Everything we do is based on some expectation of a particular result. Do you know what is expected of you? Are expectations related to security, resiliency, and quality clearly articulated? When writing the story about secure software, expectations are critical, and clearly communicating them is just as critical. Security needs to be intertwined throughout the software development process with clear expectations and measurable goals. When a process includes security testing only at the end of development, right before production, or even after deployment, what’s the expectation? Do we honestly expect to be able to test ourselves secure? It hasn’t worked for over a decade, so we need to reevaluate what we are doing.