I am so pleased to be working with people who are clued in enough that I can have conversations like this:

Me: John, I’m glad that we’ve finally got Board policy addressing data security and privacy, and we’re putting in place practices and training to address network security, wireless security, and so on, but—

Him: But Gary McGraw is right.

Me: Yes, exactly.

Here’s the thing. We have paid far too much attention to network security and not nearly enough to application security. That’s what Gary McGraw has been saying, and thankfully our security guy knows it. Software security is the new frontier. Or really, it’s been the frontier all along; we just haven’t acknowledged it.

So what do I do? I’m going to have a very busy summer, jump-starting our secure development process and trying to get policy to match what our process should be, so practice can flow from policy. This is nothing official to my job, it’s just something that I care a lot about and am going to do. It’s a start.