Improving Application Security After An Incident

Presented at OWASP Appsec 2009 by

When an enterprise suffers an application security incident, a whirlwind of activity takes place to triage the immediate problem. Application and security teams work side by side to identify the damage, implement a quick fix to prevent further losses, and perform a root-cause analysis to determine why the vulnerability existed in the first place. Savvy information security teams can leverage the root-cause analysis as a catalyst to enhance the assessment of applications and improve an inconsistent and underdeveloped application security program. However, more often than not, these fledgling improvements get crushed under the inertia of the organization. It can be difficult to shift people's attention from the "quick fix" to "fix the root cause" once the initial damage has been mitigated. The complexities of implementing an application security program can frustrate even experienced practitioners, and the difficulty of establishing a business case can cause initiatives to stall out, given the large costs that many of them carry. I will share some experiences, strategies, and approaches to overcome these challenges and introduce sustainable and measurable improvements into your application security program after an incident has occurred.