Osama Okunbo
Security Engineer, Immibuddy
Ipswich, United Kingdom
Actions
Osama Okunbo is a Security and Software Engineer who consults with startups and scaleups on cloud-native security, Kubernetes, and compliance. Before working in tech he competed as a professional Judoka and studied Sports Science, eventually transitioning into software engineering through game development before finding his way into cloud security and DevSecOps. He leads security engineering at Immibuddy, a Canadian immigration SaaS platform, and holds consulting clients in fintech and retail. He is the author of Hello Fraud: Why You Feel Like an Impostor in Tech and How to Fix It and holds an MSc in Cybersecurity from the University of Suffolk. He spoke at Manchester Tech Festival 2025 on agentic AI in cybersecurity.
Area of Expertise
Topics
I Threw People for a Living. Then I Opened My First Terminal.
In judo you always know how good you are. Someone throws you or they don't. There's a scoreboard. There are belts, you can see what you've earned and what's next. You lose in public constantly, in front of everyone, and nobody thinks less of you for it; that's just training. And the first thing they teach you isn't how to throw someone. It's ukemi how to fall without getting hurt. You spend months learning to be thrown before you're allowed to attack.
I did that for years, professionally. Then I moved into tech, sports science, then game development, then cloud security and every one of those things was gone.
Here's what took me years to work out, and it's the whole talk: impostor syndrome isn't a personal defect. It's what happens when you take a person out of a system with feedback and drop them into one without any. Tech has no scoreboard nobody tells you if you're good. It has no belts progression is invisible and the titles don't mean the same thing at two companies. Failing in public isn't training here, it's a performance review. And nobody teaches you ukemi. You're expected to attack from day one, and when you get thrown you have no idea whether that's normal or whether you're finished.
Four things judo had. Tech has none of them. That's the diagnosis, and I'll go through them one at a time.
I wrote a book about this, which means people wrote back engineers, career-changers, people ten years in. The thing that comes up over and over: everyone assumes they're the only one, and they're all assuming it about each other.
Then the fix, which isn't confidence. Confidence advice fails because this isn't a confidence problem you simply have no data on yourself, so you fill the gap with the worst available assumption. So build the missing structures yourself. Make your own scoreboard: an actual file of what you shipped and what you fixed, because your memory won't do it for you. Learn ukemi deliberately practise failing where it's cheap, so you know how it feels before you fail where it's expensive. Find your randori: somewhere you can be thrown regularly without it counting against you.
I got thrown more times than I can count and never once thought I didn't belong on the mat. Falling was the training, not the verdict. Tech taught me to read the same event as proof I was a fraud. That's the mistake, and it's worth naming out loud.
The 4C's of Cloud Native Security: A Layered Defence from Code to Cloud
93% of organisations have at least one overprivileged Kubernetes service account. Most teams bolt on security tools, react to CVEs, and hope for the best because they never learned to think about cloud native security as layers. The Kubernetes documentation defines four of them: Cloud, Cluster, Container, and Code.
In this talk, I'll walk through each layer using real production examples. How enabling AWS Security Hub and GuardDuty revealed blind spots we didn't know existed. Why RBAC misconfigurations and missing network policies are quietly exposing clusters everywhere. How Trivy caught vulnerabilities in base images we'd been shipping for months. And how Semgrep and Gitleaks in our CI/CD pipeline caught a hardcoded API key before it ever hit production.
You'll leave with a practical framework for evaluating your own security posture layer by layer and a set of tools you can start using this week.
Securing Distributed Systems When You're Not a FAANG Company
80% of organisations experienced a cloud security incident last year. Misconfigurations account for nearly 40% of breaches. Non-human identities outnumber humans 45-to-1. The reports are loud and clear, but they're written for companies with dedicated SOCs and six-figure tooling budgets. What about the rest of us?
I run security for a 25-person SaaS company. No SOC, no CNAPP platform, no dedicated security team. Just me. This talk is the honest version of what securing a distributed system on AWS and Kubernetes actually looks like at that scale. I'll cover the three things that moved the needle most: getting cloud posture right with the security tools AWS already gives you but most teams never turn on, locking down identity and access so overprivileged service accounts stop being your biggest attack surface, and building compliance into your workflow so ISO 27001, GDPR and SOC2 stop being a yearly fire drill.
If you're a developer, architect, or team lead at a company that isn't Google and you know your security posture needs work but don't know where to start, this one's for you.
Please note that Sessionize is not responsible for the accuracy or validity of the data provided by speakers. If you suspect this profile to be fake or spam, please let us know.
Jump to top