More often than not, the information security industry tends to focus on the negative. It’s hard not to. If we’re not pointing out our numerous breaches and outdated systems, it’s about how we’re getting owned by month-old vulnerabilities rather than that flashy zero-day or advanced persistent threat.
And while it might sound like the noble and “right” thing to do when we apologise, say that we can do better, and accept that we made stupid, avoidable mistakes, I think a lot of information security professionals are quite often simply too hard on themselves and on their colleagues. Why? Because when security is done right, you rarely ever hear about it.