A large portion of security professionals think that their job is to prevent bad actors from gaining access to trusted resources. Yes, in isolation that is a true statement. But the implications of that position hide what is really supposed to happen. Instead, it is the job of infosec pros to ensure only appropriate actors can access trusted resources. One way this is accomplished is through what is called Security Chaos Engineering, which tests security resilience before some attack happens. It is an evolution of the pioneering work that was first done at Netflix many years ago. Now there are a number of similar products and related practitioners in this field. You can read my blog for RSA here where I describe this practice in detail.