We’re in the midst of a massive sea change in software security. We started with shift left years ago. Today, we have to worry about provenance, infrastructure-as-code, the software our engineering teams are building to create their pipelines, and supply chain security, among other things. Our security programs have to shift everywhere with that code to provide good security. As everything becomes code, governance-as-code becomes more important, but it is maturing more slowly than many other aspects of “as-code” and automation. As technology moved from mainframes to web, mobile, embedded, and cloud, security maturity did not keep up. For example, guidance is lacking, and the tools market is fragmented. EO 14028 and its downstream guidance are driving a lot of change today, but without specific guidance, much of that change is just an opportunity to make the same software mistakes again. Let’s take a people, process, and technology view of some upcoming challenges for security executives.