The report adds: "The definition of a successful defense has to change from 'keeping attacks out' to 'sometimes attackers are going to get in; detect them as early as possible and minimize the damage.' Assume your organization might already be compromised and go from there."
Address : <http://www.networkworld.com/news/2011/080811-apt.html>

Why? It’s simple - most of the security professionals are tired of being hamstrung by C-level executives and frustrated that their employers are content to be only as secure as the auditor says they have to be. Who in the industry hasn’t heard senior management go so far as to say they’d be willing to take the “hits” from fines than pour dollars into compliance mandates whose utility is questionable? The mindlessness of using regulatory compliance  as a information security ceiling hurts both the ego and sense of professional responsibility of practitioners. One might even go so far as to posit that some could choose to go the Anonymous route as a way to take matters into their own hands.
Address : <https://threatpost.com/en_us/blogs/opinion-are-anonymous-members-forged-crucible-it-compliance-080611>

Indeed the whole "Shady Rat" fiasco reeks of companies relying on under-qualified, incompetent and uneducated security professionals, policies, oversight and management. There is no "but..." - it is what it is: "under-qualified, incompetent, uneducated" *people* - not technology - that are to blame. However, as Sophocles once said "What people believe prevails over the truth."
Address : <https://www.infosecisland.com/blogview/15658-That-Shady-Rat-Was-Only-a-Security-Peer.html>