Not a bad read, but interestingly it seems to focus more on boards than C-suite/senior management, which I find to be a good thing. In my experience, having worn the hats of employee, consultant, manager, and board member, the biggest challenge is getting security up to the board level so that it can be propagated as policy. Sure, you can try to do things at other levels, but these efforts/focus eventually stall. The problem is if you do get to the board, the board response is "oh that's someone else's problem." It's not just security, by the way. Boards just fail to understand policy and think in terms of strategy rather than operations or ad hoc decisions.
A lot of that reflects the nudist colony of boards and C-suites, where they think they are clothed in magnificent knowledge and insight and yet have little command of organizational governance. Part of that is ego - when you have a group of business "all stars," they can be the worst team - but I think a larger factor is no one is teaching or even respecting governance anymore. It's "ends justify the means" capped off with a speech loaded with smoke-and-mirror phrases like "collective synergies," "social equity," and "strategic pivoting."
Granted, that is a sweeping, curmudgeonly generalization, but I think the challenge experienced by many organizations is that boards don't understand their job but neither do they want to be told what it is.