[danpalmer]

Pentesting and auditing aren't great solutions here. They can be useful on small scopes but a big system like this, it's unlikely to be hugely impactful – it will find things, but who knows if it finds enough.

In the UK in the wake of the 2008 banking crisis, a number of positions in banks became criminally liable for issues under them. If you're director-level or above (I think?) then you may be ultimately put in prison for negligence or issues like that which occur in your department. This is rare, not sure if it's been used yet, but it effected a cultural change in consumer banking as a bunch of execs suddenly had their necks on the line if someone under them did something wrong. I don't believe this is too hard-line in practice, I think a defence is "look at all these reasonable steps we take, we couldn't have foreseen this", but it had the impact (source, a good friend of mine is bordering on this level in a UK bank).

I wonder if a similar thing could work in a wider way across more industries - not with the intention of criminally punishing lots of people, but with the aim to change the culture around responsibility to the public and other stakeholders in the work that we do.