Monday, June 25, 2007

Support for security: Where's it missing? At the top.

A post by Dave Ladd on the Microsoft Security Development Lifecycle blog discusses the difference between working on security and privacy initiatives and actually working on security and privacy. One key tidbit:

More often than not, when talking to our customers an interesting social phenomenon is presented – as I talk with technical employees (developers, project managers, testers and the like) the desire to implement secure development practices extends all the way up the technical food chain, including the CSO – then it stops…cold.

I haven't done any empirical study of this behavior, nor do I plan to – however, in the process of conducting my informal probes for causality, more often than not I find that it hinges on two points:

1. lack of understanding at the CxO level about how security, privacy and reliability are contributors to corporate risk, and;
2. discomfort with the notion of redirecting resources to trustworthiness in the short term, in exchange for longer term gains in product quality and customer satisfaction.

And an illustrative analogy:
A final note to help illustrate my point – for those of you that are old enough to remember, there was an old TV commercial for Fram Oil Filters that showed a mechanic working on the teardown of some old beater. At the end of the commercial, the mechanic turns to the camera and says, "You can pay me now, or you can pay me later..."
