Things that are true are often heard too much and we become “immune” to them. Other things are true but not heard often enough. This is especially true at Info Security conferences. My list (add yours, please):
| Heard too often | Not heard often enough |
| --- | --- |
| You need to have an information security policy | Control testing should never stop |
| You need to learn how to talk security to the “c-suite” | You and your staff are part of the workforce; what are your practices? |
| Awareness is the key; your technology can’t protect you from untrained workers | If everything is encrypted, then nothing is |
| Just signing that form when they’re hired doesn’t get them committed to your security program | People, by and large, want to do the right thing |
| Just clicking through the annual training doesn’t get them committed to your security program | Your commitment has to be to the security of the enterprise |
| XYZ company was PCI compliant when they were hacked | If you think a nation state is really targeting your enterprise, you need to make contacts with law enforcement |
| You have some things that aren’t subject to security regulations like PCI or HIPAA | |
I’m tempted to move “You have some things that aren’t subject to security regulations like PCI or HIPAA” to the other column. The more I look, the more it seems there are actually *not* that many people acknowledging that some data which needs protecting is not subject to regulation at all. More on this in my next post.