this week to invest in your team's resilience, not just their compliance?