From what I've observed:

a) There's no leadership buy-in on data protection. Leadership is too focused on profit drivers and sees data protection as a necessary evil. Or something they must "respond/react" to instead of proactively building into their culture.
b) The most "at risk" functions--Marketing/sales other customer-facing areas don't prioritize it. Their argument is--if we're not in the business of data protection, why bother with all the effort?
c) Data protection measures (certifications, data security tools) are seen as good-to-haves and not must-haves.

The current environment heavily favors aggressors, ie those perpetrating attacks. They can innovate unimpeded, they have a large ROI for new technology.
Defenders don't even understand the attacks that are coming out now. It would require a large research effort to understand them and a huge investment to effectively mitigate *just the ones we know about*.
Because new attacks are constantly being invented, this so far is a losing game, Kobayashi Maru (Star Trek II reference, look it up). All we can do is deal with loss in the best way possible.
That means minimizing response times, automating port closures or account lock-outs, bringing more computational power to bear on analytics, scripting and smarts as part of the defender's toolkit. Always assume there is an attack ongoing, that you will be compromised. Be prepared to quarantine, wipe and rebuild machines with as low a cost as possible.
The new hardware hacks (implants, see also SuperMicro) make this more expensive to mitigate, but again it is about fast response, confident and decisive actions to prevent the same attack succeeding again. Defenders have to force innovation on the attackers, make them pay for the research first, pay to keep running old attacks that don't work.

Living in the mountains of the US, there is a saying, "There are two types of people, those who have hit a deer and those who will." Same thing for breaches. And once you hit that deer, your driving habits change. Same for cyber strategy. In regulated environments, the companies expect their quick response to reduce the fines and focus. Sometimes it works. Regardless, they finally make the investment in cyber.

The question we should be asking is how to do we push companies to invest in cyber before a breach/incident? That is the magic.

It is a continuous race between organizations and attackers. One day the one side has an advantage and then the other. The week link is often not the IT-protection itself, but the human employee, as awareness is lacking. Often the sophisticated IT-protection could be bypassed by a low-tech-attack.

It's a serious of tubes.

Companies will stop having breeches when their hackers are smarter than those on the outside of the company. Attacks will continue but breeches should be manageable. Better sentinel monitoring powered by pattern sniffing AI will aid in the reduction of breeches but will not eliminate them altogether.

Data protection strategies against cyber attacks should be mandated simultaneously with the initiation of any business that is at risk of attacks. These companies should be severely punished when their lack of caring for the interests of their clients become less important that their profits.

Employers need to be plugged in at all times, without internet access at work, employees feel restricted - like mental prison, there is a need to stay connected-even at work. Accessing external websites at work requires better screening protocols.

Saw this today. Thought it might be helpful:

https://www.wired.com/story/worst-hacks-2018-facebook-marriott-quora/amp