I think it is creeping out of the shadows but believe that is being caused by all the noise, etc. being generated by Ransomware and a lot of the new regulations that are now facing organizations (GDPR, CCPA, HIPAA, etc.). Sarbanes-Oxley started us down the path but the latest additions have pushed us over the top.
In the past, we could talk to management about Security and the issues (the risk, the threat), etc. and were mostly ignored. We did get attention if there was a breach (either ours or close to home) but then when the buzz died down so did the funds and the attention.
Board audit committees are actively asking questions about how organizations are protecting themselves and staying within the letter of the law.
Hell yay. Some years back the decision-makers in environments I worked in would see Information Security as an unnecessary expense --- their usual attitude was 'leave well enough alone' or 'if it isn't broken don't fix it.'
Nowadays, it's seen as essential, particularly because regulatory authorities mandate it --- at least where I'm based right now. (Saudi Arabia)
In the event of attacks on the IT infrastructure, the stakeholders may have to justify the inadequacy of compliance with IT security requirements.