I've been having discussions with some peers that security is a point-in-time snapshot. You don't "achieve" security and then walk away from it; it is a continuous cycle. In other words, security is a state of being that is subject to surrounding context. You can be "secure" today (via traditional measurements) and, without changing a thing, be "insecure" tomorrow.
Let's entertain some examples. First we'll start off with the realm of cryptography. Once upon a time, DES, MD5, and SHA1 were considered very secure. They were (actually, they still are even now) widespread standards in many applications. And yet, all three of those mathematical critters are now considered insecure. DES has been dead for over a decade (since the EFF built DeepCrack in 1998), MD5 fell in 2004, and the final nail was put into SHA1's coffin last week. What happened? In some cases, advances in and availability of technology diminished the security value the algorithm provided. In other cases, mathematical wizards discovered properties that reduced the algorithms' effectiveness.
It's not the first time that advances in technology and information have rendered a previous security control ineffective. In the 80s and 90s, many organizations deployed proximity access control cards from HID et al. to control access to buildings. These cards were essentially passive read-only RFID transponders operating at low frequencies (125kHz). The security of this technology was contingent on the concept that it was too difficult for attackers to create or clone new proximity cards. However, fast forward a few decades and now you have detailed information available on the Internet on how to make a proximity card cloner using off-the-shelf components; the cloner can be trivially used to defeat these legacy proximity access control systems. Fortunately vendors have moved to newer technology (iClass, Mifare, etc., even though they have their own problems too) for RFID/proximity access control, but many 125kHz systems are still in use today.
But just because you updated to a newer technology that fixes insecurity in an older technology doesn't mean you're done. The well-accepted security patch lifecycle shows this is an ongoing battle. When you are insecure, you apply a patch... which makes you secure. That is, until a new vulnerability is found in the patch (or the application areas that were not patched), and you're back to being insecure. What was fully patched and secure yesterday can be considered unpatched and insecure today; the "secure" disposition was only valid during a particular point in time. Today's secure version is tomorrow's insecure version.
What does this all mean at the end of the day? Security is not a purchasable asset that you buy once and then have; it takes continuous investment to keep it. So keep that in mind when you are laying out your capex plans.
Until next time,
- Jeff