I have watched this happen in more boardrooms than I care to count. The quarterly report goes up, the dashboard is a wall of green, and you can feel the room relax. Cybersecurity gets filed under problem solved, the budget conversation moves on to something more exciting, and the security team walks out having technically won the meeting and materially lost it.
Here is what nobody says out loud in that room: the dashboard was green because we asked it a question it was designed to answer. Compliance frameworks measure whether a control exists, whether it was documented, and whether it was tested on schedule. They are genuinely good at that. What they do not measure — what they were never built to measure — is whether that control would hold against somebody actively trying to break it on a Tuesday afternoon in the middle of a change freeze.
Those are two different questions. We have grown comfortable treating the answer to the first as though it settles the second, and the gap between them is where nearly every breach I have worked actually lives.
The regulators have noticed, too. And the thing that should be keeping executives up at night is not the fine.