Finding flaws is much easier than fixing flaws. That's a fact. Happy to debate it. If this were not the case, we might just have this security thing all wrapped up. There are hundreds of tools that are reasonably successful at telling us what we are doing wrong (think compliance and vulnerability scanners). However, the solutions to these problems are not always as straightforward as they might seem. Sure, our tools and penetration testers will give us a proposed or recommended solution, and I am sure those solutions work for someone, somewhere, but often they don't work for us. If only it were as simple as "patch this software", "update that library", or "fix that code". As defenders we live in a world of ambiguity and complexity. While attackers only need to find one, or in some cases a few, flaws to have impact, we need to fix or be prepared to respond to all flaws, even the unknown or unidentified ones. This is no easy feat. It requires careful analysis and planning. We can't be afraid to collect data and to scrutinize, critique, and refine our approach. Iteration and continuous improvement are key. Root-cause analysis and honesty about what we can and cannot accomplish are essential. However, this alone will not lead to success. We need to be great communicators as well.
In order to communicate effectively, we need data, but many of our stakeholders either don't care about the data or don't understand it, which can prevent us from getting the help we need. What resonates with our stakeholders? How do we get our data to tell a story, or craft a business case that does resonate, so that they listen? Don't get me wrong, some of our stakeholders love the data, and for those stakeholders we will be eternally grateful. But what about the others?