My interview with ISC2 on how secure programming and security testing are not always preemptive fault-management methods.