But then you look at what's actually happening three levels down. The marketing team is sharing credentials to social media accounts. Sales is pushing back on MFA because it adds seconds to their login process. Developers are storing API keys in public repositories because it's faster than the approved method. Remote employees are working from unsecured networks and don't think twice about it.
The executive commitment is there. The company-wide behavior isn't. And that gap is where breaches happen.
This is the challenge that keeps security leaders up at night. You have the mandate from above, but translating that into thousands of daily decisions made by people who have completely different priorities is a different game entirely.