DevSecCon London invited Jonny Tyers to speak at their October 2023 hybrid event, hosted at the Snyk London office. His talk, The North Star: Risk-Driven Security, made the case for reorienting security programmes around genuine risk rather than compliance-first thinking.
About the talk
The framing of "north star" was deliberate. Most security programmes have too many inputs competing for attention — vulnerability scanners, audit findings, framework requirements, vendor recommendations. Jonny's argument was that risk should be the single point everything else navigates by. If you can't trace a piece of security work back to a credible threat and a meaningful business impact, it probably shouldn't be at the top of the queue.
The session was part of a double-bill alongside Elie Saad's talk on scaling application security, and was streamed live as well as attended in person.
What the session covered
The talk walked through what risk-driven security looks like in practice — starting with threat modelling as the mechanism for surfacing what actually matters, then showing how that feeds into prioritisation, remediation and communication with leadership.
The key point: getting ahead of the curve on security isn't about doing more things. It's about doing the right things in the right order, which requires a clear picture of your actual threat landscape rather than a list of everything that could theoretically go wrong.
The recording is available on YouTube.
About DevSecCon
DevSecCon is a community-run conference series focused on bringing security into the development lifecycle. Events run across multiple cities, mixing practitioner talks with workshops and open discussion.

Jonny founded Threatplane in 2017. With a background in offensive security, he has spent 15+ years helping organisations across defence, financial services, healthcare, and manufacturing understand and manage their technology risks.