"And if the CEO goes 'I don't know' then he needs to take some action on that," says Prow.
"This should be stuff you know.
"You should know: Yes, these are the systems we run; this is how bad it would be if they got compromised; this is how much it would cost the business if we were taken off-line for a week; and this is how we will respond to those things."
The cybercrime statistics are going through the roof because the amount of data being stored and processed makes it a more "juicy" and valuable target, Prow says.
And while five years ago cyber criminals were after credit card or banking data, now it's getting personal.
Prow points to a large attack on a United States store card operator where the system wasn't taken off-line. Instead, the hackers analysed the data for personal and shopping trend information before on-selling it as competitive intelligence, says Prow.
"It was a perfect example of the crims now starting to easily monetise hacked data."
Add that to a workplace where staff are toting laptops and phones in and out of the office and data is stored not just on the firm's own databases but also on cloud-based services.
"It's suddenly becoming a very unmanageable situation."
All the bad news on cybercrime comes out of the States, but it's not because New Zealand businesses are isolated from the internet's bad guys.
Unlike their US counterparts, New Zealand companies don't have to reveal whether their IT systems have been compromised, "which we absolutely bloody should do", says Prow.
While the costs can mount up under a mandatory breach notification system - fixing the issue is often the tip of the iceberg once notification, brand damage and reparation are calculated - it does mean companies take their data security seriously, he argues.
Prow says his firm, which provides cyber security consultancy services as well as turn-key website protection systems, tends to see New Zealand organisations fall into two distinct groups when it comes to IT security.
"We've got one level of customers who are on the international scale, they're selling to a global customer base and they therefore take security as seriously as their global customer base and they will do everything they can to protect the data, to monitor attacks, to respond to them fast. Then we get the other end of the scale, which is New Zealand companies operating in the New Zealand market but they don't really have to get it right and no one really chases them if they get it wrong - and in fact half the time nobody ever finds out and that's the bit that I guess we see. In our opinion there's a bunch of companies and their CEOs that have kind of been a little remiss about this because they're not actually being beaten up over it. Mandatory breach notification is one way of making it something you can't hide from."
Patching up problems and pre-empting cyber-strikes has been good business for Aura Information Security. The company, which has offices in New Zealand and Australia, this year set up shop in the United States to help take its Red Shield cyber security software to the market. "It is a very globally transplantable service," says Prow.
"It doesn't matter where you are in the world, you tend to have very similar IT infrastructure and phones and websites."
Aura has boosted its board with governance leadership from Mark Canepa, a US executive with experience running everything from start-ups to listed tech firms, who was involved in local technology success story Greenbutton, and Xero's local managing director Victoria Crone.
The catalyst for the external board appointments was to bring in expertise to take the company to the next level, says Prow.
That includes pumping external investment money into the development of Red Shield, which has so far been funded from business profits.
The decision had to be made to either remain "an awesome Kiwi business with some Aussie customers or we go hard".
Prow says the Red Shield technology is unique so on that basis there was only one option: go hard.