I watched with great interest the forum on cybersecurity that featured some of the leading thinkers on the subject. Jeff Moss was one of the speakers and what he had to say resonated strongly. You can read about Jeff Moss who is well known in hacker circles. I did not agree with everything he or others said, but there was one thing he emphasized that I believe was particularly relevant. I will paraphrase . . .
The key issue is that there is a lot of bad software code being written. The textbooks for college and otherwise has bad code. The concepts are correct, but the actual example code is not the code you want to actually write or use in living software. The discussion forums on the Internet in which people have questions about how to do a certain thing has bad code. Those who respond to those questions present the right context, concepts, and analogies but the code that is shared may not always be what you want to directly copy and paste into a program where the solution would apply.
Likewise, there are bugs that are 25+ years old and best practices that are 20 years old that few of us encounter or apply. When you learn how to code, you almost always learn functionality not risk management. All people who code, whether we are good at it or not, can understand functionality in a very deep and direct way. Risk management? It oftentimes conflicts with functionality and we are just not inclined towards developing with risk in mind. That seems to short-circuit our instinctive penchant for positive thinking in terms of achieving the goals that functionality delivers.
The real solution to cybersecurity is the fundamental shift in design of how we code and how we put together systems. Until that happens with greater regularity and as a tenet of perspective there will always be breaches. Do I understand security? Not like an expert, but I am more aware than I was and over time my understanding will grow. What Jeff Moss has articulated is that bad design creates security vulnerability. In other words, the thinking that has gone into the program and/or the hardware is the true source of the security breach. The thinking is the place to start.