security

1. you can't secure something if you don't understand how it works (to a reasonable degree)
2. people like setting rules not following them
3. people like rules for others but not for themselves
4. securing infra is more difficult if it's not been deployed in a 'reasonably safe' state to start with
5. securing something in use is much harder than doing it in a lab
6. data is like oil, it gets everywhere
7. most security is about good organisation, most people don't like admin work so they tend to not like being organised
8. you can't control everything, you have to understand that 100% security isn't a real thing
9. monitoring costs money and hopefully you never really need to use it
10. if someone is doing response they need authority to take action otherwise you are just watching a car crash and saying: oh dear