John Carlin, former assistant attorney general for national security at the Department of Justice (DOJ), was working in government when the Office of Personnel Management (OPM) was the target of a massive hack in 2015. And Carlin noticed a troubling trend–the cabinet leaders didn’t understand the security risks associated with their system’s weaknesses.

When OPM was attacked, more than 20 million personal records were exposed. OPM was hacked twice, and the attackers gained access to information such as social security numbers for past, current, and future employees.

SEE: Security awareness and training policy template (Tech Pro Research)

When President Obama tried to call the cabinet leaders into a meeting about the hack, it took three separate tries to get them all to show up. They simply didn’t understand the weight of what was happening.

Despite the lack of oversight in certain government entities, Carlin said that he sees the same thing among business leaders. IT specialists may understand the threat landscape, but many business leaders don’t. And where the government may be trying to provide safety and security for citizens, for businesses, the risk is against your core offerings.