Why your security program keeps failing (and it’s not a technology problem)

Most cybersecurity failures trace back to a leadership gap, not a technology gap. Here’s what executive sponsorship actually looks like — and why a tabletop exercise is often where it starts.

4 Min Read

Across industries, a familiar pattern plays out in security programs: a CISO spends months trying to get leadership attention for a risk that seems obvious from where they sit, budgets get trimmed, and initiatives quietly stall. Then the organization runs a tabletop exercise—a simulated cyber incident that puts executives in the room and forces them to make real decisions under pressure—and suddenly everyone is paying attention.

The pattern is worth taking seriously, because it reveals something about how executive engagement in cybersecurity actually tends to work—and how rarely it develops before a simulated crisis forces the issue.

When leadership engages late, the program suffers

The CISO role is one of the most structurally difficult in the C-suite, because security leaders are asked to protect the organization from threats that are largely invisible to the people who control the budget, set priorities, and have the authority to mandate change. When that visibility gap persists, it shows up in predictable ways: understaffed security teams, controls that get approved in principle but never fully implemented, and risk decisions made by people who don’t have access to the data the security team sees every day.

The data bears this out. According to Resilience’s own portfolio data from February 2026, more than two in five clients—43%—do not have a security owner at the executive level. The practical consequence is exactly what you’d expect: projects stalled, budgets rejected, critical policy decisions postponed indefinitely because the security team lacks the organizational authority or access to the people who could actually move things forward.

The tools exist, the controls are well-documented, and most organizations have at least a working sense of what needs to be done. The variable that explains the persistent gap between knowing and doing is organizational authority—specifically, who has it, and whether they’re using it to drive security outcomes.

The “calculated risk” problem

There’s a pattern worth naming directly: executives who believe they’re making a deliberate, informed tradeoff when they deprioritize a security investment are often operating with significant information gaps. The risk feels manageable because the consequences are still hypothetical. The CISO’s recommendation feels like one of many competing priorities, not a decision with a specific financial exposure attached to it.

This is meaningfully different from deliberate risk acceptance—the kind that happens when leadership reviews a quantified risk assessment, understands the expected loss range, and consciously decides to accept or transfer the risk. In the “calculated risk” version, the decision is made without that information, so what feels like a considered judgment is really just an uninformed one.

The tabletop exercise breaks this pattern by making the consequences concrete. When executives have to decide, in real time, whether to authorize a ransom payment—who has the authority to sign off, how to communicate with the board, whether the incident response plan accounts for what they’re actually experiencing—the hypothetical becomes operational. The gap between “we have a plan” and “we have a plan that works” becomes visible.

A live incident would be a worse moment to discover the same gap—but a tabletop exercise is often the first time executives find themselves genuinely equipped to close it.

What executive sponsorship actually means

Executive sponsorship for a security program has nothing to do with titles or technical fluency—the CEO doesn’t need to understand threat actor techniques, and the board doesn’t need to approve every control decision. What’s required is something simpler and more durable: an executive who is willing to say, publicly and consistently, that cybersecurity supports the organization’s mission, and who acts on that belief when resource decisions are made.

That framing matters because it’s accessible. A conversation at a recent security conference captured it clearly: the turning point for one organization wasn’t a new platform or a larger budget. It was a CFO who started requesting quarterly briefings from the security team—not because a regulation required it, but because she’d decided that understanding cyber risk was part of her job. That shift in posture, one person in a position of authority choosing to be informed, changed how the security program operated.

The champion can be the CFO, the COO, a board member with a risk mandate, or a business unit leader whose operations depend on the security team—the role doesn’t belong to the CISO or CIO by default. What defines a champion is a willingness to treat security as a strategic function rather than an IT cost center.

The ask for executive readers

If you’re a senior leader who has delegated cybersecurity entirely to your security or technology team, that’s worth examining—not because you’re responsible for the technical decisions, but because the decisions that most affect your security program aren’t technical in the first place. They’re organizational: which initiatives get funded, whether the CISO has a direct line to the board, how quickly the organization can make decisions under pressure.

A tabletop exercise is one of the most effective tools for closing the gap between what your team can describe on paper and what your organization can actually execute under pressure. More than a test of your security team, it’s a diagnostic for your organization’s decision-making—a way to see, before a real incident, where the authority structures that shape security outcomes need to change.