Successful attacks almost always take advantage of conditions that could reasonably be described as 'poor cyber hygiene', including the failure to patch known vulnerabilities, poor configuration management, and poor management of administrative privilege. In this session, we'll dig a little deeper into the idea. We'll discuss the importance of cyber hygiene as a root cause issue for attacks, and as a defensive strategy. We look at various attempts to define a specific set of practices to include, and how this might help establish a baseline for action. And suppose hygiene isn't enough, what then? Finally, we'll look at what might be done to turn cyber hygiene from a 'notion' or a general exhortation to do better ('cheerleading') into a large-scale program of improvement.