GDPR/NIS Directive Fines… it forces those who don’t do anything to at least do something?

Did you know that I recently informed — a few months ago — the Chair of the Board of a significant organisation that there was a major security risk on their infrastructure, and that it would put citizen’s data at a major risk. I am still waiting for a reply. I thus still believe that some executives do not take Cyber Security seriously, and want just sweep it away because it is too technical for them. So is there an increasing tension between the CEO and the CTO?