When I was running operations in Iraq, we had a saying.
The enemy gets a vote.
It meant that no matter how good your plan was, the other side would do something you didn’t expect. They’d adapt. They’d find the gap. They’d make you adjust.
Your plan was a starting point, not a destination. The moment you treated it as finished, you started losing.
I think about that saying constantly in my work now.
Because the families who frustrate me most are the ones who built a security system five years ago and haven’t touched it since.
The Frozen Security Model
I was on a call last week with a family office principal who was genuinely proud of his protection model.
And five years ago, it was good. State of the art. He’d hired a reputable firm. He’d invested significantly. He’d done everything right.
But the threat landscape doesn’t stand still.
Five years ago, deepfakes weren’t convincing enough to fool a trained eye. Now they are.
Five years ago, AI-driven social engineering was a theoretical concern discussed at security conferences. Now it’s operational, being used by criminal organizations and hostile actors in real attacks.
Five years ago, the geopolitical risk map looked completely different. Regions that were stable are now contested. Supply chains that were reliable are now fragile. Travel that was routine now requires additional planning.
Five years ago, most families hadn’t even considered digital exposure as a category. Now it’s often the primary attack vector.
His security model was frozen in 2021.
The threats targeting his family were operating in 2026.
I sat with that disconnect for a while after the call.
The Gradual Obsolescence Problem
I see this constantly.
Estate security systems that haven’t been updated since the day they were installed. The cameras still work. The sensors still trigger. But the integration with current threat intelligence is nonexistent.
Background check protocols that were considered thorough a decade ago. They verify criminal history and employment records. They don’t account for social media footprints, digital connections, or the kinds of open-source intelligence that’s now available about almost anyone.
Travel planning that assumes a world that no longer exists. Routes that were safe three years ago may not be safe today. Countries that were stable have experienced significant changes. The risk calculus has shifted.
Communication security built around tools that have since been compromised or superseded. Encryption that was adequate five years ago may be vulnerable now.
These families invested. They planned. They built systems. They did the work.
What they didn’t account for was that the work never stops.
Static systems in a dynamic environment drift into obsolescence without anyone noticing. There’s no alarm that goes off. No notification that your security model is now inadequate. Just a gradual widening of the gap between what the world demands and what your system delivers.
How Threats Evolve
Let me walk through how the threat landscape has shifted in just the last few years, because understanding the velocity of change is essential to understanding why static security fails.
Synthetic media. In 2021, creating a convincing deepfake required significant technical expertise and computational resources. The results were often detectable by trained observers. By 2026, real-time deepfakes can be generated on consumer hardware. Voice cloning requires seconds of sample audio. The barrier to entry has collapsed.
AI-powered social engineering. Phishing emails used to be clumsy and generic. Now they can be personalized at scale using AI that analyzes your communication patterns, your interests, your relationships. The attacks are more convincing and more targeted.
Open-source intelligence. The amount of information available about any individual through public sources has exploded. Data brokers, social media, public records, leaked databases… the raw material for targeting is vastly more accessible than it was five years ago.
Geopolitical fragmentation. The world has become less predictable. Regional conflicts, sanctions regimes, travel restrictions, and political instability have increased in ways that affect security planning for anyone who travels internationally or has assets in multiple jurisdictions.
Supply chain vulnerabilities. The systems you rely on, whether physical security hardware, software platforms, or service providers, have their own vulnerabilities. Compromises in your supply chain can create exposure you never anticipated.
Regulatory complexity. Privacy regulations, security requirements, and compliance obligations have proliferated. Security models that were adequate under previous regulatory frameworks may now create legal exposure.
Each of these shifts happened incrementally. No single change was dramatic enough to trigger a comprehensive security review. But the cumulative effect is transformative.
A security model designed for the 2021 threat landscape is not equipped for 2026.
The Symptoms of Drift
How do you know if your security model has drifted into obsolescence?
Age of last comprehensive review. When was the last time a security professional assessed your entire protection model against current threats? Not a maintenance check, not a camera repair, but a strategic review. If it’s been more than two years, drift has almost certainly occurred.
Technology generation gap. Are you using security technologies that have been superseded? Encryption protocols that have been deprecated? Communication tools that are no longer considered secure? Hardware that’s no longer receiving security updates?
Threat model currency. Does your security planning account for deepfakes, AI-powered social engineering, and current OSINT capabilities? Or is it still oriented around the threat vectors that were top-of-mind when the system was designed?
Staff training recency. When did your household staff, executive assistants, and security personnel last receive training on current threats? Do they know what a BEC attack looks like? Do they understand social engineering tactics that weren’t common three years ago?
Protocol relevance. Do your verification protocols account for synthetic media? Do your travel planning procedures reflect current geopolitical realities? Do your communication security practices address current vulnerabilities?
Integration status. Are your various security systems, physical, cyber, personnel, actually integrated? Or do they operate as separate silos that were never designed to work together?
If you’re answering “I’m not sure” to these questions, that’s itself a symptom. Robust security requires clarity about what you have and what it does.
Why Families Don’t Update
If drift is so dangerous, why don’t families update their security models more regularly?
The investment justification trap. When you’ve invested significantly in a security system, there’s psychological pressure to believe it’s still working. Acknowledging drift feels like admitting the investment was wasted.
