I'll go with the obvious. If you don't believe in what you say, nobody else will. Do the work, prepare, read opposing arguments to your theories, change your opinions if needed, build knowledge... Do whatever you have to, but start by believing in what you say. Start backing up with actions, even small ones. Walk the talk, do it consistently. Be curious. You also need context about the company, the people, the processes, the assets, the competition, the legal environment, the finances... That's where business skills can be useful. Then, the most important thing is to make it actionable. Have solutions, not just complaints. It requires to be able to design a strategy which means at a minimum performing a diagnostic, defining guiding policies and taking coherent actions. If you just have ideas, people can dismiss them or say yes to everything to get rid of you, when you have a plan that's when things get real because they commit to something (in writing ;) ). Then when you have this action plan you should communicate it. That requires human interaction, which means whatever your picks are in a long list of specialties (psychiatry, psychology, criminology, communication, sociology...). Of course, yo have to also follow up, keep things organized, track results. So I guess project management skills. The last thing, is that you should manage your expectations. I'd be surprised if you manage to do everything on the first try.

Most people going into Security have either : a higher education diploma, or real work experience. That means they don't start on a bank page, we can't (or at least we shouldn't have to) treat them as toddlers. They should be able to apply basic reasoning skills. Particularly one of the standard principles is that security is always evolving and that your job is to stay one step ahead of the attacker. If that is really true, how can you say that the domain evolves, but that the practices associated to i t should not change ? If you have this mindset you should always strive to find things to improve. I've never seen anybody in IT applying a tutorial, see that it obviously failed, and assume that because he applied the tutorial properly he did everything he could. In that situation people immediately go into diagnostic mode and try to fix things, adapt the tutorial, check the versions, check access rights, read logs... I believe that for security we should do the same. It's more difficult because the feedback is not as clear and immediate but I still think it's possible. (which should immediately bring the question in everybody's head : if we need feedback to learn quickly, how can we improve the way we get feedback on our actions in security to make easy and fast learning a reality ?). So to answer your question, it stops being acceptable to claim ignorance when you know something doesn't work (or that you made a mistake) and you don't even TRY to fix it. At that point it's called laziness or resignation/surrender. I am not saying you can always fix it, but you should at least think about it to determine whether or not it is fixable and what it would take to fix it. That reminds me of a very common saying : trick/fool me once...