There are certain truths that only philosophers can argue over.
You cannot prove a negative.
The “Machete Order” is the best way to watch Star Wars.
In the realm of cybersecurity, however, believing that there is an achievable end goal is a misleading mindset. Cybersecurity is a process of perpetual motion: one that never sleeps, cannot stagnate, and, if successful, never ends.
People, even highly caffeinated security gurus, require down time. Whether that is something as simple as getting a good night’s sleep or “pwning” the competition in the latest online game, a person cannot always be on duty. And that’s OK. Security processes should account for personnel dependencies, for example by implementing overlapping shifts, or by establishing monitoring and alerting systems that raise the alarm without relying on someone watching a console.
Technology moves fast. There is always something new: the next great programming language, or ever faster, denser, and smaller hardware. Security processes need to be flexible and must evolve along with the technology. For example, moving to a Zero Trust network model, in which no device is trusted merely because it sits on the internal network, is one way of accounting for the explosion of Internet-of-Things (IoT) devices.
Good security processes recognize that part of not becoming complacent is building in processes that re-evaluate existing processes. One example is the recent revision of the NIST SP 800-63B password guidance, which no longer recommends forcing password changes after a fixed period of time; instead, a change should be required only when there is evidence that the password has been compromised.
This is not to say that goals should not be established, or that they cannot be achieved, but that goals are not the end. They are more like milestones on a long journey that never ends. New, achievable milestones are how security processes improve and mature, while previously achieved milestones occasionally need to be revisited and reinforced.
Security is not an end goal to be achieved; it is a never-ending process with a purpose.