In my experience, that would be a company that spends hours in security committee meetings and then fails to react appropriately in an actual emergency.