Roland Turner


Thrift Shop Security: Why you don't Need a Bank's Budget to Defend Your Network

A top-down photograph captures an open Leatherman Wave multi-tool resting on a worn wooden table next to an open wire-bound notebook. The metal tool, with pliers, a saw blade, and several screwdrivers deployed, is positioned diagonally. The notebook on the left contains hand-drawn diagrams and notes in black ink, including 'NETWORK ARCHITECTURE', 'EXPLOITATION', and 'INCIDENT RESPONSE'. A pencil lies beside the notebook. Natural light illuminates the scene from a window at the top edge.

I spent years negotiating security audits with global giants. The secret? You don’t need to match their spend to match their security.

For a significant part of my career, I served as Chief Privacy Officer and CISO at TrustSphere. We were a lean, agile organisation of 20 to 40 people at different times. Our major customers, however, were some of the largest organisations on the planet: multinationals with 250,000 to 500,000 personnel. A large part of my job was to sit across the table from their security officers and find a path to partnership.

These organisations assumed we operated like them. They often expected that we had ticked every single configuration box in our infrastructure — incurring massive design, implementation, and operating costs — simply because they had the budget to do so in their infrastructure. It was a form of bureaucratic insurance: if you tick every box, regardless of the actual risk, you cannot be blamed.

I didn’t have the budget to tick boxes for the sake of it. I had to be rational.

I had to identify the actual risks (particularly cybercriminals and state-backed APTs) and treat them efficiently. We got to yes more than 95% of the time, not because we bought the expensive appliances that they assumed but because we could demonstrate that our risk-based controls were just as effective at addressing the relevant risks as their budget-based ones were.

The security poverty line

This experience reinforced two fundamental truths of our industry:

This is why we selected Cherlynn’s talk for the Cybersecurity & Privacy track at FOSSASIA 2026.

Meet the speaker: Cherlynn

Cherlynn is the Head of Security Operations and a member of the founding team at ExpressVPN.

While she helps secure a global privacy company, her philosophy is deeply rooted in resource-constrained defence. In her writing for TechCrunch she has argued that startups and NGOs can enhance their security posture not by spending more, but by thinking more clearly, specifically through threat modelling.

She understands that for a journalist in a conflict zone or a non-profit protecting whistleblower data, security isn’t about buying a “product”. It is about understanding your specific “crown jewels”, mapping the threats against them, and applying the right mitigation, whether that costs $1,000,000 or $0.

The session: Thrift shop security

On Monday, March 9, Cherlynn will present Thrift Shop Security: How to Build Security Capabilities Without Breaking the Bank.

This session is an antidote to the cybersecurity-industrial complex. Rather than focusing on specific vendor tools, she will demonstrate how to build an enterprise-grade defensive capability using F/OSS principles. She will cover:

Why This Matters

If security is a luxury good, then privacy becomes a privilege of the wealthy. That is a future that we cannot accept.

By mastering these thrift shop approaches we do more than just save money. We democratise safety. We ensure that a human rights NGO — or a 40-person startup working with a 500,000-person customer — can stand their ground against the same adversaries.

Join Us


Thrift Shop Security: Why you don't Need a Bank's Budget to Defend Your Network © 2026 by Roland Turner is licensed under CC BY-SA 4.0