WHY SHOULD WE CARE ABOUT UNDERSTANDING ADVERSARIES?

The simplest answer: because exploring the attacker’s perspective helps to identify and qualify the nature of risk, whether digital, physical or human. It is a simple idea (in theory) that has been around for a long time:

One who knows the enemy and knows himself will not be endangered in a hundred engagements. One who does not know the enemy but knows himself will sometimes be victorious, sometimes meet with defeat. One who knows neither the enemy nor himself will invariably be defeated in every engagement.
— Sun Tzu

So, essentially, if you rely only on a good defense you might be somewhat protected against the more common attacks, which will most likely be mere probes. However, if you have a good defense and proactively try to understand and simulate your adversaries, you will be able to build a stronger and more resilient defense. Resilient is the key word.

The first thing that becomes clear, once you begin adding a more adversarial and proactive approach to your security planning, is that a good and capable defense can only be established once you know how it will be attacked. In other words, rely only on the industry standards, or on the checklists of certifications, and you’ll be able to cover some basics; actively test those standards and checklists and you’ll be able to identify what actually works, and what needs to be strengthened. Again, look at Sun Tzu’s quote.

Remember a simple fact: the attacker ALWAYS has the advantage, because he needs to succeed only ONCE. The defender? Well, he needs to succeed ALL the time. Add to this the fact that attackers don’t play by any rules (or company policies), are free to experiment with attack techniques that the defenders aren’t even aware of, and will exploit anything in their path… You get the picture.

Factor offensive security into planning. Bring in a good team of attackers to test your security. Let them become your worst adversary. Let them show you how to be more secure.

(Note: A version of this article first appeared on the Red Teams Blog in January 2016)