Once upon a time, I was told by the Head of IT (a Vice President, in fact) that my job was to make sure the company did not get HACKED. The words were "Don't Get Hacked."
Needless to say, that same VP didn't like my designs, nor did they get implemented. Since that time, that company has been hacked through the SolarWinds compromise (Russia), the Exchange hack (China), and the Pulse Secure hack (not sure who is taking credit for that one yet), and those are just the public ones we have heard about.
So when someone in executive management says "Don't get hacked," it really is just public relations; they don't actually mean it. Did said VP get fired? No. I'm sure that person even got their bonus.
Even with 100 or 1,000 people in security trying to do the right thing, all it takes is one senior executive to undermine the work of millions of man-hours.
Just like we have SOX for finance, we need a "SOX" for IT security, with criminal punishments to hold people accountable. The unfortunate (or maybe fortunate?) thing is that we haven't hit that MCI/Enron critical meltdown yet to make it happen. It is going to be a scary day when something the size of the MCI/WorldCom/Enron failure comes to IT. Is it something that can even be recovered from? We are past the time to act; we need current laws enforced with hard penalties (HIPAA and the HITECH Act are currently only used to give a slap on the wrist, if that).
Something to ponder: spend millions, even billions, on security, and one person can undo all those efforts with no consequences.
Read more at Woods LLP