VISIBILITY

That's right. Visibility is the most important word in information security.

You cannot manage risk of what you don't know.You cannot defend what you don't know.

You cannot react against what you don't know.

I can make this list go on forever, but you've got the point. I could quote Sun Tzu, Galileo, Machiavelli and many others, but I don't think we need their insights to see such a clear thing.

Before putting more effort on additional hardening, ask yourself how much visibility you have into your organization, environment, network, apps. Preventing efforts are not always the top priority.