Today, there are four absolute facts when it comes to security:
Organisations cannot prevent all attacks
Organisations systems are going to be compromised
100% security does not exist
90% of the root cause are people
The question is no longer whether or not you are going to have a breach, but how quickly you will be able to detect the adversary? If the attackers compromise your network via an insider, how would you know?
Organisations must accept that every user is a potential threat.