If the end game is preventing something bad from happening, companies typically waste time and money on futile attempts to build an impenetrable wall of systems. Even if it were possible to build a wall that’s 100% secure, it wouldn’t begin to protect the rapidly growing amount of sensitive data that flows outside the firewall through devices and systems beyond the company’s direct control.

It’s far more important to focus on two things: identifying and protecting the company’s strategically important cyber assets and figuring out in advance how to mitigate damage when attacks occur.

The above is from the article “Good Cybsersecurity Doesn’t Try To Prevent Every Attack