Security is often treated as a necessary evil: something that is required but not important. As a result, many organizations take a check-box approach to security: if they have done the bare minimum asked for in the audit, have the tool, have written the process, and educate users once a year, then security is on autopilot. If an organization appears to be doing everything correctly, how can we discern immature security programs from mature ones? What do their leadership and strategy look like? How do they handle breaches and post-incident response? Coming from an offensive operator, this talk will touch on the foundations of establishing an effective security program in a large enterprise, examine the differences in maturity levels, and analyze their resilience to cyberattacks in real-world situations.