I'm not so sure (yet) there is a correlation between getting a CAE designation and being hacked/compromised. Some time ago, we had a hit on a phone server that we were decommissioning. But because I am generally security paranoid, I had cordoned that server from the rest of the population, since external contractors would work on it. This was the REvil Kaseya breach from June-ish of last year. Contractor left the door open and our server got breached. It could have been a lot worse, but #paranoid. That doesn't mean my measures were anything special - I think we just dodged a bullet. There's probably another one out there right now, just waiting to be fired off and it scares the crap out of me, and that's even after doing a NIST 800-171 sweep checklist of the network some time ago.
One of my personal security commandments (and some would argue with me) is that security by obscurity is not security at all. I still believe this because of bots and various tireless threat actors in various regions of the world. Like, why would the Russians seek to compromise a small, 1200-student college like us? Because we were another target in a long list of IP addresses out there. We were deluged last year by DDoS attacks (and still get them) because we turned on a fiber circuit, ranging from 2500 - 30000 zombies attacking our internet pipe. Why? Because we're out there.
You're always a target, regardless of whether you have a badge of excellence or not.
In my experience, few organizations really spend the amount of money that they need to spend for a level of cyber protection - instead, transferring the risk by getting cyber insurance. More and more, we see one person covering multiple buildings and campuses. And in higher ed, as we've talked about here on CIN, getting qualified people in to teach and work is a challenge because there's no real money in education (despite what the detractors of proprietary education say). IT has to work from a shoestring budget and hope that countermeasures put in place will alleviate enough risk to make one be able to sleep at night.
If you take a school like Lincoln or Western Adventist that has less than 1000 students, I can almost guarantee that they may have one or two active IT staff for the school. Not nearly enough to cover everything. And the hackers know this, all too well.
I suspect a designation like CAE will help when negotiating premiums for cyber insurance, or it may not. But I can also surmise that it can create a false sense of security.
/r