The strongest walls eventually fail—but adaptive systems endure. In this must-watch session from Prodacity 2025, Andrés Vega, Founder & CEO of M42, explains why static defenses no longer work in modern cybersecurity and how organizations can build security systems that evolve as fast as their adversaries.

Drawing parallels between historical military failures like the Maginot Line and modern cyber threats, Vega highlights why rigid security and compliance models leave organizations exposed—and what to do instead. If you’re serious about securing critical infrastructure, automating compliance, and preparing for post-quantum security challenges, this talk is for you.

🔹 Key Topics Covered:

• Why static security models fail against adaptive threats
• The Maginot Line parallel: How security history keeps repeating itself
• How modern security threats require continuous evolution
• Why compliance ≠ security—and how to balance both effectively
• The chess analogy for cybersecurity: Planning against intelligent adversaries
• How open-source security frameworks like in-toto, Sigstore, & SPIFFE can help

🕒 Key Highlights & Timestamps:
[00:03] - Introduction: Why modern security faces the same failures as historical defenses
[01:46] - The Maginot Line: A lesson in false security & adversary adaptation
[03:31] - Why cybersecurity is a sociotechnical challenge, not just a technical one
[04:40] - How quantum computing & AI change the cybersecurity game
[06:49] - The flaws of perimeter-based security in an agile, cloud-native world
[09:26] - Compliance vs. security: Why checking the box isn’t enough
[11:28] - Why governance & compliance automation are critical for secure deployments
[13:08] - The Sorcerer’s Apprentice problem: Why automation must be intentional
[15:21] - Lessons from highly regulated industries & real-world security failures
[17:04] - The three Rs of cybersecurity: Repave, Repair, Rotate
[19:49] - How modern open-source security frameworks improve resilience
[22:42] - Final thoughts: Choose your path—build security that evolves with threats

🔗 Stay Connected:
Learn more about Prodacity: https://www.rise8.us/prodacity
Follow us on X: https://x.com/Rise8_Inc
Connect with us on LinkedIn: https://www.linkedin.com/company/rise8/

‍

Andrés Vega (00:03):

What's good everyone, so you make sure I get a handle the clicker. Thanks for being here. More importantly, thanks for the work you do. We'll explore how modern software security faces the same fundamental challenges as one of history's most famous defensive failures, and more importantly, how we can avoid repeating those mistakes. Before we dive into modern security challenges, let's understand why static defenses, no matter how impressive, often fail to protect us against our adversaries. The Maginot Line represents the ultimate example of solving problems. We think we have. France spent billions to what would amount past $9 billion today on immobile defenses while Germany was developing mobile warfare. The parallel to modern security is strikingly similar. We often build impressive defenses while our adversaries simply go right through or develop ways to go around them. The stakes in security and compliance failures are staggering. Recent breaches across federal agencies have exposed sensitive data affecting national security, intellectual property, and critical infrastructure. The impact cascades beyond immediate data loss to long-term existentially. The costs are not just reputational, they're not just financial, they're existential. Even more concerning, these failures occur in organizations that believe they're doing everything right.

(01:46):

There's a crucial difference between random system failures when we think of availability or reliability and security threats. While we can predict and manage random failures with statistics, security threats come from intelligent adversaries who adapt to our defenses. A proper analogy to think of this is chess. If you write a computer chess program very simply, you can counter random moves, but it takes a lot more sophistication to beat a strategic opponent. Now, security is not really a technical problem. It is ultimately a sociotechnical challenge, and sociotechnical is one of those terms that might sound buzzword bingo of modernization and has become a little bit tried. But we need to understand how technology interfaces with people to build adaptive defenses. The term social technical originates from the fifties. When the conveyor belt got introduced into coal mining, Eric Trist and the Travis Stock Institute studied how where mechanization was supposed to increase productivity. It actually decreased how workers got around because they were no longer communicating as they had this conveyor belt between the different functions of what it took to blow up a wall. Now tries proposed that manufacturing and many other systems have both technical and human social aspects that are tightly bound and interconnected. Moreover is the interconnections between those individual elements that determine the ultimate system performance.

