Since the Target breach of 2013, there have been a relentless stream of highly publicized cyber-attacks against and vulnerabilities in systems, applications, organizations, processes, and even people. Many times, the victim organizations release statements designed to make it appear as if nothing could have stopped the attacks from happening. The combination of these attacks and the claims that there was no possible defense for those attacks make it easy for organizations to see the situation as hopeless, especially for the nontechnical executive community. Many of the vulnerabilities and methods for exploiting them are highly technical in nature and the attackers' relative skill makes it seem as if organizations are facing impossible odds. However, most breaches or attacks, in retrospect, yield a change in process or program that could've prevented the breach entirely, or limited the damage caused by the attack. Many of the claims that defense is impossible are designed to escape liability on the part of the victim organization; and we, as people and a business community, have faced similar odds before and found a way to prevail.