"brought cybercrime to the forefront of discussion among CEOs and boards of directors"
What hasn't joined 'discussion' yet at that 'forefront' is the Board's recognition that, without application of substantial resources, most organisations remain wide open to even quite trivial attacks. The myth of the "sophisticated adversary" is, for most victims, just that -- a myth.
Until infosec is properly funded and fully integrated into the corporate risk strategy, there's little point in focusing on the perps. Until then, what's needed is recognition of, and response to, the fact of being still a soft target.
Interestingly, the new version of the NIST Cybersecurity Framework, released on Feb 26th, is the first version to incorporate a governance function. Since the framework was first released in 2014, it's only taken a decade for this to register as necessary. This does typify the fundamental problem, doesn't it?