No obvious failure. Unlike a car that breaks down or a roof that leaks, a security system that’s gradually becoming obsolete doesn’t announce itself. It continues to function. It just functions less effectively against threats that have evolved.
Vendor incentives. Many security providers are incentivized to sell equipment and installation, not ongoing assessment and adaptation. The revenue model favors one-time projects over continuous improvement.
Complexity avoidance. Security is already complex. The prospect of reviewing and updating it regularly feels overwhelming. It’s easier to assume everything is fine.
False confidence. Nothing bad has happened, so the system must be working. This logic ignores all the threats that were deterred by luck or circumstance rather than protection.
I understand these dynamics. They’re human. But they’re also how families end up with security models that feel protective while actually containing significant gaps.
The Military Mindset
In military operations, we understood that the plan was a living document.
Before every mission, we’d brief the plan. During execution, we’d adapt as circumstances changed. After action, we’d review what worked and what didn’t. The lessons learned would feed into the next iteration.
This cycle wasn’t optional. It was doctrine.
Because we knew that the enemy gets a vote. That conditions change. That the map is not the territory.
The families who stay protected aren’t the ones who built the best system once.
They’re the ones who keep updating it.
They conduct regular assessments. They stay current on threat evolution. They train their teams continuously. They treat security as an ongoing process rather than a completed project.
This doesn’t mean constant disruption or paranoid vigilance. It means scheduled reviews, systematic updates, and a culture that treats security as a dynamic discipline rather than a static installation.
The Assessment Framework
Here’s the framework I use when evaluating whether a security model has drifted into obsolescence:
Threat currency assessment. Enumerate the threat vectors that are most relevant to the client’s profile. Compare against what the existing security model was designed to address. Identify gaps where current threats aren’t covered.
Technology audit. Review all security technologies in use. Check for deprecation, known vulnerabilities, and generation gaps. Identify systems that need updating or replacement.
Protocol review. Examine all security protocols, from verification procedures to emergency response plans. Test them against realistic scenarios incorporating current attack methods.
Staff readiness evaluation. Assess whether personnel have been trained on current threats. Conduct exercises to identify gaps in awareness or response capability.
Integration analysis. Evaluate how well different security components work together. Identify silos and coordination gaps.
Risk model update. Reassess the overall risk landscape based on current conditions. Reprioritize protection efforts based on updated threat analysis.
This isn’t a one-time project. It’s a recurring process that should happen at least annually, with more frequent updates for rapidly evolving threat categories.
The Questions That Matter
When I meet with a family who hasn’t reviewed their security model recently, I ask these questions:
When was the last time you stress-tested your security model against current threat vectors, not the ones that existed when you built it?
When was the last time you updated your assumptions about which regions are safe for travel, which communication channels are secure, which staff have appropriate access?
When was the last time your security team briefed you on how the threat landscape has changed in the past year, and what those changes mean for your protection?
For most families, the honest answer is: not recently enough.
The Cost of Drift
Gradual obsolescence doesn’t announce itself with a dramatic failure.
More often, it just means you’re not as protected as you think you are. You’re carrying risk you haven’t accounted for. You’re vulnerable to attack methods that your system wasn’t designed to address.
Sometimes families discover this through a near-miss: a social engineering attempt that almost succeeded, a close call that revealed gaps. Those are the lucky ones.
Sometimes they discover it through an incident that could have been prevented if the security model had been current.
The financial cost of updating a security model is usually modest compared to the original investment. The cost of not updating it, measured in exposure and potential loss, is often much higher.
Starting the Process
If this article has you questioning when your security model was last reviewed, here’s how to start:
Acknowledge the timeline. How old is your current security setup? When was it last comprehensively assessed? Be honest about the gap.
Identify the gaps you already know about. Most families, if they think about it, can identify areas where they’ve had concerns but haven’t addressed them. Start there.
Schedule a comprehensive review. This should be conducted by a security professional who understands current threats, not just someone who can check that the equipment is working.
Commit to ongoing assessment. Build regular security reviews into your calendar. Annual comprehensive assessments. Quarterly updates on threat evolution. Continuous training for staff.
Budget for evolution. Security isn’t a one-time expense. Include ongoing assessment and adaptation in your planning.
The Bottom Line
The enemy gets a vote.
The threat landscape evolves. What was adequate three years ago may be dangerously insufficient today.
Your security model was designed for the world that existed when you built it. That world has changed.
The question isn’t whether your system was good when it was installed. The question is whether it’s adequate for the threats you face now.
When was the last time you asked that question?
If you can’t remember, the answer is probably: too long ago.
Next Steps
If your security model hasn’t been comprehensively reviewed in the past two years, we offer a complimentary 30-minute consultation to discuss your current situation and identify areas that may have drifted.
We also have a downloadable Security Currency Assessment that helps you evaluate whether your protection model reflects current threat realities.
Reach out through our website or contact our team directly.
Because the threats targeting you aren’t frozen in time. Your protection shouldn’t be either.
ABOUT THE AUTHOR
John Hamilton is the founder of HK Defense Solutions, a converged security firm serving ultra-high-net-worth families, family offices, and corporate executives. He spent twelve years in U.S. Air Force special operations, where he helped build combat search-and-rescue infrastructure across active war zones.
