So why does this not happen after a major cyber-attack occurs? Worse still, why are some organisations blaming their cyber-security teams for failures without asking the most fundamental question: ...