How Not to “Leeroy Jenkins” Your Cybersecurity Program