Land Rover production. On pause.



For five weeks, Jaguar Land Rover's production stopped. Completely.

August 2025. Factories in the UK, Slovakia, and Brazil went dark. Over 5,000 businesses across their global supply chain sat idle. The final bill: £1.9 billion.

Attackers exploited vulnerabilities in SAP NetWeaver, JLR's third-party supplier software.

Here's the part that stings: warnings about NetWeaver's vulnerability had already been issued. Security teams were told to patch. The risk was known, documented, sitting in someone's backlog.

JLR didn't patch in time.

This is the breach everyone saw coming.

Zero-days are one thing. Nobody can predict those. But this wasn't a zero-day. This was a known vulnerability with a known fix that didn't get implemented before attackers showed up.

The most expensive cyber incident in UK history happened because a patch didn't make it through the queue.

The real failure wasn't technical:

Every organization has a list of known risks. Unpatched systems. Legacy software that should have been replaced last year. Vendor dependencies that need review. Third-party integrations everyone knows are a problem.

The list gets prioritized. Then reprioritized. Discussed in meetings. Pushed to next quarter.

And while your organization debates timelines, attackers don't wait.

Why known risks don't get fixed:

It's rarely because security teams don't understand the threat. It's because:

Risk mitigation disrupts operations. Patching means downtime. Downtime means production delays. Production teams push back hard.

The risk feels abstract until it isn't. "We've been running this for years without incident" becomes the reason to delay another month.

Nobody owns the actual decision. Security identifies the risk. IT manages the systems. Operations controls the schedule. Everyone assumes someone else will handle it.

Maybe you've been in this exact position. You know what needs to be done. You've documented the risk. You've explained it in meetings.

But you don't have the authority to make it happen. Or the credibility to override operational pushback. Or the framework to communicate risk in terms leadership actually prioritizes.

JLR knew NetWeaver was vulnerable. They knew it needed patching. They knew what could happen.

Five weeks of stopped production later, they learned the difference between knowing about risk and actually managing it.

CRISC teaches what happens between identification and mitigation:

Most organizations are decent at identifying risk. The breakdown happens in what comes next.

How do you build risk response processes that don't stall in committee? How do you communicate risk so business leaders actually prioritize it? How do you create accountability when mitigation requires three different teams to coordinate? How do you monitor continuously instead of checking once and assuming it's handled?

These are the skills that separate security professionals who identify problems from risk leaders who actually solve them. CRISC focuses on exactly this: the operational mechanics of getting risk addressed, not just documented.

And professionally? CRISC gives you the credibility and framework to make these conversations happen. Organizations need people who can bridge the gap between technical risk and business decisions.

Our next CRISC Bootcamp runs June 1-3, 2026. Three days with Kelly Handerhan covering everything ISACA tests. 146 topics, 695 flashcards, 850 knowledge assessments, 500+ practice questions, 24 mind maps, and 4 implementation tools for real-world risk work.

Learn more and enroll

P.S. We don't offer a CRISC MasterClass yet.

Stay secure,
The DestCert Team


Free CISM MindMap: Vulnerability and Control Deficiency Analysis


We put together a free MindMap video covering the key concepts in Domain 2, a quick, clear way to get the big picture before you dive into studying. Free to watch, no strings attached. Plus you'll get downloadable audio files and printable PDFs.


The Easiest Way to Pass Your Advanced in AI Security Management (AAISM) Exam


Master AI Security Leadership. We’ve designed this bootcamp for cybersecurity professionals ready to take their expertise into the AI era. You’ll master practical frameworks for securing real-world AI systems and earn the certification that proves you’re ahead of the curve.


Prepare to Pass CCSP: Get the Right CCSP APP


Studying for the CCSP? Big news! We’ve just added 1,000 brand-new questions to our CCSP Exam Prep App—giving you even more ways to test your knowledge and boost your confidence. Whether you're brushing up on cloud security concepts or getting serious about exam day, the updated app is packed with fresh content that reflects the latest exam trends. Study anytime, anywhere, and get one step closer to becoming CCSP certified.

Free CCSP Cloud Data Security and Encryption Mini MasterClass


If you’re interested in cloud security, check out our new FREE Mini MasterClass. It digs into cloud data security and encryption. It’s based on the CCSP certification requirements, but even if you’re not thinking of getting certified, what you learn is very useful in practice if you ever need to deal with cloud data security.
