One thing that can be a challenge is the tendency to fight the last battle instead of preparing for the next one. For example, Sony had millions of users' data compromised in a well-publicised breach in 2012. It responded by taking a number of steps to prevent the same thing happening again. That's good, but if a company stops there it's not good enough.
Also, a company has to share what it learns from one breach with all the divisions/departments within itself. Because Sony has a very siloed structure, the Sony Pictures division learned nothing from SCE's unfortunate (and very costly) experience, and they had another huge data breach in that division. There have to be some procedures in place to share information across the company to improve security - each division can't act as its own fiefdom and effectively collaborate on security solutions.