Wednesday, 7 September 2016

Why Your Security Program Fails #1

You have a security group. They are passionate, trained, and competent. But security is still weak based on customer audits. Why?

Reason Number 1:

Your organization only performs security audits late in the quality cycle. Development neither engages with nor listens to your security team, for a variety of reasons:

  1. A culture of coddling developers so that they feel elite; they therefore believe they know it all and do not need outside expertise.
  2. Your security team sits in a quality group, and is therefore sneered at in North America.
  3. Your Agile process has been broken to the point where it means anything to anyone at any given time, so security is simply missed as part of the Agile cycle.
  4. Your hipster/hideous beard crowd is breaking things at the speed of Google, because that's how code is made today.
Because of this, any security issue found may require a serious redesign. ("Really?! Why can't our MongoDB cluster be exposed on the public internet?") Unless, of course, product managers can sweep it under some other rug.

Blame marketing. That normally works.