The current issue of IEEE Security & Privacy features an article titled Becoming a Security Expert.

In it, the authors (Michael Howard, Microsoft) ponders about the question: "How do you try to learn security?"

Before the author starts answering question, he observes:
"At Microsoft, we hire thousands of engineers each year--some straight from school, others from academia, government, and industry--and the percentage of people who understand how to build secure systems is miserably slim."
Next, the lessons learned:
No single "magic tool" will make you secure. The point that Michael makes is that it takes a holistic approach that includes education, secure design, updated development toolsets, good testing techniques, and security responses. Of course, this is used to plug the Microsoft Security Development Lifecycle (MS SDL), but that was to be expected.
Stay ahead of the attackers. Another obvious one, and yet another plug for Microsoft.
It's asymmetric The old adagio: Defenders must defend all points, attackers can choose the weakest one; etc.
The article goes on to cover more (valid) observations, but I do not think it covers its title. It is not a "guide" to becoming a security expert, rather than an overview of good practices and known problems. Yet, when ignoring the Microsoft-bias, it is really not a bad article at all.
In any case, it is good to see (again) that Microsoft is indeed intending to include security aspects in the development life cycle. How well they succeeded is something that we'll see when (if?) Vista spreads more.
Reference: Becoming A Security Expert, Michael Howard. IEEE Security and Privacy, vol 6, number 1 (Jan/Feb 2008) pp 71-73