It has been said “information wants to be free.” A corollary to this could be “security wants to fail.” And fail it does, time and time again. Security projects are often unsuccessful because of poor or absent process, mismanaged technology and resistant employees. Traditionally, we solve this problem by tightening the screws, but is that the most effective approach, or does it just make things worse? By exploring ideas from Agile Development, Lean Manufacturing, Psychology, Economics and Complexity Science, this presentation explains why we’re in the mess we’re in and how we might get out of it. It discusses why constantly improving “better practice” is better than “best practice”; why focusing on learning is better than focusing on checklists; and why expensive technology often fails to actually solve security problems. Finally, it discusses systemic issues and why so much of our time is spent fighting ourselves instead of the bad guys.