With massive data breaches being announced almost daily, the number of IT professionals moving into the security arena continues to grow. Some of these (like myself) come from systems and network admin backgrounds. Many of these "recovering admins" think they know security because they managed firewalls, established VPNs and created AD password policies. Most, however, are wrong - they don't understand the enemy, his tactics or what's at stake. To help with this learning process, we will work through a "12-step" program designed to help face the harsh reality, dispel many common misconceptions and provide some clear directions to move forward.