While there’s a lot of talk about cybersecurity being a top priority among high-level executives, something’s missing from the conversation, and it’s detrimental to the health of an organization.

A new report, published by AttackIQ and conducted by Ponemon Institute, surveyed 577 IT security practitioners in the United States who are knowledgeable about their organizations’ IT security strategy, tactics, and technology investments. The report found that those in leadership positions aren’t playing active roles in ensuring the effectiveness of cybersecurity strategies, which sends the wrong message to the organizations they lead.

Instead of being proactive, many high-level executives are putting their companies at risk by simply reacting to security breaches as they arise, ignoring contrary advice from IT professionals.

Without the proper security precautions in place ahead of time, a cyberattack is more likely to cause significant damage to a company’s IT infrastructure. Despite this, many organizations aren’t heeding the continued warnings from cybersecurity professionals about proactively mitigating risks.

Blatantly ignoring common practice and carelessly putting themselves in harm’s way, sixty-nine percent of organizations are taking an incident-driven approach to cybersecurity strategies, according to the study. The IT professionals within these organizations don’t drive this mindset; it’s pushed down from the top, from the board of directors and senior leadership team members, many of whom lack a clear understanding of what’s necessary to secure networks and systems in an ever-evolving threat landscape, one growing increasingly complex by the day.

Even though it’s evident these high-level executives are implementing counterintuitive cybersecurity policies, they’re aware of their shortcomings. Seventy-one percent of them admit they have gaps in their knowledge on main cyber threats facing businesses today, according to a survey published by Nominet. Their organizations’ IT infrastructures are suffering. As a result, they are remaining vulnerable to the countless number of cyber attacks launched daily.

Fifty-six percent of these IT security infrastructures have gaps in coverage, which makes it a lot easier for cybercriminals to exploit these systems and networks, according to AttackIQ’s report.

Until there’s a breach, board members and senior leadership typically aren’t actively engaged in cybersecurity discussions at their organizations. While 63 percent of IT security leadership members at organizations don’t meet with their boards regularly, 40 percent don’t report to their boards at all, according to the study. This lack of urgency on cybersecurity issues trickles down throughout their organizations, indirectly impacting how their IT security leadership teams monitor and measure their IT security infrastructures.

For IT professionals, being able to assess risk posture is key to properly protecting an organization’s IT infrastructure from internal and external threats. Without the proper tools, IT professionals are unable to generate adequate and accurate information on IT security posture, which puts their organizations at risk; instead of closing security gaps, these IT professionals have their hands tied, but more importantly, their organizations’ IT infrastructures are not secure — prone to cyberattacks.

Unfortunately, this is common among organizations. Forty percent of IT security professionals in organizations don’t track IT security postures at all, according to AttackIQ’s report. Even when they have measurement and metrics tools, IT security professionals aren’t satisfied with the results.

Often, the tools aren’t up to their standards. For instance, only 24 percent of IT professionals believe the measurement and metrics program their organizations are using are mature enough, while another 30 percent claim they’re using partial metrics programs, neither of which is satisfactory.

Leaders at the top need to play an active role in ensuring their IT professionals have what’s required to ensure the proper cybersecurity strategies in place to protect their organizations from malicious actors looking to infiltrate their networks and systems.