Are Controls Really Necessary?

The incessant successfully orchestrated cyberattacks on organizations and individuals alike seem to suggest that controls are not working or that the malicious actors are winning this asymmetric warfare but is this really the case? What is responsible for the widespread perception that controls might be failing?

I recently conducted a research on the effectiveness of security controls and who is winning the cybersecurity warfare? From my findings, It is safe to conclude that security controls are potent at stopping attacks when deployed appropriately i.e. in the right way and at the right time. It was established that the fact that some attacks slip through the cracks is not enough justification to completely abandon security controls. Would one stop flying because the individual was involved in an air mishap? Would one stop driving or riding in a car because of a road incident? Would one stop eating because of one incident of food poisoning?

Another very interesting point that my research uncovered is the fact that most organizations keep tight lips about their security architecture and this perhaps explains the reason why organizations do not publicly publish the number of attacks that are foiled by the controls they have implemented and the fact that only news about successful attacks go viral and this tends to give the illusion that security controls are not working or that the malicious actors are winning the cybersecurity warfare. Industry standards and regulatory compliance are very effective, and they must continue to be revised as attacks evolve and governance and enforcement must be strict to ensure compliance by relevant stakeholders.

?