We assume there is no articulated, desired security state. Our security approach is about maintaining "adequate" enterprise security state.

An adequate enterprise security state is the condition where the protection strategies for an organization's critical assets and business processes are commensurate with the organization's risk appetite and risk tolerances.

Protection strategies include principles, policies, processes, procedures, controls, and performance indicators and measures.

Those strategies must be alligned with the organization's strategic drivers and business objectives.

Also security state is constantly changing due to business and risk environments and the variation in risk tolerance that management is willing to accept.

Effectively achieving and sustaining adequate security means more than complying with regulations or implementing best practices.

Thus processes to plan for monitor, review, report, and update an organization's security state must be part of normal day-to-day business conduct and risk management.

It is a continuous process - ability to have the capacity to change before the case for change to becomes desperately obvious. Resilient organization directs its security activities toward strategic drivers.

So security is not only about technology - Real security is about people. It doesn't matter how your network is configured, what kind of boxes you have, or how many security devices you've installed.