• Much of the Internet still runs on insecure infrastructure. A lot of sensitive emails still go out entirely in plaintext. Our secure Web communications are fundamentally flawed, and it's not because of cryptography.
• The economics of security often don't favor better security. Companies often find it cheaper to fix security problems only as they're reported, instead of designing security in at the start. Similarly, many companies in regulated industries struggle with the cost burden of IT security compliance.
• Most security incidents still involve people shooting themselves in the foot. People are bad judges of risk when it comes to computer security and tend to engage in risky behavior, even when they've been well educated. If those Nigerian scams and phishing attacks didn't work some of the time, the bad guys wouldn't keep doing them.
• Everyone else keeps innovating, and security needs to keep up. Since this magazine launched, social media has taken off, and the computer applications world (and even the security applications world) has been marching to the cloud, despite the possible security risks. More of our critical infrastructure is online.