(03:31):

In today's age, there are supercomputers everywhere connecting all human knowledge with high speed networks, but at the same time as connected to bad actors. These modern security boundaries phase a fundamental paradox. The same networks that enable critical operations, tactical operations can become attack vectors, and that's why we need to move beyond the fortress mentality towards something much more adaptive. Does network walls provide fiscal separation through hardware-based security that made sense in a world of fixed infrastructure, but not in a world of high rates of fluctuation and refactoring of workloads? The dynamic missions of today required solutions that can adapt as quickly as adversaries do. The quantum threat makes this even more urgent, and the value of quantum resistant is not just in the hypothetical breakthrough of quantum computers, although that's been advancing, but on the increased foot gun resistance of this algorithms with higher mathematical complexity.

(04:40):

As we look at NIST 203, 204, but for much as we have, there's different networks of classifications and sensitivities that's not really zero trust that's still very much parameterized. So we must rethink at a data-centric level how we verify and validate every interaction in the system so this traditional boundaries can evaporate as much as they've done in the clout. Organizationally speaking, we have an audit and governance and compliance, these boundaries between roles, but these lines are increasingly blurred and the rapid deployment of software is very much at odds with the toil of manual evidence gathering. On average, organizations have spent 127 hours of evidence collection in order to deploy a release for all that's been invested in continuous delivery. That's not the case in regulated industries where there are gating controls unless you produce all the necessary screenshots of spreadsheets and filled out all the questionnaires.

(05:56):

I have never really spoken about this in public. I'm going to relate a childhood, one of my possibly earliest memories. I grew up abroad not far from here in the Andes Mountains in the city of Bogota, Columbia. It's 8,600 feet, 10 million people. Despite what Netflix would have you believe, the American presence wasn't limited to 2D EA agents. The American presence was in the hundreds. We lived in a neighborhood where a lot of foreign officials recited that included DEA Marines and other foreign officials, and like the Maginot Line line, it seemed we had formidable defenses, but adversaries don't play by the rules. I remember playing with pushback cars, sending them flying down the staircase when the bomb squad came knocking on the door, and this wasn't just a average threat routine, they came with a truck. They rolled out a explosive ordinance disposal robot, one of the first generations of an Andros.

(07:10):

At the time, it was the epitome of counter-terrorism, but as they got it off the truck, the arms of the robot just spun in circles and the bomb squad faced a critical problem. Their very sophisticated equipment they had just received as a donation from the United States was rendered useless by something as basic as a language barrier. The manual was written in English. My grandfather managed to get ahold of the manual and he became this unexpected bridge between the technology and the operators with the basic English he had, but he had an engineering background. He was able to figure out the ES schematics for the reboot procedures, recalibration and do the necessary frequency adjustment to get the robot working and the process, they determined that this was a secondary threat attack. The whole thing was a setup. The car was parked on top of the gas lines that supplied the entire neighborhood and the same block where the DA residences and the Marines, and there were eight other cars fully loaded with dynamite, all sagging under the weight from it.

(08:19):

So it is crucial point that the most sophisticated tools are only as effective as our ability to implement them in real world situations on the pressure when life is at stake. As such, modern systems must assume that compromises will happen. The question is an if is a question of when. That means moving away from perimeters, long lift credentials, shared secrets, and move towards systems that remain secure, like partially compromised as is the case with most software packages, repositories and the advances that have been made in open source around supply chain security. So for instance, signing updates with a single key using classical encryption is not sufficient. So a trade-off of when do we use online keys versus offline keys and we compartmentalize and we retire all metadata once more. If we look at organizations, and this is primarily an analysis of entities and private sector.

