Building Bridges - Forcing Hackers and Business to Hug it Out

BSidesLV 2010

Presented by: Andrew Hay, Chris Nickerson
Date: Wednesday July 28, 2010
Time: 13:00 - 14:00
Location: Track 2
Track: AFK

Hackers and business decision makers rarely see eye-to-eye. There has historically been a great chasm separating the views of business decision makers who pay the bills and the in-the-trenches security practitioners who perform the work. This epic battle has taken a toll on the security of many environments as businesses focus on operations and "hackers" focus on the symptomatic issues directly in front of them. This talk serves to open the dialogue between both groups in an attempt to find some common ground and understanding. Beginning with raising the "hackers'" awareness of business concerns and how business guides the path to security, we hope to bring a fresh perspective on how to position their concerns. This alone may build a bridge and allow them to receive the support they have always craved. After we address this daunting task, we will turn the light to the business aspect. In this section, we will give the business professionals a unique view into the mind of a security professional. Yes, the ones who throw a fit because a screenshot of some black and green screen with text on it is "bad". We will give you a behind-the-scenes connection explaining why they are reacting the way they are and how having that emotion is a massive benefit to the business (and not just a cost). At the end of the day, the business and the hacker have the same goals; we all want to secure the business. We may have different drivers and motivators, but a common goal exists. We will extend the olive branch to both sides and hope that this talk will inspire others to do the same.

Andrew Hay

Andrew Hay is a Senior Security Analyst with The 451 Group's Enterprise Security Practice. He is a veteran information security practitioner with more than 10 years of experience related to endpoint security, log management, vulnerability assessment, penetration testing, forensics, incident response and enterprise security information management (ESIM). Andrew has authored three books on network security topics, and in 2008 was honored with the title of 'Security Thought Leader' by the SANS Institute. He is a frequent speaker at security conferences and a frequent guest on many industry podcasts and webinars. Andrew maintains a topical security blog at www.andrewhay.ca and can be engaged on Twitter via http://twitter.com/andrewsmhay.

Chris Nickerson

Chris Nickerson is a Certified Information Systems Security Professional (CISSP) whose main area of expertise is focused on Red Team Testing and Social Engineering. In order to help companies better defend and protect their critical data and key information systems, he has created a blended methodology to assess, implement, and manage information security realistically and effectively. At Lares, Chris leads a team of security consultants who conduct Security Risk Assessments, Penetration Testing, Application Testing, Social Engineering, Red Team Testing and regulatory compliance testing. Prior to starting Lares, Chris worked on the IRM team at KPMG, was Chief Security Architect at Sprint Corporate Security, and was Sr Net Eng at SHB. Chris is a member of OWASP and ISACA Denver and is also a featured member of TruTV's Tiger Team. Oh yeah... and he is a liability from Exoticliability.com.
