“An absence of evidence is not evidence of absence” is a longstanding maxim in medicine. The same applies to infosec. First, check that your controls are appropriate for the threats you’re facing, then test the effectiveness of those controls:
[…] Anti-malware was an area that the company hadn’t invested much time or energy in, so O’Connor and his team investigated what the business had in place up until that point: a legacy anti-malware solution that he preferred not to name. He said that when this product was tested, there wasn’t a lot of information or alerts being sent back from it, which could have indicated that the company was already protected.
However, they believed this may have been a false-positive picture, and so the team carried out some benchmarking with the existing anti-malware client. He said:
“We segregated some devices and tested them, and it performed abysmally.”
It became clear that the luxury car brand had to search for a new anti-malware product.