Leaving this definition process up to those back room folks who run the security hardware and software is likely not a good idea. Business leaders need to be involved in this process from the start. The best possible solution, tailored to the business need (client demand, etc.) can only come from a business leader. Security analysts hold the keys, and had better be good Master Sergeants who can nail down the needs when appropriate, but they must also be able to develop a plan when directed to a target by the Generals.
"Done" is not something that can be achieved in the ever-changing world of IT security. Security is a process, and it should remain on the radar, with regular visits to the SOPs that guide it. Much like any SLA or contract, those SOPs should have expiry dates that require re-validation and repositioning. The security threats of today are nothing compared to the threats of tomorrow, that much we all know, and we need to bake that into our guidelines from day one.
Security needs to be guided by business leaders, implemented by IT, and revisited by all parties regularly. The best possible solution is where security is just another fully implemented tool utilized by all levels of the company.