Something I often say at work is that I can't "do" security. While this may sound odd given my job title, grammatically it just doesn't make sense, and I do believe in being clear about what can be done.
You can feel secure, you can be secure, but you can't do secure. While this might seem like something of a word game, I do think it's an important distinction. The value of security is in the outcomes, which are primarily the emotions of our stakeholders, and that is something you can't directly modify.
Reasonably, what should you therefore expect from your security team? My view is that it's essentially a combination of three disciplines: risk management, quality management and incident management. Risk and incident management get plenty of air time so I'll leave those for another day; in any event they could easily be re-phrased as establishing your quality tolerances and defect management.
Time and again, major breaches could (at a technical level at least) be classified primarily as a long-lived failure of quality management. While it's certainly true that new issues need to be dealt with, at least equal care and thought must be given to dealing with the older issues. Put bluntly, if a vulnerability has been around for a decade then the tooling to attack it will be very mature.
It may not have the same Hollywood appeal as dramatically sprinting into action with a set of mirror shades and a leather trench-coat at every new security advisory, but building a security strategy on top of a considered quality management model is a lot more sustainable and ultimately far more cost effective.
As with last year's report, the 2016 Verizon DBIR showed that just 10 vulnerabilities accounted for 85% of all successful exploit traffic. Worse, six of those 10 vulnerabilities were disclosed between 1999 and 2003.