We assume there is no articulated, desired security state. Our security approach is about maintaining "adequate" enterprise security state.
An adequate enterprise security state is the condition where the protection strategies for an organization's critical assets and business processes are commensurate with the organization's risk appetite and risk tolerances.
Protection strategies include principles, policies, processes, procedures, controls, and performance indicators and measures.
Those strategies must be alligned with the organization's strategic drivers and business objectives.
Also security state is constantly changing due to business and risk environments and the variation in risk tolerance that management is willing to accept.