Both sides of the coin
Security is hard. Today this is even more so. In order to have a good security program you need to move past the defense-only mindset and begin to think differently. There are two sides to security, and both are needed in order to have a successful, resilient program.
In order to defend your assets, you need to fist understand what your assets are, and how they can be exploited. The more you understand your environment (physical, digital, cultural and social), the better you'll be able to understand your priorities and focus when setting up your defenses. On the other side, you also need to understand who will attack you, who will try to get to those assets, and how. Understanding who the adversaries are, and how they will mount an attack, will provide a good look into how your defenses are set up. Understanding the attackers will bring you clarity about your own team, your own policies, and best practices. It will force positive change.
Fail to do either of these things - understand your environment and understand your attackers - and security will fail. Maybe some of the attacks will be avoided, but a well organized, focused and determined attacker will always find a way. You have to be ready for that. You have to stress-inoculate yourself, the team and the organization in general.
Always look at both sides of the coin.