You've got firewalls. You've got endpoint protection. You've probably got a compliance framework you can wave at auditors and a patch cadence that felt reasonable the last time you benchmarked it. But here's the question worth sitting with: if the threat environment your security program is built around doesn't exist anymore, would your program know?