Cyber Security is a whole of business exercise. it cannot just be delegated to the IT department because that is where the tech is. Management need to realise that you can do everything right and still get breached.
That being said, getting management to understand that cyber security is a holistic process with different facets is a even harder. The delegation of responsibility to the IT department is similar to washing their hands of the problem and moving on. The CEO has to be involved all of the way through the process, asking the RIGHT questions, defining the risks and motivating his staff.
With new compliance requirements in the pipeline all over the world, CEOs, managers and owners are clearly in the firing line.
Against a persistent and insidious enemy they definitely have a fight on their hands. Developing better tactics is paramount in the WAR.