News from the ‘Events’ Category

Business vs. Security: Let’s get ready to rumble!!!

I am currently preparing for the Business vs. Security panel that I am moderating at the Source:Boston conference on Wednesday, March 11th from 4:15-5:30pm.

You can read about it here. Click the link that says "The end of our rope: the ongoing tug-o-war between business and security". The gist is that we get two business people and two security people together, and they discuss the finer points of managing business and security requirements in real-world environments. Many of us have been there. Security people have a notoriously difficult time convincing the business that security is important, and business folks are just trying to run the company and often view security as a speed bump.

I’m very excited to moderate this panel two years in a row. It is relatively rare to get security and business people together at one table with the sole purpose of discussing how security impacts real-world decisions. As they say on TV, "Let’s get ready to rumble!"

How you can help

Below are some examples of questions I could ask the panelists. I have a much longer list, but I think it would be much more interesting to open this up to the security community. So, given this opportunity, what questions would YOU like me to ask the panelists?

Sample questions:
  • When you are ‘selling’ security, how do you get appropriate attention when you are talking about what MIGHT happen instead of things that ARE happening? You are essentially asking people to spend money on a problem that "THEY DON’T HAVE". How do you justify the expense?
  • Whose responsibility IS it to manage security?
  • With security, it is possible to spend an unknown amount of money on an intangible problem. What is the right amount to spend?
  • As an industry, security people tend to NOT be very good at communicating security concepts to NON security people. How do you communicate technical security concepts to business people in a way that they get it?

See you at the conference!
–rob

Paul Hinkle presenting at SD West on March 13th

Banking on Education: A Case Study on Developer Security Training

Speaker: Paul Hinkle (Chief Technology Officer, Safelight Security Advisors)
Date/Time: Friday (March 13, 2009) 1:30pm — 3:00pm
Track: Security
Presentation Format: 90-minute Case Studies
Audience level: All

Presentation Abstract

Four years in the making, State Street Bank has created a pioneering security education program for its internal developers: both employees and contractors located in multiple countries. This case study will discuss how to properly implement an internal security training program. It will discuss the unique challenges State Street faced, how they were addressed, and the process the company went through to create a successful training program that is now mandatory for all staff involved in systems development worldwide.

Please email info@securityadvisors.com for a discount code to receive $100 off the lowest price.

Safelight Trains Government Security Leaders at Conference on California’s Future

Educates IT staff and developers on the latest threats and how to secure Web applications

What: Conference on California’s Future
When: May 12-16, 2008

Sacramento Convention Center
1400 J Street Sacramento, California 95814

Instructor: Paul Hinkle, CTO, Safelight Security Advisors

Security Training

Threat Update

Monday, May 12, 2008, 9:00 a.m. – 12:00 p.m.

Audience: IT network administrators and managers

The news is full of stories of stolen laptops, hacked databases and identity theft on a massive scale. From social engineering and spam to directed attacks and virtualized rootkits, learn how different threats may impact the overall security posture of your organization. This half-day course brings you up to date with the latest attack methods and anticipates some of the changes the industry expects in the near future.

Securing your Web Applications

Monday, May 12, 2008, 1:30 p.m. – 4:30 p.m.

Audience: application developers, project managers and business analysts

According to Acunetix (a vendor of Web application scanning tools), 70% of the applications they reviewed contained high- or medium-ranked security vulnerabilities. Learn how to develop more secure applications using simple, repeatable steps. This introductory half-day session includes demonstrations of key attacks, step-by-step analysis of those attacks, and solid countermeasures that any development team can use in its Web environment.

Conference Mashups

I am out at the RSA Conference this week, and like every year, I am stunned by the number of product vendors selling "silver bullet" technology solutions to solve all of life's security problems. Seeing the make-up of the expo floor, you would think that you can just throw lots of technology at a problem in order to make it go away. Given that real solutions always incorporate people, process and technology, it always amazes me that most vendors pretty much ignore the first two.