Re: Why CISOs don't invest properly in Application Security
I absolutely agree with your assessment. I am an app guy in a security-related role and the two distinct groups speak and think about security in two entirely different ways. Unfortunately, from my perspective the network/sysadmin side of the house looks at dropping tool after tool in place to protect, but oftentimes this is done with a "plug-n-play" mentality. The tools aren't specifically configured for the environment. App security gets even more messy because many times there is no right or wrong answer. There's a lot of gray. App security is also still thought of as an afterthought. The dev team gets through testing and then wants a quick scan done prior to going live. The time for security assessment and remediation isn't baked into the process.
As an industry, the security thought process is still lagging behind the threats. While I would agree with your previous respondent that a CISO shouldn't be put in place strictly because they have an app background, it should definitely be a strong consideration for a well-rounded view. I didn't agree with the respondent's comparison. It was a little dramatic.