[IndPhysiker]

Information security is a boondoggle for high levels anywhere as there are no repercussions for failure. Neither CEOs nor high level government officials give it the respect it is due because it is expected and they can all point the blame somewhere else and feel no pain. Compare export control laws that have individual implications that a company cannot cover in the case of a violation, while cyber security breaches have no similar penalty. If a law were made to impose fines of 2-3 times the total compensation package of C-level management for one or more years including unvested stocks and unexercised options, then I'm sure we would see security departments expand rapidly as a CYA. The buck should stop at the top, but without laws to force the issue, it won't.