Schuyler will talk a little bit about the need for information security professionals to take a step back and observe the big picture within their organization. When choosing to implement product X or hire pro services to do job Y, consider what goal you are trying to accomplish (get away from the checkbox approach). Consider the overall security posture of your organization and strategically choose the items that will have a small impact on the business and end users but a large impact on the overall security posture. In addition, the talk will cover some quick technical wins infosec professionals can consider. For example, consider a URL filtering solution that performs URL filtering on all outbound ports and services (not just web browsing). On this solution, consider blocking or controlling access to often overlooked categories like Questionable, Unknown, and DynDNS. On egress filtering (well, first... do egress filtering), restrict outbound DNS/NTP traffic by destination. Use Group Policy (GP) to block execution from TEMP dirs. EMET, etc.
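
One way to check the "restrict outbound DNS/NTP by destination" item against what the firewall actually permits, as an added example that is not part of the talk or the speaker's material. The log format, the approved resolver and NTP addresses, and the 10.0.0.0/8 internal range are assumptions, and the sample flows are constructed.

```python
import ipaddress

# Assumed policy (constructed): the only destinations that may receive
# outbound DNS and NTP from the internal network.
ALLOWED = {
    "dns": {"192.0.2.53", "192.0.2.54"},
    "ntp": {"192.0.2.123"},
}
SERVICES = {("udp", 53): "dns", ("tcp", 53): "dns", ("udp", 123): "ntp"}
INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed internal range

# Constructed sample flow records: src dst proto dport action
SAMPLE_FLOWS = """\
10.1.4.20 192.0.2.53 udp 53 allow
10.1.4.21 198.51.100.7 udp 53 allow
10.1.9.5 192.0.2.123 udp 123 allow
10.1.9.6 203.0.113.40 udp 123 allow
10.1.4.22 198.51.100.7 tcp 53 deny
10.1.4.23 203.0.113.80 tcp 443 allow
bad line
"""

def audit_egress(text):
    """Return (violations, malformed_line_numbers) for outbound DNS/NTP flows."""
    violations, malformed = [], []
    for n, line in enumerate(text.splitlines(), 1):
        try:
            src, dst, proto, dport, action = line.split()
            src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
            service = SERVICES.get((proto.lower(), int(dport)))
        except ValueError:
            malformed.append(n)  # wrong field count, bad IP or bad port
            continue
        # Only internal -> external flows for the two services matter here.
        if service is None or src_ip not in INTERNAL or dst_ip in INTERNAL:
            continue
        # A permitted flow to an unapproved destination is a gap in the rule set.
        if action == "allow" and str(dst_ip) not in ALLOWED[service]:
            violations.append((src, str(dst_ip), service))
    return violations, malformed

if __name__ == "__main__":
    found, bad = audit_egress(SAMPLE_FLOWS)
    for src, dst, service in found:
        print(f"{service.upper()} egress outside policy: {src} -> {dst}")
    print(f"unparseable lines: {bad}")
```

Denied flows to unapproved destinations are skipped on purpose: they show the rule working, and the permitted ones are what needs fixing.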