The (somewhat) good news and bad news of corporate cyber readiness