I keep hearing a few things in the chatter about cyber security that make me cringe: people claiming they have the "solution" to cyber security, and the "we already got hit, so we don't have to worry" fallacy.
You can't fix cyber security like solving a puzzle. There is no magic set of pieces that, once put together, makes a solid picture that fixes everything. And if you have been hit already, expect it again, and again, until you go out of business. You got attacked, and now they know they can attack you. Even if you put all the right pieces in place you will still be compromised again, and you will start over.
Cyber security is not a target but an ever-evolving battle in which the opposition adapts constantly and rapidly, so your defense must too. Your defense must be tailored to your network, information, processes and people. It has to start with knowing what you are trying to protect, and with continually refining your understanding of what you are trying to protect. Nothing else you do matters if you don't know what you are trying to protect ("everything" is not an answer), because then you won't know which controls you need to put in place to protect it.
And there is no way to make your network (corporate network here; home is another matter) 100% secure. You have to face the fact that you either will be or already have been compromised. You just may not know it yet.
The consensus is that all companies are or have been compromised, and the sad fact is that most don't know it. The average time from compromise to discovery is months, 6 to 9 months. And your IT security team is probably not who will find it. You still need them, but they just don't have the tools and resources to find the threats you are faced with.
It is not just your problem. Everyone, including places like DHS, the FBI and every other three-letter agency, is having the same problem, so don't beat yourself up over it. You can't protect everything. You still have to do the normal firewall, AV and IDS things to keep the script kiddies out, but for APT actors you have to decide what you cannot afford to lose and prioritize your efforts. Split the stuff you really must keep off from the rest of your network and put robust controls in place: more layers of firewalls, VPN-only access, encrypt the heck out of it, and surround it with fakes that will keep the attackers busy.
And if we learned anything from Sony Pictures it is this: make a recovery plan for the possibility that you lose everything. What will you be doing when email doesn't work? How will you communicate with staff and far-flung parts of your organization? Do you have backups, off-site backups, and a fall-back plan to do things like pay your employees? What won't work if none of your computers do?
And then keep updating your plan, practice what you will do when attacked, and keep doing the motherhood procedures, but don't think any of this will keep you 100% safe. Be prepared.
1 comment:
But it's not hopeless...