“You knew, and you could have acted. Why didn’t you?” 
This is the question you do not want to be asked. And increasingly, it’s the question leaders are forced to answer after an incident.
For years, many executive teams and boards have treated a large vulnerability backlog as an uncomfortable but tolerable fact of life: “we’ve accepted the risk.” If you’ve ever seen a report showing