When sh*t happens (and it always does), it’s a good idea to look back and figure out what went wrong. What decisions could you have made differently? How does your team prevent the same nasty issues from happening again? Sometimes, after the analysis, you’ll say “I did the best I could with the information I had … I see things differently now … but I can’t feel too bad … hindsight is 20/20.” And then you feel better because, even though you are responsible for fixing the issues, you weren’t “at fault.”
However, that old adage – and the dilution of accountability that comes with it – applies only if you could NOT reasonably have known better when things went wrong. When it comes to information security, if something bad happens to your organization (e.g. a data breach, or your website gets hacked), the odds are that you don’t get to say “hindsight is 20/20.” Instead, you probably need to take it on the chin. Why? If yours is like most organizations, you won’t take security seriously enough until after something yucky happens. If your systems get compromised by a basic intrusion, data manipulation, social engineering, or even plain negligence – you failed. You failed to appreciate the importance of good security practices and education for your team. Security requires investment. It’s necessary. It’s preventative.
The best advice we can give people is to perform due diligence, assess your company’s risk tolerance, make the investments, and cover your ass! I’m not saying that investing in security will immunize you from threats. I’m saying you should concentrate on foresight, not hindsight.