The awesome Spaf recently reminded everyone (excluding people who work for one of the few very awesome companies that actually have a grip on their infosec) that no-one on the "defence" side cares about security enough to seriously change the situation.
Step one in the yet-to-be-written 12-step program: admit that the "defence" side is not doing well (be honest with yourself):
Breaking things is thought to be sexier.
"User awareness" does not work.
Blinkenlights on product consoles give no reassurance beyond the psychological, or theatrical, level.
Companies that thought their security programs were running well find their source code dumped by attackers on a random web server, where it has been sitting for who knows how long.
Governments care mainly about breaking into computers (their own citizens' or otherwise) and backdooring crypto standards and implementations.
What's more, there is no "higher power" (see the original 12 steps) to appeal to. It's up to humble engineers who quietly do awesome stuff. I'll be posting about how others deal with their infosec challenges. No fluffy stuff, and probably no mention of "risk management," but you're welcome to convince me it works :)
What's even better, there will be drinkups! Because:
Rules–particularly the dogmatic variety–are most useful for those who aren’t confident enough to make their own damn decisions.
For the rest of us, there’s vodka–so we can cope with the decisions we were foolishly wise enough to make.
So help us, Grey Goose.