Having a risk based approach to managing cybersecurity is critical. All data and information systems can not be protected at the same level. There just are not enough resources to go around. An attacker only has to get lucky
once. The defenders have to be on guard all the time and never miss a step. You will never 100%. There are always gaps. Attackers figure out new techniques. It takes time for everyone to learn what those new techniques are and catch up. There are some protection techniques that are just going to be way out of
budget. The organization has to figure out how much risk is acceptable which is a hard thing to do.
The first thing is to understand the value. Once you understand the value and have categorized your data you have to develop a plan to protect that data and (or) systems that corresponds to the value of the data and (or) systems.
Most organizations are not starting from zero. They usually have some security measures in place. This is why it is helpful to conduct a risk assessment and understand where their gaps are. Risk assessments go through industry accepted security controls and determine if their are any gaps your organization has from the industry best practices. It is then matched up to the threats your organization is facing and the data categorizations. This puts the picture more in balance. Yes, you may have gaps on something of low value, but maybe that is ok for your organization. Resources have to be balanced between the needs to the business and the need for security.
The best way to implement security is in a layered defense in depth approach. An attacker only has to get lucky once. You have to defend all the time. If you assume no one will ever get passed your perimeter firewall, you will not be prepared for the day an attacker does get by yo
ur perimeter firewall. You need to think about what happens if they do get through your perimeter. What happens if they get through your next layer and your next layer? Thinking in terms of layered security makes for a better overall approach.