Security BSides Las Vegas 2025

Security Theater, Now Playing: When Security Is a Sideshow Instead of a Strategy
2025-08-05, Firenze

Security teams love policies, frameworks, and well-intentioned controls—but when those efforts lack product or business context, they’re often just… theater. In this talk, I’ll share what happened when I joined a security program driven by compliance rather than clarity, and how that led to friction, rework, and wasted energy. Through real-world examples from a fast-moving startup, I’ll walk through how we started rebuilding trust with teams who didn’t want to work with us—by first learning how our product actually worked and what the business actually needed. You’ll leave with questions every security team should be asking their product counterparts, tactics for embedding security into the roadmap without slowing it down, and ideas for transforming from checkbox-driven blockers into true partners. Whether you’re leading a program or just trying to get un-ghosted by your engineers, this talk will help you make security relevant, respected, and real.


Security programs built on frameworks, checklists, and best practices can look great on paper—but without a deep understanding of the product and the business, they often fail to drive real outcomes. At best, they create friction. At worst, they create risk where there was none.

In this talk, I’ll share my journey inheriting a security program at a fast-paced fintech startup that was built entirely through the lens of compliance—without aligning to how the product worked or how the company actually made money. Security was seen as a service function, not a partner. Trust was low, leadership was in flux, and teams carried “security trauma” from past engagements at previous companies.

Through real examples and hard lessons, I’ll walk through how we started turning things around by asking better questions, building fluency in the business, and rethinking what effective security looks like. I’ll cover:

  • How misunderstanding the product led us to focus on the wrong risks

  • Key questions we started asking product, engineering, and leadership

  • Tactical strategies for embedding security into the development lifecycle without slowing teams down

  • How we shifted our posture from service provider to strategic enabler

  • How AI and automation gave us back time and influence when headcount wasn’t an option

This talk blends storytelling, leadership lessons, and practical takeaways. It's designed for anyone trying to build or mature a security program in an environment with limited resources, unclear ownership, or complex dynamics. If you’re tired of playing defense in the dark—or struggling to get buy-in from teams that don’t trust you—this talk will give you a new lens and real strategies for making security work with the business, not just alongside it.

Mia Kralowetz is a security leader at Upside, where she is rebuilding a security program from the ground up—with empathy, AI, and just enough chaos. A career changer who once managed retail stores, ran finance and compliance teams, and worked as a life coach, she found her way into security through a love of tinkering and a desire to understand how things work.

Her first security project was featured in a coworker's Proving Ground talk six years ago, and since then she has focused on DevSecOps and pentesting. Today, she's passionate about using security to build trust, not fear, and about enabling teams instead of blocking them—especially in environments marked by distrust, resource constraints, and rapid change.

This is her first time at BSidesLV as a speaker—and it feels like a full-circle moment.