Ransomware has the potential to cause irreversible business damage, so CISOs should consider not only protection (the “if” scenario), but also response and recovery (the “when” scenario).