The C-Suite really only like spending on offensive NOT defensive Cyber Security....
I was recently attending a cyber security conference where the speaker of (30+) years of experience said that:
"The C-Suite really only like spending on offensive NOT defensive cyber security...."
Is this your experience, also?