Assume a breach will happen.
You should plan for what to do when it happens, but work as hard as you can to prevent it. Neglecting this has been the failing in a number of high-profile breaches. The example given was the Ashley Madison hack; in this case, the highly sensitive information was not stored safely, was inadequately protected, and too many people had access to the backend of the system.
When the hack happened, they were caught completely flat-footed and unable to respond quickly. Their practice of never deleting stale personal information—including that of users who had left the system—compounded the problem.
Low-cost, low-impact measures could have been taken that would have prevented the data from being leaked.
Via Apptimate, Ken Feltman