Security teams and leaders know the value of regular external and internal testing of their organization's technical controls, but what about the rest of the security program? Subjects like IT security management, threat modeling, incident response and security architecture improvement are rarely addressed by a penetration test, and compliance-driven audit processes seldom extend beyond the regulation or standard being audited. In this presentation, Caspian Kilkelly, senior advisory services consultant at Rapid7, will cover several ways to examine, analyze, review and improve organizational and product-oriented security programs, using data and experience gathered by Rapid7's consulting teams. Drawing on penetration testing, research, incident response and advisory services engagements, we'll examine common gaps in security programs and ways of closing them using a cyclical approach to security improvement.