I did a SANS@MIC talk on common security misconceptions: the pits and fallacies we fall into while advising ourselves and others in information security. It covers the assumptions that quietly derail good security programs, from over-trusting a single control to mistaking compliance for security, and how to reason past them. I hope it is useful.