Episode 17 — Review and Maintain Security Strategies as Risks and Threats Evolve

In this episode, we are going to focus on a reality of security management that beginners often underestimate: a security strategy is not something you write once, approve once, and then consider finished. Security exists in a moving environment where technology changes, business priorities shift, and threats evolve in both speed and creativity. Even if an organization does everything right today, it can drift into risk tomorrow if it does not review and maintain its security strategy deliberately. Maintaining strategy does not mean constantly rewriting everything; it means checking whether the strategy still matches the organization’s current risks, current capabilities, and current objectives. It also means noticing when assumptions that used to be true are no longer true, such as the assumption that a system is internal only, or that a vendor relationship is stable, or that certain data is handled in limited ways. Without maintenance, security strategy becomes stale and disconnected, which leads to reactive work, inconsistent priorities, and a growing gap between what the organization thinks is true and what is actually happening. A maintained strategy keeps security work focused and defensible, because it ties ongoing decisions to an updated understanding of risk. When you learn to review and maintain strategy well, you learn how to keep security progress from quietly eroding over time.

Before we continue, a quick note: this audio course is a companion to our course companion books. The first book is about the exam and provides detailed information on how to pass it best. The second book is a Kindle-only eBook that contains 1,000 flashcards that can be used on your mobile device or Kindle. Check them both out at Cyber Author dot me, in the Bare Metal Study Guides Series.

A helpful starting point is to understand why risk and threats evolve, because this explains why strategy must evolve as well. Organizations adopt new services, connect to new partners, and store data in new places, and each change creates new attack surfaces and new dependencies. Threats evolve because attackers adapt to defenses, discover new vulnerabilities, and follow value, meaning they target what is valuable or vulnerable. Even the tools and techniques of defense evolve, such as improved monitoring capabilities or new ways to manage identity, and those changes can make old approaches less effective or unnecessarily expensive. Risk also evolves because the organization’s context changes, such as entering new markets, serving new customer groups, or operating under new obligations. Beginners sometimes imagine risk as a stable list of dangers, but risk is a relationship between assets, threats, vulnerabilities, and impact, and all of those variables change over time. When any variable changes, risk changes, and strategy must keep up. If strategy ignores this, the organization continues investing in controls that address yesterday’s problems while missing today’s priorities. That is not just inefficient; it can be dangerous.

Maintaining strategy begins with maintaining situational awareness at the program level, which means having reliable ways to notice changes in the organization and changes in the risk landscape. Situational awareness includes understanding what major initiatives are underway, what technology changes are happening, what vendor relationships are changing, and what incidents or near-misses are occurring. It also includes understanding trends in threat activity and vulnerabilities, but not in a sensational way. The program-level question is: what changes affect our exposure, our critical assets, or our ability to detect and respond? Beginners sometimes think situational awareness is only technical, like reading vulnerability news, but management awareness is broader. If the organization is reorganizing teams, access patterns may change, creating new risk. If the organization is outsourcing a function, responsibility boundaries change, creating new oversight needs. If a major system is reaching end of life, resilience risk may rise. Strategy maintenance means you track these changes deliberately, because they will quietly shape security outcomes whether you track them or not.

A core part of strategy review is revisiting the assumptions that the strategy is based on, because assumptions are where drift hides. A strategy might assume that certain systems are segmented, that access is reviewed regularly, or that certain data types are limited to specific environments. Over time, projects and workarounds can erode these assumptions, creating a gap between strategy and reality. A mature review process asks questions like: are the key controls working as intended? Are the critical processes followed consistently? Are there new dependencies that change our risk? It also asks whether the organization’s priorities have changed, because strategy should align to what the organization is trying to achieve. If leadership is pushing for rapid digital expansion, strategy may need to emphasize secure change enablement and scalable controls. If the organization is focusing on reliability and reducing outages, strategy may need to emphasize resilience and operational discipline. Beginners sometimes treat strategy as a static plan that should not be questioned, but questioning is how you keep it honest. Review is not an admission of failure; it is the normal discipline of staying aligned to reality.

Strategy maintenance also includes reviewing the effectiveness of controls and initiatives, because a strategy should be judged by outcomes, not by intentions. If the strategy includes improving detection and response, you need to examine whether incidents are detected faster, whether response is coordinated, and whether lessons learned are preventing repeats. If the strategy includes improving access governance, you need to examine whether access is being reviewed, whether least privilege is improving, and whether exceptions are controlled. If the strategy includes strengthening policy adoption, you need to examine whether teams understand and follow policies or whether policies exist only on paper. Beginners sometimes focus on whether tasks were completed, such as whether training was delivered, but the deeper question is whether behavior and outcomes changed. If training completion is high but phishing reports are low, the training may not be effective. If a new process exists but teams still bypass it, the process may be too slow or unclear. Strategy review uses evidence to separate what is working from what is theater. This is essential because security programs can become busy without becoming better.

