Often the value is only apparent when stuff goes wrong - “wow we’re lucky we made folks use 2FA because it saved our business” - but if you do it right you hopefully don’t end up with stuff going wrong and then also not reveal the actual value of prevention.
So you end up in a weird sort of limbo of “that will never happen to my company!” Until it does. Then it’s top priority and “why were we not doing this all along?! Our people are idiots!” Except the people saying that were also the people that dropped the security budget and cancelled the security projects and initiatives.
