• Nadrek (11/11/2013)
    All coding aside, in many to most of our cases, the real question is:

    What is the best business case to present to management on why the increased cost, lengthened timelines, increased developer skill requirements, increased testing, and other limitations secure coding entails are worthwhile, and to what degree?

    Good question, but one I fear has no answer. The terrorist attacks on 9/11 resulted in numerous companies going out of business due to poor disaster planning. Companies still do not grasp the risk. Security is basically the same thing. Unless the people at the top can be made to understand the risk, they aren't going to do anything about it. I don't believe it is possible to make most of the people in charge understand. Most corporate leaders come from finance and sales roles, not technical roles. They focus on increasing sales and profits, decreasing costs. Spending money on IT has always been hard to justify, because the ROI never seems to materialize. Reduced labor costs don't come true due to people being reassigned once automation takes care of something they used to do. Showing an ROI on a security investment? I just don't see that happening right now. Once enough companies are made to feel the pain of not securing their infrastructure, maybe others will start doing so. Proving the value now is probably not possible given how leaders tend to value investment.

    Dave