BSides MKE 2026: Security Maturity in Changing Conditions
BSides Milwaukee 2026 explored the importance of security maturity in changing conditions, emphasizing communication, role clarity, AI governance, and team collaboration. The conference used an aviation decision-making model to show how to communicate and decide effectively under pressure, and discussed the governance challenges of identity expansion and non-human identities. The core point is that security maturity shows up in the connections between systems, people, and organizations, and that successful teams need clear communication, visible ownership, and sustainable system design.

2026-4-13 14:0:56 Author: securityboulevard.com

Milwaukee is a fitting place to talk about change, craft, and the discipline required to keep complex systems moving. The city carries a long industrial memory, and one of its quieter contributions still shapes daily technical work. The first practical typewriter was invented in Milwaukee in 1867 by Christopher Latham Sholes, a step that led to the QWERTY keyboard layout many of us still use. 

That makes a nice backdrop for BSides Milwaukee 2026. Security work has that same mix of legacy, adaptation, and muscle memory. We inherit systems, habits, and interfaces from earlier eras, then try to make good decisions in changing conditions.

This was the third year BSides MKE was held, coming as the "b side" of Cyphercon, "Wisconsin’s largest technology conference." This year's event brought together roughly 300 attendees, 14 speakers, multiple CTFs, and community villages. The conference theme was "Fly." Speakers talked about communication, burnout, governance, team design, and community with the same seriousness usually reserved for detections and exploit chains.

Here are just a few highlights from this year's BSides MKE.

Cockpit Language Matters

In his keynote, "Milwaukee 25L, Cleared for Takeoff? Wait, Are We Ready to Fly?", Josh Mason, Solutions Architect at Synack, discussed aviation discipline and how crews make decisions under pressure. He compared this to the current cyberthreat context: attackers are moving fast, identity abuse keeps rising, and burnout is hollowing out experienced teams. Josh’s real focus sat elsewhere. He kept returning to mission, communication, and the responsibility security teams have to make their work understandable to the rest of the organization.

He exposed a familiar gap. Security teams often know exactly what they mean when they say "CVE," "SIEM," "SOAR," "risk," or "control." The rest of the business usually hears cost, delay, friction, or a request for budget without enough context to act. Josh used cockpit communication as the model for a better approach. Crews stay aligned by speaking clearly, sharing what matters, and giving everyone permission to call out danger. The same discipline applies in a company where marketing, finance, product, and legal all influence what security can accomplish.

Some of the most important security problems today sit in that translation layer. Secrets exposure, third-party trust, and identity misuse are never just technical defects. They shape customer confidence, procurement reviews, and revenue conversations. Josh’s talk argued that security maturity includes knowing how to position findings in terms that the business can absorb and use. He really outlined a path to operational competence.

Leadership At Cruising Altitude

Scott Quenneville, Manager of Enterprise Security Operations and Engineering at ATC, presented "Bridging the Gap: Leading Cybersecurity Teams Across Generations, Skill Sets, and Stakes." This was a practical look at the changes that occur when a security practitioner becomes responsible for other people’s success. The talk stayed close to the realities of the job. Leaders are expected to stay technically credible while also creating direction, coaching talent, managing conflict, and reducing burnout. Those are difficult shifts, especially in a field where urgency can crowd out reflection.

Scott focused on role clarity, decision rights, and the difference between assigning tasks and defining outcomes. Those ideas sound basic until a team starts missing escalations or duplicating work because nobody knows who owns what. Security organizations often accumulate responsibilities faster than they mature their structure. That produces stress, hidden gaps, and brittle execution. His framing treated clarity as a security control. When ownership is vague, risk stays vague too.

The talk also touched on personal well-being. Burnout needs to be treated as an operational problem with visible signals, not as a private weakness for individuals to manage alone. Teams under chronic pressure make worse decisions, avoid healthy conflict, and lose valuable people. Security maturity shows up in calmer ways of working as much as in sharper technical outcomes. A team that can learn, escalate, and recover together will outperform a larger team stuck in confusion and exhaustion.

Governance For The New Crew Members

The session from Qasim Ijaz, Director of Cyber Security at Aveanna Healthcare, called "Practical AI Governance for Sentients," presented one of the clearest operational frameworks of the day. The talk covered model behavior, training data, hidden environmental and human costs, prompt injection, and the growing spread of AI features across enterprise tools. Instead of treating AI governance as a policy document waiting to be written, Qasim treated it as an inventory and control problem that already exists inside most organizations.

