As you mentioned, our goal was to tell a story that would resonate with business people and the general public and to help open a dialogue between the infosec experts and those who rely upon their expertise. We were indeed careful to avoid a prescriptive answer that might have been perceived as shameless self-promotion for Fortify. If we had included a call to action it would be the same one I recommend when I talk to CIOs and CISOs about this problem:

1. Understand that the serious threats are making their way through your perimeter defenses (I am still amazed how few business executives really understand this).

2. Make sure your InfoSec and IT development teams are working closely together and have them collaborate on risk and threat profiles for all of your critical business assets (customer data, intellectual property, business processes). Be sure that they consider vectors beyond network and host access – Software, Outsourcers, Business Partners, Employees, etc.

3. Put in place a security process that engineers security into the critical IT systems as you build and integrate them, testing for vulnerabilities at every step in the lifecycle.

Of course that can be done with or without Fortify’s products, but of course I can’t imagine anyone going without

Let’s keep the dialog going. Hopefully, the film will inspire others to pick up where we started and tell the deeper story of how the underbelly of cybercrime works. In fact, Fred and I are considering a trip to Russia and gathering material for a sequel ourselves…