(09:26):

Each role is playing a game of chess in their head that they all believe they're winning. They all have the different priorities, perspectives and selfish interests. And pressure always falls down when there's a non-compliance event or an audit goes sideways or there's a breach for all the stakeholders involved. There's the downward pressure on the development team, on the platform team to go address this and this cast of characters. You're going to have the people in the CISOs organization focused on trust and safety, protecting the reputation of the organization, minimizing liability, and then the CIO organization is going to be focused on development and operations. And there's a critical dynamic that gets overlooked when things go sideways is once more the developer that needs to figure out the deficiencies, map those back to implemented procedures and correct them. So at the bottom of it cascades, the developer is ultimately concerned ahead of time.

(10:29):

How do I write safe code while dealing with all these requirements? And they become very much like a Mickey Mouse trying to scramble for all the competing demands as those occur and the systems that we build. For most part, it's become software all the way down. Everything's software defined except for things that happen at layer one and layer two and security and compliance, which once more relies on spreadsheets and manual processes as someone put it on the internet. This is the, okay, my slide disappeared there. What's your compliance and security stack? They say Excel tears in whiskey, and I can relate to that. I'm sure a number of you do too. So there's this impetus to automate governance and automate how we demonstrate we have this controls in place, but in the effort to overcome that, we fall in this trap of what I call the sorcerer's apprentice.

(11:28):

You remember Fantasia? So Mickey Mouse learns a few magical incantations of automation, but without understanding the whole architecture or the entire system, he quickly loses controls so the developers can find themselves frantically flipping through the pages while underwater and trying to contain the chaos that's been unleashed. The key insight is when you're investing in automation, you shouldn't try to automate the existing processes or the existing architecture that exists, but rather understand the reason why it exists in first place. A recurrent theme throughout the conference has been outcomes and as scenarios, what are the outcomes and as scenarios that we're trying to achieve, what are the efficiencies that we're after? Designing systems from the ground up to be automated is much more powerful than trying to design systems that weren't designed to be automated in first place. We have a bal Inized landscape of technology. No matter how much automation you throw at it, the systems are not going to interoperate or integrate in a meaningful way. So that's the difference between Mickey Mouse commanding the boom, the brooms versus having the purpose to ultimately stop the flaw that's unleashed. So once more important to focus on the why rather than the what Many of the problems you're trying to solve will disappear that way. You don't need to automate the process of filling the water buckets if you automate the process and understand how water needs to flow and where it needs to flow.

(13:08):

Recently in social media discourse has reemerged. Many thought leaders proclaim well, compliance is security because that's what the CISO will spend the money on, but that's not the case. Compliance might protect you from getting slapped by the regulator or it might get you from the path to production, but it will not sta off the adversary. Compliance is both a goal and a constraint. It can become a maze of checking those boxes. And when you lose track of that being, that becomes more important than staying safe and protecting the op time. You need to find the thread that traces you back where you got to be. A lot of security practitioners at high performing software organizations, they have deployment frequency of multiple times per day. Short lead times, short mean times to resolution, very low change failure rate. And despite of that, they still get breached.

(14:15):

They still get regulatory enforcement. We hear of all these organizations that we presume they have their act together, but then we find about the fines, the lawsuits, the civil money penalties, the cease and desist orders, shareholder litigation and public mistrust inspired on real world incidents that have occurred in the last decade and the vein of the Phoenix project. A number of folks in the community got together and rewrote a fictional story. Investments Unlimited. The title might only make sense if you read the Phoenix Project Parts. I believe firmly, we should have called it the Mandatory Project, but well, naming things is hard. Happy to discuss more of the book at signing. But rapidly growing organization crosses the threshold where they go highly regulated and the office of controller of currency brings to their attention through a letter. Matter requires immediate attention. Yes, you're hitting all the Dora metrics, but you have all these deficiencies on your cybersecurity and risk management practices.

