Third, design technologies and processes that don’t just plan for high availability, but also for recovery and continuity. Lastly, ensure that these recovery and continuity plans are tested often enough to prove that they work.”

I saw a few tweets about this article tongue in cheek saying "time to update your threat model" - but how many actually do that? Who is at work this week creating a document that illustrates how a data breach of their external council could lead to their own data loss event? I'd guess it is a very small number of folks. I'm making the cas

3. Boards must focus on risk, reputation, and business continuity.