Exactly this. we try to prevent cyberattacks as much as we can, but at a certain point, they’re impossible to perfectly defend against without also totally locking down our users and making it impossible for them to do their jobs. so then the game becomes one of containing the amount of damage an attack can do.

Security is restriction. our job is to balance our users’ ability to perform their jobs with acceptable levels of risk.

As an IT guy, I’d love to give software devs full admin rights to their computer to troubleshoot and install anything as they see fit, it would save me a lot of time out of my day. But I can’t trust everyone in the organization not to click suspicious links or open obvious phishing emails that invite ransomware into the organization that can sink a company overnight.