(15:21):

And how do they go to address that? Get their act together, build a coalition. They overcome those walls of confusion throughout the different stakeholders on the organization and the solution they realize is not building more walls or more process instead is laying down a clear path that enables rapid security will have an explainability and understanding of the process. That's where automation and automated governance and attestations come in. Much like 12 factor apps revolutionized how we build cloud applications. We need clear principles for building trustworthy systems. We want a declaration that the event occurred in the pipeline, the step and the task. We want a granular identification of the asset in question and the inventory on your CMDB. We want timestamps with context. We want the metadata for the conditions that created the event detailed output. Then we need that evaluated against the organizational policy and the control determine if it's a pass or fail. There should be enough information to rerun it and reproduce it should be checked in, should be machine interpretable. The data should have been marshaled, should be digitally signed for it to be cryptographically verifiable. Ideally, what the advances and formal verification should be mathematically provable and that will ultimately lend to assurance that is being consistently enforced across your environments.

(17:04):

A lot of pivotal heritage in the house and castle run, great manifestation of the three Rs of cybersecurity, repave, repair and rotate repave infrastructure from the last known compliance state and do this often repair vulnerabilities as soon as they emerge. Make those rolling updates ideally over the air and rotate system credentials, frequently move away from shared secrets, ephemeral credentials that have short times to live that enable least privilege. So once more, that falls dichotomy between technical excellence and governance. There's the gap between what we can do technically and how we express compliance. But if we have CICD, but we have to go through the change management board to get to production, what are we even doing? Rapid deployment. But then we go through an eight week audit cycle and then we have infrastructure as code, but then we're checking boxes manually now for most of the pioneers in the space, outliers that are broken through and have the exemplars, a lot of those problems are solved.

(18:31):

Things that have been written in modern programming languages and run in Kubernetes. The reality of the fence is you have cyber physical systems across the oceans. You have systems edge devices on space. So there are many tactical use cases that are not cloud. So getting software over the air in a consistent and compliant manner is the opportunity that we're here to. I may not have immediate answers, but I'm here to have conversations that we can reason about how to tackle the problem. Head on architecture matters. I am a strong proponent of open source software. While these remain state-of-the-art, they are mature projects from the last decade that have enabled to solve these problems in a more thoughtful, more skillful way. EBPF external Berkeley packet processor enables a fast kernel data path. It allows you to do telemetry policy enforcement without relying on net filters or IP tables and do it in a very high performing fashion before the traffic hits the wire.

(19:49):

And toto started by the Secure Systems lab at New York University under the advisory of Justin Cappos is a open metadata standard for the defining the layout of your supply chain. So you say, here's my source, here are my inputs, here's the expected outcome. So when you're thinking of automated governance, that can be the manifest for that. Okay, we know there's a variance. There's been a backdoor or breach and it's a great, great framework for protecting against nation state attacks. Sister project to it or actually the parent of in toto is called the update framework, which is a framework for securing over the air update systems. There's the implementation called Optane, which is the reference for automotive Great Linux and how 30% of the automotive industry performs automatic updates over the air. I got nerd sniped over the dinner by a gentleman in the audience. I shared that my wife works at a company that does software for cruise ships, commercial cruise ships like, well, how do they keep software updated?

(20:59):

How do they do that so tough. Obtain and toto are part of that architecture that enables protection for the package repositories and getting software securely to large fleets of mobile assets. Six store for digital signing spiff spire, which are a short lived cryptographically verifiable identities that led you do mutual transport layer security. There's been contributions to the project by my organization fitting the new post quantum algorithms to it, and then from Amazon, formal verification policy engine to express your IM to express some of your regulatory objectives as code and have those enforced. So the Maginot Line ultimately failed not because it was poorly built, but because it solved for the understanding they had, but it didn't see how the adversary had been scanning the defenses and doing offensive security. Today, we risk making the same mistake by our current security and compliance approaches, but we have an opportunity to do better attestation frameworks that provide real verification, automation that understands context systems designed for continuous renewal and teams that are built around shared understanding. If you don't recognize the picture on the right, that's a great movie. Land of bad, great illustration of what happens when tactical systems fail and how resourceful we ought to be.

(22:42):

Take action. Choose your path forward. Remember that the strongest walls eventually fail, but adaptive systems endure and we should be building security that evolves as fast as the threats we face. We have a number of book copies for investments and unlimited that I'm available for signing and talk a little bit more about the book or anything that I might've said that piqued your interest. Thank you very much.

‍