Any given security mitigation can, and will, eventually go obsolete based on changes in the environment. The question becomes: how can we tell when a mitigation is losing its effectiveness? When is it time to double-down on what’s working or divest of what we no longer need to maintain a secure environment?