This post's title hardly needs any clarification, and I'll try to keep this post brief. As information security professionals, we generally play a defensive role. Very few of us are given the opportunity and the means to play the game as an attacker. Those of us who do generally enjoy it tremendously and learn a great deal from it.

Being a defender is hard; after all, as a defender you need to anticipate all possible attack vectors that an attacker might deploy against you.

An attacker, on the other hand, can take the time to do reconnaissance, scan our environment, and analyze his findings. Our defenses are visible before they are put in play, an attack is not. Then, based on the analysis, the attacker can focus his attack on what he identified to be the weakest spot in our defensive controls.

As a result, we need to strive to implement our controls (preventive, detective and corrective) as effectively as we can: we must execute with precision and excellence.

The same is true for incident response. Once an incident has been declared, we need to ensure that our containment and eradication efforts do not make the situation worse than it already is, and we need to do so quickly.

We again need to execute with precision and excellence.

If there ever is a place for perfectionists, it is in designing a defensive position.