It is the end of a long day of board meetings, and the company’s chief information officer is making a presentation, at the board’s request, about the major technological investments the company is considering. Halfway through the deck, the CIO mentions ransomware, then says, “Criminals are raking in hundreds of millions through these scams…”

A board member stops him. “That’s the first I’ve heard of this term. Are they actually holding people against their will in our IT department? Are they taking the general ledger hostage? How serious a threat is this?”

“It’s not that kind of ransom,” says the CIO. “But it’s pretty serious. An intruder gains access through a phishing scheme, uses someone’s password to breach the firewall, locks up the operating system so legitimate users can’t gain access, and then demands payment to remove the malware.”

The board member doesn’t quite follow the jargon, but lets the CIO move on to the next topic: the company’s plan to mitigate this risk, in part by tracking the online behavior of all visitors to the company’s cloud-based sites. Much of that discussion is lost on the board members as well.