A few years back, I knew a guy who had a mole on his forehead, which started to grow and change shape. As a survivor of melanoma, I know this is not a good thing.
Some friends and I urged him to go to the doctor to have it looked at, but he refused. “I don’t want to go to the doctor – it might be cancer.”
Sounds ridiculous, doesn’t it? But that argument is similar to what I hear from information security professionals all the time.
They don’t want to confirm the issues they already know they have (through vulnerability scans, pen tests, security assessments, configuration audits, etc.) because they know it will likely turn up a list of things they don’t want to deal with.