compromises are inevitable


For most individuals and organizations, it isn’t a matter of if, but when they will be compromised.

Attackers come up with clever new ways to breach security measures every day. They also catalog attack surface at broad scale and launch opportunistic attacks whenever they are able to. The reality of today's world is that you have minutes after a PoC for an RCE vulnerability is disclosed to patch the Internet-facing systems affected by it. Your public assets have already been scanned and cataloged many times over by dozens or even hundreds of malicious entities that are just waiting for the chance.

Another reality is that no matter how much awareness training you do, someone is eventually going to break protocol or be successfully duped by a well-written, well-thought-out phishing attack. The attacker's job is to breach your security, and naturally some people doing this kind of work will be excellent at it.

With this in mind, the logical approach is to accept that compromise will happen and to protect yourself in a way that limits the impact when a system is compromised. Defense in depth, home-field advantage, the principle of least privilege, attack surface reduction, actually reviewing security alerts, and other broad security concepts can be applied so that WHEN an organization is breached, the effects are contained and the attackers are removed swiftly.
