Obstacles to Building a Successful Security Program [part 1] - Following the White Rabbit Blog
Obstacles to Building a Successful Security Program [part 1]

Since February, I've been traveling and meeting with IT Security leaders, CISOs, Program Managers and other folks in charge of application security for their business and a few themes have recurred. I'm fascinated by the differing scenarios and situations that security leaders are placed in but it's even more interesting to know that many of you are in the same boat.

It's clearly *not* that security leaders don't want to build well-integrated, holistic application security programs; that much is certain. The problem is that no one these security leaders report to *cares*. It's just baffling how many of you are faced with a compliance exercise, a client requirement, or some internal need for "proof that application security is done" but have so little power to actually do anything more than the bare minimum.

I guess it's telling of the times we live in, and perhaps also indicative of the state of the world economy, when we are asked to forgo the "strategic" and chase the "tactical" solutions. None of you will argue that the tactical solutions [one-time code reviews, single point-solution tools, etc.] are a good idea, but this is what you're required to execute on before moving on to the next fire-drill item. It's enough to drive a person mad.

Well... I know of at least a few of you [and hats off to you, you know who you are] who are finding ways of making the long-term, strategic and holistic programs work in your business. It clearly takes some creativity and guts - but you're doing it. Over the course of the coming days, I'm going to document some of your endeavors, the struggles, the failures and the successes - names will be left out to protect the innocent, of course. Now would be a good time to pay attention, folks... there are some real lessons to be learned here, and maybe you can take something back to your business or career and build off these stories. Until next time...


Posted 09-04-2008 3:04 AM by RafalLos

Comments

Rodrigo Salvalagio wrote re: Obstacles to Building a Successful Security Program [part 1]
on 09-05-2008 3:08 PM

It's very hard for a security leader to make a vulnerability assessment procedure part of a development life cycle. I've seen this a lot: security professionals and their tests are barriers that should be circumvented... And very often we argue to be a part of the test and quality assurance procedure.
