Statistics are speaking loudly! There is a disconnection between defenders’ perceptions of the value of the security controls they implement, and the most common attack vectors leveraged by penetration testers acting as potential attackers. This presentation highlights the key results of a two-year-long research study aimed at understanding this disconnection. The perceptions and practices of 120 cybersecurity professionals were compared with 182 findings from 65 penetration tests conducted across North America. By linking the defenders’ perception with their reported actions and cross-referencing the results with statistics on penetration testing, we uncovered important information gaps. We present dozens of open source tools and methods to rectify these gaps, but also discuss how the solution may be at the human level. We offer avenues on how to shift the uncovered misaligned perceptions and change the defenders’ decision-making process to, ultimately, start solving the cybersecurity quandary we currently live in.