Six years ago nobody accessed e-mail via a tablet. Nobody talked about “big data.” Companies didn’t have private cloud programs. Most people assumed that security technology companies such as RSA could not be breached. Almost nobody had heard of Anonymous or LulzSec, and didn’t think that jihad might be carried out by cyber-fighters. Edward Snowden was an anonymous contractor working on computer security for the CIA. And national newspapers didn’t carry front-page stories about governments lobbing charges and countercharges against each other about the use of cyber-espionage.

The cybersecurity context that companies operate in today is extraordinarily dynamic. The digitization of business processes continues to accelerate, a dizzying array of new technologies is available in the marketplace, and new security products emerge to acclaim but sometimes turn out to be less effective than promised. Attackers proliferate, experiment with new techniques, and become more audacious, while hundreds of government agencies in dozens of jurisdictions shift policies, roll out regulations, and invest in all manner of defensive and offensive cybersecurity capabilities.

Amid this confusing cacophony of activity, companies and other institutions must make decisions that will affect them 5 and even 10 years in the future. They must invest in research and development (R&D) projects so that they can reap benefits later. Technology they implement and applications ...