by libdjml 2991 days ago
This is a huge unsolved problem in journalism: reporting whether a company was wildly negligent and deserved to be punished, or did the right things and fell victim to “no org can be bulletproof”.

Some standards like PCI attempt to do this, but to date they have no real teeth. GDPR may be the change we need.

I have deep concern that C-levels will learn that breaches don’t matter, just have a CISO you can behead and replace when it does.


There are certain things that are, collectively, patently negligent: storing passwords in plain text, not salting passwords, not using, at a minimum, software firewalls, etc. Those are fairly boolean. It's also fair to assume that any company that is hit with a 0-day is not negligent; even the best prepared companies are susceptible to them. So there are some decent guidelines to rely upon to demonstrate negligence, or not, at the extremes. Of course, in the middle it does, admittedly, get a bit gray. But the teeth that come into play would look exactly like GDPR.

Yes, I agree completely, that C-levels will see that the CISO is a replaceable widget that is nothing more than a scapegoat.
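The reply above names "storing passwords in plain text" and "not salting passwords" as the clear-cut, boolean end of the negligence scale. The Python below is an added illustration written for this page, not code from either commenter: it puts the two negligent storage shapes beside a salted, iterated one (PBKDF2-HMAC-SHA256 via the standard library) and shows the property that separates them, namely whether two users with the same password end up with identical stored records. The record layout, the `store_*`/`verify_salted` names and the 600,000 iteration count are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed iteration count for PBKDF2-HMAC-SHA256 (example parameter, not from the page).
PBKDF2_ITERATIONS = 600_000


def store_plaintext(password: str) -> dict:
    """Negligent shape named in the comment: the password itself is the stored secret."""
    return {"scheme": "plain", "secret": password}


def store_unsalted(password: str) -> dict:
    """Also negligent: hashed, but unsalted, so equal passwords yield equal digests
    and one precomputed table serves every account."""
    digest = hashlib.sha256(password.encode("utf-8")).hexdigest()
    return {"scheme": "sha256", "secret": digest}


def store_salted(password: str, salt: Optional[bytes] = None) -> dict:
    """Per-user random salt plus a deliberately slow KDF; the salt is stored
    alongside the digest because it is not a secret, only a uniqueness guarantee."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return {
        "scheme": "pbkdf2-sha256",
        "salt": salt.hex(),
        "iterations": PBKDF2_ITERATIONS,
        "secret": digest.hex(),
    }


def verify_salted(record: dict, password: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        password.encode("utf-8"),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    return hmac.compare_digest(digest.hex(), record["secret"])


def same_password_same_record(store, password: str) -> bool:
    """True when two independent users choosing the same password get identical
    stored secrets, which is what lets one leaked record unmask every other."""
    return store(password)["secret"] == store(password)["secret"]


if __name__ == "__main__":
    # Constructed sample password for the demonstration.
    pw = "correct horse battery staple"
    for name, store in (("plaintext", store_plaintext),
                        ("unsalted", store_unsalted),
                        ("salted", store_salted)):
        print(f"{name:>9}: identical records for identical passwords -> "
              f"{same_password_same_record(store, pw)}")
    rec = store_salted(pw)
    print("verify correct:", verify_salted(rec, pw))
    print("verify wrong:  ", verify_salted(rec, "wrong password"))
```

Run as a script it prints `True` for the plaintext and unsalted stores and `False` for the salted one; the verify lines show that the salted record still authenticates the right password and rejects a wrong one.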