Companies can protect their critical assets appropriately, they can ensure that cybersecurity is embedded in their culture and systems, and they can step up their defense mechanisms. They can take all the actions we have outlined up to now. But they will still be attacked. Cyber-attacks are becoming increasingly sophisticated, more frequent, and their consequences more dire. When determined adversaries set their mind to finding a way inside, every organization with valuable digitized information is at risk of having its critical assets compromised.

Breaches unsurprisingly affect shareholder confidence as investors get spooked by the transgression and often by the slow response of the company to deal with it or even acknowledge it. This impact will be disproportionately heavy for companies trying to exploit new digital business models. CISOs and, increasingly, CEOs are realizing that more business value can be destroyed as the result of a poor response to the breach than by the breach itself. Knowing how to respond to a cyber-attack is not a question of having good instincts. It needs to be learned and embedded. Achieving this level of expertise requires developing a robust incident response plan and then—crucially—continuously testing and challenging it through simulations.

Unfortunately, most organizations are not prepared. They are reactive, not proactive. Despite the recognition that breaches will continue ...