The first step in taking security seriously is to get into the security mindset.
What does that mean?
That means security has to be the concern of everyone, all the time. It can’t be just one person, the development team, or even the whole IT department. Everyone in your organization has to be smart about security and equally responsible for it.
Your security is only as strong as its weakest link, and any one person could be that weakest link.
If a development team spends months on security issues and one person from another department has their password stuck to their monitor on a sticky note, then how secure are you?
Not everyone will have the same security mindset. Developers and IT staff will usually be more knowledgeable about security than average users. However, “average users” still have to be mindful of security, which may require a plan to educate them.
The top decision makers of a company, or the stakeholders, also need to have the security mindset, because it is ultimately their investment that ensures good security for applications. They also need to understand the security impact of the high-level choices they make. And if someone raises a security concern, management needs to take it seriously.
Another important aspect of having the security mindset is regular review. You would want to review all hardware and software in use. If you write your own code, then you should review both the code that is in use and the code that is in development. It is much easier to deal with security issues in the early stages of the software development life cycle than in the last stages.
Also, it is not enough to educate people on security only once. You need to educate them and then periodically re-educate them.
Also, it is important to have good developers and even better development practices. Developers have to keep upgrading their security skills. If their knowledge is weak in one area, then that area could be the weakest link in your security. Better programmers write more secure programs. So, hire good people and educate them often.