An organization's security shouldn't be solely focused on breach prevention and placing the blame on someone for clicking on an email. Given enough time, a motivated, sophisticated adversary _will_ get in. Rather, the focus should move to detection and response: knowing where you've been pwned and knowing what to do about it