The red boxes correspond to the project phases were we spend most of our InfoSec dollars today. Do you see the problem with this? We are trying to solve the problem at the most expensive time in the project.

Here is where we should be solving security problems whenever possible: at the beginning. This may seem obvious, but our actions as an industry do not reflect that we have learned this lesson.

This graph represents the classic study conducted by IBM to determine the cost of a bug.
The short version: it gets exponentially more expensive the longer it takes to find it.