That approach starts with a simple question, "What AI do you already have?" Not what the innovation team approved, nor what the board asked about. What tools are actually live right now, with what features enabled by default? What data do they touch, and what logs are generated? That focus on inventory was appreciated. Many teams are already living with shadow AI, internal copilots, retrieval pipelines, and client-facing agents without having a full map of their exposure. Governance has to begin with visibility, or it remains ceremonial.

AI agents act with credentials, call APIs, access data stores, and create new patterns of machine-level access. Those behaviors look a lot like the non-human identity problem that many teams are only beginning to scope properly. A mature program needs to know which agents exist, what secrets they depend on, what permissions they hold, and how those privileges are reviewed. Qasim’s plan, moving from identification to control, monitoring, and measurement, offered a useful structure for teams trying to bring that sprawl under governance before it turns into a familiar cleanup project later.

Maturity Lives In The Connections

Throughout the day, there was a common thread: security maturity rarely appears as a single heroic capability. It appears in the connections between functions, between people, and between technical truth and organizational action. Many talks approached different parts of that same problem. Communication with the business, role clarity inside teams, AI inventories, and stronger communities all pointed toward one shared lesson. Security gets more effective when the connective tissue gets stronger.

Many organizations still evaluate maturity as a stack of controls. Controls matter, though teams do not fail only because a control is missing. They also fail because nobody translated the risk, nobody owned the follow-through, or nobody felt safe enough to say the plan was drifting. We have to address those operational realities the same way we would approach any present adversarial threat.

Identity Keeps Expanding The Boundary

Identity sat underneath far more of the event than the session titles might suggest. Attackers are logging in instead of breaking through obvious perimeter defenses. AI agents are acting with delegated privileges. Access control systems still boil down to whether a presented identity is trusted. Vendor trust reviews increasingly shape how companies buy and sell software. 

All of that expands the boundary of what security teams need to see and govern.

For teams focused on secrets and machine access, this matters a lot right now. Non-human identities in our AI-connected workflows, such as service accounts with their access tokens and other embedded credentials, are no longer secondary concerns. They are part of the main operational surface. Mature programs are the ones that can map those identities, understand their permissions, and connect them back to business risk in language that decision makers can use.

Human Capability Is Infrastructure

One of the best parts of this, or any in-person event, is that it reminds us that the answer to a security problem almost invariably involves skilled humans. Better listening, better coaching, and better follow-up. We need to make more room for learning. More deliberate support for people under stress. 

Those are easy topics to sideline because they do not fit cleanly into procurement cycles or metrics dashboards. They still shape how well a team functions when the pressure rises.

Human capacities are critical parts of an operational infrastructure. A security team with psychological safety, clear ownership, and healthy communication can absorb change with far less damage than a team that has stronger tooling but weaker trust. In changing conditions, the human system around the technical system becomes part of the control plane.

Safely Landing The Plane, Together

We can't separate technical work from the conditions around it. The talks at this year's BSides MKE were full of real threats, hard constraints, and practical tactics, though the day kept returning to a deeper point. Security maturity is the ability to keep making sound decisions when the environment shifts. That requires more than sharp detection logic or one more platform rollout. It requires shared language, visible ownership, trustworthy communities, and a better map of the identities and systems already operating inside the business.

Milwaukee is a city with a long relationship to tools, production, and the craft of making systems usable over time. The typewriter was a design choice made generations ago that still shapes how people work today, and security teams are living with the same reality. We inherit architectures, habits, and assumptions from earlier moments. The real challenge comes from then having to adapt those earlier decisions, made with the best intentions, under new pressures, all without losing control of the mission.

The largest takeaway from the event was that modern challenges live at the intersection of architecture, identity, operations, and organizational maturity. The most successful teams learn how to inventory carefully, communicate clearly, and build systems that people can actually sustain. And they do it together, in a way that helps the whole flight crew fly a successful mission. 

The post BSides MKE 2026: Security Maturity in Changing Conditions appeared first on GitGuardian Blog – Take Control of Your Secrets Security.

*** This is a Security Bloggers Network syndicated blog from GitGuardian Blog - Take Control of Your Secrets Security authored by Dwayne McDaniel. Read the original post at: https://blog.gitguardian.com/bsides-mke-2026/


Article source: https://securityboulevard.com/2026/04/bsides-mke-2026-security-maturity-in-changing-conditions/