I. Review how the successful implementation and testing of a new and improved security profile may provide a false sense of security for an organization as it feels more confident about the protection level it receives. The organization should always be on guard.
II. Outline that once changes have been implemented and mandated by an upgraded security program, a lot of time has likely passed. Hence, the environment and security needs may have already changed and need additional refinement.
III. Review factors that may influence or trigger changes that have to be made in an information security environment:
• Acquisitions of new assets and the divestiture of old assets
• Emergence of vulnerabilities associated with new or existing assets
• Shifting business priorities
• The formation of new partnerships and potential dissolution of old partnerships
• Personnel who departed who were trained, educated, and aware of policies, procedures, and technologies within the business
• The hiring of personnel
IV. Emphasize the importance that if a strong structure of procedures and systems is in place that are adjustable to everchanging environmental conditions, the security protocols in place are likely to remain sufficient.