Over the years I’ve said something like that second paragraph to the CISO or security director only to receive a blank stare or admonition not to say anything like that to an executive team. It’s time for security folks to admit the truth.

My viewpoint is one I learned over the years from reading Christopher Hoff’s blog, Rational Survivability.