Thanks for the article, and the upcoming series commitment.
I like your identification of a four-phase process. Context will of course vary, but it is important that these phases are evaluated within the context of an organizational security strategy and the achievement of well-defined objectives. Considering a given problem-solution-test-evaluate sequence within the framework of a pre-defined security strategy reduces the tendency to skew each of those stages towards a favorable view of an identified outcome. Problem statements can otherwise be written with a given solution in mind rather than a given objective, and metrics can be chosen that support a given technology rather than organizational progress towards a performance objective.
You obviously have more to write on the subject, and I look forward to the reading.