Another important element is prioritization, because evolving risk means priorities must be revisited, not just added to the list. A common failure mode is that new risks are continuously added as new initiatives without removing or adjusting older priorities, which leads to a strategy that tries to do everything and accomplishes little. Maintaining strategy means making tradeoffs openly: some efforts are completed and can be maintained at a steady level, while other efforts become urgent due to new exposure. This is where risk assessment and leadership input matter, because prioritization must reflect both risk and organizational objectives. Beginners sometimes think prioritization is a political battle, but it can be a disciplined exercise when criteria are clear. Criteria might include asset criticality, likely impact, current control gaps, and readiness of teams to implement change. When prioritization is done consistently, stakeholders can see that changes in focus are based on logic and evidence rather than personal preference. That transparency builds trust and reduces friction. Strategy maintenance is therefore also expectation management.

Maintaining strategy also requires attention to capability and capacity, because evolving risk often demands new capabilities. For example, if the organization adopts more cloud services, the strategy may require stronger identity governance, clearer shared responsibility understanding, and improved monitoring of service configurations. If the organization increases partnerships, the strategy may require stronger third-party oversight and contractual security enforcement. Each new demand requires skills, processes, and potentially technology adjustments. A strategy review should ask whether the organization has the capability to address new risks and whether capacity exists to execute the necessary changes. If not, the strategy should include steps to build capability, such as training, process refinement, or selective investment. Beginners sometimes assume that the strategy can simply grow indefinitely, but strategies must fit within real constraints. A realistic strategy maintenance process keeps the plan deliverable and avoids burnout. It also prevents security from becoming reactive by ensuring capability growth is planned rather than improvised.

Another aspect of strategy maintenance is making sure governance remains aligned, because decision structures can drift just like technical controls. Over time, committees may stop meeting, roles may change, and decision paths may become unclear, especially during reorganizations. If governance weakens, strategy execution weakens because priorities cannot be set and exceptions cannot be managed consistently. A strategy review should therefore include checking whether authority boundaries are still clear and whether stakeholders still understand who owns what. It should also include checking whether policy and standards remain current and enforceable. If policy is outdated, teams may ignore it, and exceptions may become the norm. Maintaining strategy means keeping governance healthy enough to support consistent decisions. This is often overlooked because governance does not feel like a technical problem, but it is a major driver of security outcomes. If governance fails, even strong technical controls can become inconsistent and fragile.

You also need to maintain the narrative of the strategy, because stakeholder support depends on understanding and trust over time. A strategy that is reviewed and updated should be communicated in a way that explains what changed and why, not just as a new document. Stakeholders need to understand which priorities shifted, what progress has been made, and what decisions are needed next. This communication should avoid drama and should focus on evidence and outcomes. Beginners sometimes think stakeholders only care about big incidents, but durable support is built through steady, honest updates that show the program is learning and adapting. Communication also helps prevent rumor-driven drift, where teams assume security is changing direction based on mood. When you communicate changes clearly, people can adjust their plans and expectations. This reduces friction and makes implementation smoother. Strategy maintenance, therefore, includes communication discipline, not just analysis.

Finally, strategy maintenance should include a feedback loop from incidents, near-misses, audits, and operational experience, because these events reveal what the strategy misses. Incidents often highlight gaps in detection, coordination, or access governance. Near-misses highlight where luck prevented harm but weaknesses remain. Audits highlight control gaps and evidence weaknesses. Operational experience highlights where processes create friction and workarounds. A mature security program treats these signals as inputs to strategy maintenance rather than as isolated emergencies. This does not mean reacting to every minor event with major change, but it does mean identifying patterns that suggest the strategy needs adjustment. If similar issues recur, the strategy may need stronger emphasis on a capability or process. If new types of issues appear, the strategy may need to expand to cover them. This feedback loop turns the security program into a learning system. Learning systems improve steadily and avoid repeating mistakes.

In conclusion, reviewing and maintaining security strategies as risks and threats evolve is about keeping security direction aligned to reality, not freezing it in a moment that has already passed. Risk evolves because organizations change, threats adapt, and obligations shift, and a strategy that ignores those shifts becomes stale and ineffective. Maintaining strategy requires program-level situational awareness, regular review of assumptions, evidence-based evaluation of control effectiveness, and disciplined reprioritization that includes tradeoffs rather than endless additions. It also requires attention to capability, capacity, and governance health so the strategy remains deliverable and legitimate. Clear communication keeps stakeholders aligned and preserves trust, while feedback from incidents and operational experience ensures the strategy learns rather than repeats errors. When security strategy is maintained as a living guide, the organization gains a stable way to adapt without chaos, keeping security investment focused and making progress durable even as the environment changes.