Part of my background was doing and selling security engagements. Up until a few years ago, it was difficult to get senior leaders to wrap their head around security being anything but a cost center - even though it was always framed as "savings". That has changed in the past year alone. CiSO's are still hounded daily about security products which will "save money / prevent theft" - but the risk to the business is now clear to leaders without security background. I still believe the adage [paraphrased] "People don't pay for the prevention, they pay for the cure"