Most organisations would say they are taking cyber risk seriously. They have invested in tools, built dashboards, appointed committees and implemented policies. On paper, it often looks robust. Yet ...