> worthless (like keeping current on patches)

Whilst some outdated security practices are worthless - like password complexity tests plus repeated password changes - keeping current on patches is definitely not.

If your OS or applications have known holes, they *are* going to get exploited sooner or later.

> One employee getting phished can let an attacker inside and all your perimeter defenses are worthless

That's really just saying "perimeter defenses are worthless", which is indeed true.

See Google's "BeyondCorp" paper for a better way of doing it. Basically: don't trust anything inside the network any more than you trust the outside. All apps must validate both the device and the end user (or sit behind a proxy which does that). And all devices must prove they have been locked down and are fully patched.
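A sketch of the access-proxy rule the comment describes, added here as an illustration and not taken from the BeyondCorp paper or any Google code: the decision depends only on the authenticated user and the device's attested posture, and the request's source network is carried along but never consulted. The patch baseline, group table and sample requests are constructed values.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

MIN_PATCH_DATE = date(2024, 5, 1)                        # constructed baseline
RESOURCE_GROUPS = {"/payroll": {"finance"}, "/wiki": {"employees", "finance"}}

@dataclass
class Device:
    managed: bool        # enrolled in the device inventory
    locked_down: bool    # disk encrypted, screen lock enforced
    patch_date: date     # patch level the device attests to

@dataclass
class Request:
    user: Optional[str]  # authenticated principal, None if unauthenticated
    groups: set
    device: Optional[Device]
    source_ip: str       # carried along but deliberately never consulted
    resource: str

def device_posture(dev: Optional[Device]):
    """(ok, reason): the device must prove it is managed, locked down and patched."""
    if dev is None or not dev.managed:
        return False, "unknown or unmanaged device"
    if not dev.locked_down:
        return False, "device not locked down"
    if dev.patch_date < MIN_PATCH_DATE:
        return False, "device patch level below baseline"
    return True, "device ok"

def authorize(req: Request):
    """Access-proxy decision: user AND device must pass; source network has no weight."""
    if req.user is None:
        return False, "unauthenticated user"
    ok, why = device_posture(req.device)
    if not ok:
        return False, why
    if not req.groups & RESOURCE_GROUPS.get(req.resource, set()):
        return False, "user not authorised for resource"
    return True, "allow"

# Constructed sample traffic: the two "alice" requests differ only in source network.
good = Device(True, True, date(2024, 6, 10))
stale = Device(True, True, date(2023, 1, 15))
SAMPLE = [
    Request("alice", {"finance"}, good, "10.0.0.5", "/payroll"),      # allow
    Request("bob", {"employees"}, stale, "10.0.0.6", "/wiki"),        # deny: stale patches
    Request("carol", {"employees"}, None, "10.0.0.7", "/wiki"),       # deny: unknown device
    Request("alice", {"finance"}, good, "203.0.113.9", "/payroll"),   # allow: same as on-net
]
```

Run `authorize()` over `SAMPLE` to see that the on-network and off-network requests from the same user and device get the identical decision, while the internal-address request from an unpatched device is refused.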

