• Gary Varga (11/11/2013)


    Dave, not trying to start an argument. It sounded as though you were saying that there is no point starting now as it is already too late but I now think you may have meant that there is no point after a breach has been committed. I guess it may be too late after a breach has been committed but a resolution still should be attempted.

    Steve, sorry but I disagree. Yes, examples should be complete including best security practices where appropriate, however, it does have an impact on effort. Security needs planning, design and testing. Also it may need infrastructure as well as investment in hardware and/or software. Then there is maintenance, management and training. And after all that I still believe it is a sound investment.

    I do not read what you wrote as trying to start an argument. No worries at all.

    I think I am the one who is having difficulty describing my point. Let me do it another way. If we take an example where a company has not done anything to date, and so they begin today to figure out what needs to be done. Next week they start fixing things. They know it will take 6 months to do so. If in 1 month they get hacked, and the result of the hacking is that they end up closing their doors permanently, then my point is it was too late.

    That does not mean we shouldn't try. On the contrary, I am trying to convey the point that even starting now may be too late, but of course we can hope it isn't too late. I fear in some cases, we are so far past where we need to be, that some companies simply can't afford what it is going to take to fix things.

    I did not intend to convey an opinion that it is too late to start. I also do not mean to convey that it is too late after a breach has occurred; odds are everyone has had a breach anyhow. I am simply trying to convey that regardless of when we start, in hindsight we may find it was too late, that we should have started earlier.

    Now, if this isn't clear enough, I am going to just give up. I know what I want to say, but methinks I am failing!

    Next, you expressed exactly what I was going to attempt to say in regards to Steve's comment, but I gave up as I did not want to sound critical of his points. I agree with Steve that we should try, just that there are costs whether we see them or not. You said it better than I was going to.

    Dave