The Security Development Lifecycle : Oil Change or Culture Change?
Really interesting point here on the Microsoft SDL blog about executive buy-in being critical to getting focus on security. I think that it actually applies to pretty much all security spending.
The thing that came home to me reading this is. It's not that company executives don't want their organisations to be secure, I'm sure they do. It's that when it comes down to the detail of "where will I not spend money and effort so I can do this piece of security work" that the problems start.
It's a really difficult sell to say " well Mr CIO we suggest spending X on security which will mean that one (or more) of your other projects won't happen this year due to the resource cost of doing the security work" unless that CIO realises how important security is and also trusts the people who are giving him that message.
Using the example of implementing a SDL. It's not just the cost of the tools and consultancy to implement it, it's the developer time that's not writing new features or fixing customer bugs while they learn about SDL and get the appropriate training.
So how do you do this magic convincing act... not sure (probably why I'm not a CSO at the moment!) . With Microsoft it happened 'cause they had a very large number of high profile security problems which led their CEO to ensure that the improvements occurred. I'm not sure I've heard many other stories of companies that have really changed their attitude to security in the same way without that kind of problem, but I'd hate to think that incidents are the only way to get a good security stance!