
Multi-Vector Attacks

7 July 2009

Seth Peter, NetSPI's CTO, participated in a webinar on Preventing Multi-Vector Attacks with Eric Schultze of Shavlik. When two very technical security CTOs get together there is a legitimate concern that things will become unmanageably technical, but it actually turned out to be a great event. It was conversational and did a very good job of highlighting the concerns involved in dealing with sophisticated, multi-stage attacks.

With that said, it might not be the sort of content you will want to ask every CFO or CEO to sit through (unless they have an unusually robust interest in these things), but it is a very good overview of why a technical security assessment needs multiple tools as well as manual expertise. This can be a difficult point to explain to non-technical executives when compliance mandates do not specifically require more than one vulnerability assessment tool (for example), and the cheap and easy route is to meet the 'bare minimum' compliance requirements.

As you can probably tell if you have been here before, I understand the pressure involved in becoming PCI compliant (and maintaining that compliance), and I know the cost involved in that effort. At the end of the day, though, compliance should be a subset of your broader security strategy. The goal is to avoid a security incident, and NetSPI has seen far too many serious vulnerabilities in environments that were considered 'clean' when assessed with a single 'push-button' scan.


Take a look at the webinar and the NetSPI whitepaper ('Fighting Multi-Vector Attacks') when you get a chance. It may be useful material when explaining to a non-techie why you need more than one solution that 'does the same thing.'