How many times have we heard the following pieces of wisdom from CISOs or other security talking heads? Be strategic, not tactical. Build security in - forget about break-fix.
Like a siren song, these words have caused a great many professionals to crash upon the rocks, and the strategy-first camp is simply doing a disservice to your users. Maybe that is why the average CISO only lasts a couple of years.In our talk, we're going to tackle this conventional wisdom in the name of Getting Shit Done and propose a new path: The Tactical Security Program. We've established a lightweight, heavy hitting team thats performed over 400 assessments, handled over 900 bugs, and established a private bug bounty program all in one year, and we'd like to share some of our practices. If you are managing a program, you will come out of our talk with some actionable advice. If you are a worker bee, we will teach you how to subvert the system from within.And while we're at it, we will tell you why following some of the newer trends of security wisdom, including embracing public bug bounty programs, is also a bad idea. Yeah, we said it.