Despite state-of-the-art technologies and enhanced organizational policies, the security of corporate data is not a guarantee. The possibility of the failure of security, however, is. Given the certainty of failure, it is surprising that information security curricula do not include post-incident reviews to gather the lessons learned from failure and to better prepare students to enter the workforce ready to plan for and manage security incidents.This paper proposes that undergraduate and graduate courses in information security include the topic of failure, and address the performance of a post-incident (post-mortem) review as a best practice.