Many of us grew up with one version of Cinderella or another. The stepchild that's horribly mistreated by the new parent is a scary story. In the Disney version, everything works out fine. However, if you read some of the original Grimm versions of the story (and there is more than one version), not every Cinderella gets the prince. I think, far too often, information security gets treated like Cinderella by IT departments.
We've all been on the project where the proof of concept gets released to production. How many of us are thinking about security while we're doing that first sprint? I sure don't. I'd be surprised if many of you did. Yet, if we get that MVP, minimum viable product, it can go straight to production. When someone calls out, "hey, we should secure this," the answer is usually "we'll get to it later." Like Cinderella and the prince's ball, later would never have arrived without the intervention of the fairy godmother. I think you'll agree with me, there are very few fairy godmothers running around fixing IT projects with their magic wand.
So what do we do? Well, I'd say you need to be your own fairy godmother. You're going to have to try (note, try) to push security on your projects. It's going to have to be you. Why you? Because you're the one who knows that you need the security. Sadly, there is no magic wand to make it happen. Instead, you're going to have to do the hard work. It won't be easy to convince the powers that be that the MVP still needs some work before it gets released. You'll have to convince people that, in addition to functionality, the security of the information is a fundamental part of what defines "minimum."