There is a comfortable story circulating through corporate security departments these days. It goes something like this: breaches are inevitable. Attackers are too sophisticated. Your defenses will eventually fail. You might as well focus on detection and response rather than prevention.
This trend is being sold as inevitable. It deserves more skepticism than it is getting.
The narrative has some truth embedded in it, which makes it particularly seductive. Yes, determined adversaries with sufficient resources can breach most networks. Yes, zero-day vulnerabilities exist. Yes, human error will always be part of the equation. But accepting inevitability as doctrine has become a convenient excuse for accepting mediocrity.
Consider what we know from recent incidents affecting institutions like Canvas and GitHub. Breaches happen. But the reasons they happen often trace back to remediable failures: inadequate access controls, insufficient monitoring, delayed patching, and weak separation of critical systems. These are not acts of God. They are organizational choices, usually made under the pressure of competing priorities and constrained budgets.
The "inevitable breach" framing shifts responsibility away from where it belongs. It reframes the question from "how do we prevent this?" to "how do we survive this?" That second question matters. Incident response and resilience are critical. But they should not become the primary strategy for an entire security posture.
What concerns me most is how this narrative affects resource allocation. When leadership believes breaches are inevitable, they become less willing to fund preventive measures. Why invest heavily in threat hunting, security architecture review, or insider risk programs if the outcome is predetermined? Better to spend just enough on detection and hope your insurance covers the rest.
This is backwards.
We also see this playing out in how organizations treat their security culture. If breaches are inevitable, why invest in employee training? Why cultivate a culture where people think twice before clicking suspicious links or reusing passwords? If failure is inevitable, accountability becomes diffuse. Everyone shares blame equally, which means no one bears responsibility for improvement.
The irony is that the organizations that have managed to maintain strong security records do so precisely because they reject inevitability. They treat each breach elsewhere as a case study. They invest in the unglamorous work of hygiene: patching, monitoring, access reviews, and incident response testing. They know that while perfect security is impossible, the gap between negligent and diligent is vast.
Recent reporting on breach root causes has highlighted something telling: processes and culture matter more than any single technology. That finding contradicts the inevitability narrative. It suggests that how organizations operate, not just what tools they deploy, determines outcomes. That is a message of agency, not destiny.
There is also a market incentive buried here worth examining. The "inevitable breach" narrative serves vendors well. If breaches are inevitable, customers will keep buying detection tools, response platforms, and insurance products. Prevention-focused strategies might reduce the total market opportunity. Not all vendors consciously promote this framing, but the economics reward those who do.
I am not arguing that organizations should delude themselves into thinking perfect security is achievable. That way lies complacency of a different kind. Nor am I dismissing the real sophistication of modern threats. But there is space between "impossible to breach" and "will definitely be breached."
That space is where security actually happens.
The question organizations should ask themselves is not whether they will be breached, but whether they are doing everything reasonably within their power to make breaches expensive, difficult, and rare. That is not inevitable failure. That is professional responsibility.