Did everyone join hands and sing Kumbaya after the speech?
Five of the speakers at the original Black Hat conference in 1997 have been reunited at this year's session to discuss the next 15 years of security, and all agree that people are the key investment area, not gadgets. "The best return is on your employees," said Black Hat founder Jeff Moss. "I rely on people, not on a widget. …
So the security guy says you need a security guy. Just like a lawyer says you need a lawyer and a plumber says you need a plumber.
Schneier still kicks ass though.
Businesses would rather save thousands (if not millions) by not having the appropriate staff and gambling on security. After all, most people have a short memory and will forget you lost their data in a short time.
Businesses also spend millions on security widgets - the point being made was that if you have to choose one or the other, choose people who know how to work with the abundant variety of open source tools available, and don't pretend that some overpriced and overhyped "Jesus-IDS" is going to solve all your security problems.
I don't think this is really a controversial assertion unless one happens to sell Jesus-widgets, or just broke the bank buying one.
What they said was simple, straightforward, easy to understand, and above all practical... Therefore nobody will take any notice.
... the kickbacks and freebies from widget-sellers are so pretty. Plus people don't tend to have a glossy brochure. No, I can't see PHBs going for it.
Nail + Head!
It doesn't matter how much you tell a PHB that investing in people is a good idea; unless there is a brochure and something quick to show for return, they aren't interested. It's all about perception with a PHB, and they are the ones with the purse strings. There will be 0 PHBs paying attention to Black Hats using open source code, only paid consultants.
Goes hand in hand with: taking 10 mins to fix a bug makes you look incompetent, while taking 3 days and making a lot of noise makes you the hero of the day.