
Security leaders describe a remarkably consistent pattern when asked what finally got their executives engaged in cybersecurity. The catalyst is rarely a breach or a near-miss. In most cases it’s a tabletop exercise, a simulated incident in which leadership sits in a room and confronts, in real time, how an attack would unfold across their business. In our conversations with clients, tabletop exercises come up repeatedly as a turning point for executive engagement, more often than almost any other single intervention. In many organizations, the threshold for attention is a rehearsal of a disaster rather than the risk of one.
Security programs stall for a leadership reason, and the cost rarely surfaces until it’s already compounding.
The disconnect and what it actually costs
More than four in ten organizations in our portfolio — 43%, drawn from Arc and Essential client signals as of February 2, 2026 — report having no security owner at the executive level, a figure that varies across industries and organization size. Without a direct line to decision-makers, security teams spend significant energy justifying the need for action rather than executing it. Projects defer, budgets erode, and the people who could accelerate a critical initiative aren’t in the room when it matters.
The security leaders we work with describe the dynamic in similar terms: executives aren’t blocked by bad intentions, they’re blocked by incomplete information. Executives often believe they’re making informed tradeoffs when they accept cyber risk, framing it as a calculated decision. The calculation is usually missing the variables that matter most: the realistic cost of a two-week operational shutdown, the recovery timeline if backups haven’t been tested, the downstream effect on customer contracts and regulatory standing. Accepting risk without those numbers at hand is a decision made with considerable gaps in visibility.
Why the tabletop works when everything else doesn’t
Tabletop exercises shift executive behavior because they make risk operational rather than abstract. A line item in a CISO’s quarterly report is easy to defer. A room full of executives who have to answer, in the moment, who authorizes the ransom decision, who owns customer communication, and who calls the board is considerably harder to defer. The exercise doesn’t teach executives to care about cybersecurity; it shows them what a cyber incident means for the business they already care about.
Tabletops are reactive by design, though, and an organization that waits for a simulation to achieve executive alignment has already accepted a version of the dysfunction it’s trying to fix. The goal is ongoing sponsorship that doesn’t require a simulated catastrophe to sustain.
What executive sponsorship actually looks like
Executive sponsorship or championship gets used loosely, but its practical meaning is narrower than most organizations realize. It doesn’t require the CEO to become a cybersecurity expert. Nor does it require a new title, a new reporting line, or a new headcount; those are all optional. What it requires is one person at sufficient organizational altitude who is willing to say, publicly and consistently, that cybersecurity supports the mission of the business.
This pattern works in practice. A COO who starts asking about incident response timelines in quarterly reviews changes what gets prioritized. A CFO who treats cyber risk scenarios the way she treats other financial exposures (with modeled ranges and explicit risk tolerance thresholds) changes what gets funded. A board member who asks, at every meeting, whether the security budget is sized to the actual risk changes what gets surfaced. None of these people are security professionals. What they have is sufficient authority to change how security decisions get made.
When that kind of sponsorship is present, the operational dynamics shift. Security projects that were perpetually deferred get timelines. Budget requests that had been treated as a negotiating position get evaluated as a risk management question. CISOs spend less time building the case for why security matters and more time doing security.
The ask for executives reading this
If your security team is constantly fighting for resources and access, the problem is probably not their ability to make the case. More likely, the case is being heard by people who don’t have the authority to act on it, or isn’t reaching anyone who does. That’s a structural issue, and structural issues don’t get resolved by better slide decks.
Schedule a tabletop exercise if you haven’t run one recently. They work for a specific reason: they give you first-hand information about what your organization is actually capable of under pressure. Treat it as a starting point rather than a destination. Use what you learn to ask different questions in your next operational review. Push for quantified risk scenarios rather than heat maps. Find out whether your security initiatives have executive advocates or just executive tolerance.
The security programs that hold up under real pressure tend to share one characteristic: somewhere in the organization, someone with genuine authority decided that security was tied to the mission and behaved accordingly. Finding or becoming that person is a more tractable problem than most executive teams realize, and it’s where the leverage actually is.


