There are about 9 different categories of companies when they are categorized in two dimensions. The dimensions that I have chosen are Security Preparedness along the x-axis and # of Security Breaches along the y-axis.

Lucky - These companies have a low security preparedness, but they have been lucky to have low number of breaches. There is no guarantee that they will continue to stay lucky. It is hard to implement security in such companies because the management has not had a bitter experience of breaches. These are ignorant blissful companies. One big bad incident could push them to the Aware category.

Aware - These companies too have low security preparedness but they have had high number of breaches. Due to the bitter experience of high number of breaches, the management of these companies does understand the importance of security. It is much easier to implement security in "Aware" companies unlike the "Lucky" companies.

Unlucky - I meet unlucky people all the time, no pun intended. These companies have high level of security preparedness, despite that they have had high number of breaches. These are the companies that should spend time doing the post-mortem of the breaches and applying the learning that arises out of the post-mortem to enhance their security posture.

Desirable - These are the companies that have successfully deployed security to minimize the number of breaches. Which company does not want to be here? The goal for the companies in other categories is to consciously move to this category.

Of-course there are other 5 average categories that I did not address, being average does not get much publicity either!