The current state of defensive InfoSec in nearly every organization remains: to be determined. That this is the state after after a full decade of false-innovation and industry-standard stagnation is hardly surprising, but still damn depressing. There IS a solution – but it will require that you leave your preconceptions at the door and get ready to violate the most cherished beliefs of the industry. **Availability of CPE hours for this talk remains to be determined.