There are two huge problems: Software development and network awareness. The software development aspect is pretty straightforward. Very few people know how to write good code and even fewer know how to write secure code. Network awareness is more subtle. All through the 1990s until today, organizations were building massive networks and many of them have no idea whatsoever what’s actually out there, which systems are crucial, which systems hold sensitive data, etc. The 1990s were this period of irrational exuberance from a security standpoint – I think we are going to be paying the price for that, for a long time indeed. Not knowing what’s on your network is going to continue to be the biggest problem for most security practitioners.