The annual report from PwC (direct link to the full .pdf file) on the Global State of Information Security makes for interesting reading. It contains some insightful facts and figures, and there is plenty of analysis of them elsewhere, including on the Computing website here.
One statement from the report that particularly caught my eye is this:
Chief Information Security Officers (CISOs) are more likely than any other executives on the senior management team to perceive a significant gap between security policy alignment with business objectives and security spending alignment with business objectives…There’s a (more) likely explanation of this perception gap–and a crucially important one: CISOs don’t see eye-to-eye with the rest of the executive suite on what single business issue is principally driving information security spending…
In other words, there seems to be disagreement at the top over what the priorities are. Personally, I think that being in the leadership role means being able to describe the security policies you believe need to be followed and to gain a following for them. If the executive support is not forthcoming, then you're probably not doing a very good job.