
Latest Blog Posts

Sorry to say "I told you so"

A couple of days ago, the...
16:18 01-08-2009

Internet Implosion Any Time Now? (a rant)

Two days ago a vulnerability was...
09:31 30-07-2009

Mines of misinformation

Since yesterday reports have been circulating...
18:19 23-06-2009

Digital Britain skims over security

I have just ploughed through the...
16:53 18-06-2009

Why the bad guys are winning

I noted the news yesterday that...
18:33 19-05-2009

World class forensics training lab opens in Luton

Yesterday evening I attended the official...
19:52 07-05-2009

Here at Earls Court for the game today

Well, here we are again for...
13:33 29-04-2009

SME attitudes to infosec - an interview with David Stockdale

As a long-time security consultant to...
16:29 07-04-2009

The Turing Bombe

At Bletchley Park today the team...
19:29 24-03-2009

The State of the Database State

“Database State”, a report released today...
15:15 23-03-2009


Mike Barwise
Integrated InfoSec
MD

I'm the founder and Managing Director of Integrated InfoSec, a consultancy dedicated to building information security into business processes and online services from the ground up.

I've been involved in IT engineering for almost 30 years, and in that time I have seen huge advances in miniaturisation, speed and capacity, but little advance in strategic thinking on robustness and security despite a massive increase in exposure. Although at first sight threats appear to be getting more and more sophisticated, I see the same basic mistakes being made time and time again. For example, the overwhelming majority of software vulnerabilities result from a mere half dozen basic, decades-old programming errors. And coding flaws are by no means the sole source of insecurity. The need for robust business logic is generally overlooked, leading to fragile processes that can be abused.

Web application development, particularly for SMEs, is frequently conducted on the fly without a detailed up-front specification, and look and feel usually take precedence over security (and indeed sometimes over functionality and performance) in the thinking of both developers and clients. Highly abstracted development environments and huge volumes of vendor-supplied library code are trusted implicitly by developers, and little if any thinking outside the box takes place - leading to a development process more akin to assembling an MFI wardrobe than to real engineering.

Many web application developers still seem to assume that if you use SSL and have a robust login, the system is secure - the "hard shell with a soft centre" approach. But unless security is layered like the skins of an onion, it will be subject to single points of failure. And unless security is built into projects from the ground up at the design stage, it will always remain an afterthought - a sticking plaster that conceals ill-understood hazards instead of minimising business risk.

We need security by design instead of accepting the endless round of breaches, bugs and patches. But that means customers must be helped to define their business risks, these risks need to be translated into technical terms, and security specifications must be provided to application developers in terms they can understand and implement. That's the service Integrated InfoSec delivers.

© 2009 Reed Exhibitions

Infosecurity Adviser is produced by Reed Exhibitions with thanks to Tangent Labs