Breaking the Silence: Why Infosec Leaders Should Talk About Failure

2025-06-18

It’s hard to admit it, but the public sector runs on silence when it comes to security failures. Everyone understands the risks—public reputation, regulatory scrutiny, and a sometimes-punitive internal culture. So when something breaks, the instinct is often to keep quiet, fix what’s visible, and move on, hoping no one asks too many questions. But here’s the harsh reality: Staying silent about mistakes sets agencies up to repeat them.

Singapore’s infosec landscape is no different. Agencies field thousands of incidents every month, most minor, some near-catastrophic. Yet very few ever get talked about openly, even in closed forums. The result? Lessons are learned in isolation, and the same traps catch new teams again—an orphaned password, a misconfigured firewall, the legacy server nobody realized was still live. Talented people fix the immediate problem, but the root causes stay buried.

This culture hurts more than it protects. The best leaders—those gunning for CISO roles and serious transformation—get traction not by hiding risk, but by surfacing it. Not every incident needs an all-hands disclosure, but agencies thrive when failures are analyzed in a way that encourages honest debate and collective improvement. Far too many post-mortems focus on technical remediation, missing the key questions: Why did it happen? Would anyone feel safe speaking up next time?

The fix is simple, but rarely easy. Infosec leaders should normalize honest retrospectives in a way that doesn’t make scapegoats of staff or embarrass project teams. Sharing sanitized stories—what failed, how it was caught, and what really changed as a result—strengthens culture and attracts the kind of talent that wants to drive real improvement. It’s how you build resilience, not just compliance, in the face of evolving threats.

Aspiring CISOs should lead with candor, not just credentials. In a field where silence often feels safer than transparency, those willing to break it set a new standard for trust, effectiveness, and lasting security transformation. The old way—a closed loop of mistakes—might feel safer for now, but it’s only through loud, honest reflection that agencies grow truly strong.