
This is absolutely correct! Modern technical security practice preaches defense-in-depth. Over a long enough period of time, you WILL be compromised. It’s much more effective to plan for it and mitigate the damage than it is to attempt perfect security.

The trick is to make sure you have good network segmentation, don’t allow apps/users more access than they need, and have reliable monitoring and anomaly detection in place so you can respond rapidly to breaches that do occur.



The only problem with that take is that people will hear it and remember “don’t attempt security because it’s hopeless”. It’s the same problem that comes from people discussing premature optimization and using it as a reason to skip simple and obvious performance improvements.

Nuance has a way of being lost in advice like that.



