Security awareness in general has improved, although maybe not in the way security practitioners dream. Executives see news of high-profile data breaches and watch mainstream TV shows that demonstrate how easily attacks can be executed and, even worse, how fragile organizations can be.

At first, this might not seem like a big deal, but it has actually reinforced the work that security departments in organizations all over the globe have been fighting for. Most importantly, executives are beginning to understand the need to invest in cybersecurity for reasons beyond regulatory compliance. Suddenly, staying out of the evening news is a very good return on investment (ROI).

No news is good news, then? Unfortunately, not necessarily. To protect against targeted attacks, security professionals must constantly ask themselves key questions: How long do attackers stay inside a given environment? To what extent should an organization negotiate with attackers to recover critical data? How effective can such a negotiation be?

Executives should trust the information security department when it comes to investing in technologies focused on defending against cyberthreats at the perimeter. Organizations are also starting to improve in other areas, such as visibility, data protection, security policy, and user education and training.

But more work still has to be done. Business leaders must realize that a security incident will eventually occur. Someone inside the organization must believe in the boogeyman, understand the organization’s deficiencies and be ready to respond when attackers strike.