The priority given to cyber-security in an organisation will vary with its sector, location, culture & applicable regulations.
In an organisation motivated by financial gains, the provision of cyber-security would require convincing the top-management to budget it --- & you may have the misfortune of having to do this.
In an organisation that must comply with government regulations, the provision of cyber-security will depend on regulations & their enforcement --- but these factors may be out of your hands.
@CISOScott, you're spot on about the inability of an organization to fill a gap that it's not even aware of. It's an essential step to perform a GAP analysis to determine where an organisation falls short, and then use this to develop & enforce controls that would address shortcomings.
While the ultimate goal of Information Security is to prevent things from going wrong, its implementation often depends on things going wrong to start with...