Are you a mathematician or a priest?
What I mean: I'm always amazed by the lack of real data brought to bear in computer security and how people push agendas that have little basis in fact. It can leave an old computer security pro like me disillusioned.
We're told that buying the latest and greatest security product will be the answer to all our prayers. We buy it and implement it -- yet it doesn't stop the bad guys from breaking in.
If you want to become a better computer security practitioner, use your own data to make better decisions. It's there for the taking.
I'm surprised at how many companies don't understand how they've been compromised. You can talk to almost any company's computer security employees and ask, "What is the No. 1 way your company is most exploited?" but rarely will you get the right answer. The CIO or CSO won't know. And if the very people in charge of your defense don't understand how to rank threats by risk level, how can they fight them effectively?
Instead, you usually have one or more influential employees (and their preferred vendors) pushing solutions that sound great, but rarely address big problems head-on. When I confront computer security employees with what's really wrong and how to fight it better, I'm often surprised how many leave the meeting hearing something else.