Session

Death to the Spreadsheet: Breaking the Cycle of "Security Theater"

Compliance is not security, but for many organizations, they look identical: an annual fire drill of manual spreadsheets, stale screenshots, and "check-the-box" exercises. Pure Security Theater — a performance that satisfies auditors with a snapshot in time but fails to defend against a living threat landscape.
In this session, we’ll discuss how to dismantle the spreadsheet-driven security model and replace it with Applied DevSecOps. We will explore how to bridge the gap between static security requirements and the reality of high-velocity engineering.
Using CIS Control 16 as a practical lens, we will explore the blueprint for "Continuous Governance":

- Exposing the Theater: Why manual evidence collection (like inventories and static policies) is obsolete the moment a developer hits "merge."
- Building the "Paved Road": Shifting from manual "gates" to automated "guardrails" that live inside the IDE and CI/CD pipeline.
- Compliance as a Side Effect: How to architect your platform so that audit evidence is generated as a telemetry byproduct of the build process, rather than a manual post-mortem.
- The Culture of Ownership: Moving security responsibility to Platform Engineers and Team Leads without creating new bottlenecks.

Whether you are a Lead managing risk or a Practitioner tired of "compliance toil," you will leave with a practical take on turning any static security control into a living, automated part of your ecosystem.

Alexandra Hou Aldershaab

DevOps Consultant at Eficode

Silkeborg, Denmark
