There are two types of companies: those that have discovered security breaches and those that don't yet know they've been breached.