• Firing the executive is not necessarily the right thing, because of the nature of security failures. Of course negligence is one thing, but often it's a matter of the company simply being outmaneuvered or outsmarted by a very clever adversary (after all, the US military and intelligence agencies have been successfully hacked).

    Security is a complex business. It looks like in the Marriott case, they acquired another chain. Even with due diligence (and there is a limit to how deeply you can go into another organization's system before a merger) neither organization knew about the breach until Marriott started to prepare to merge the systems. The stolen data was encrypted by the attackers and there was some time before it could even be determined what it was.

    Except in cases of negligence, a company's best option is to KEEP the good people, and bring in experts to resolve the issue, not perform a ritual sacrifice.

    ...

    -- FORTRAN manual for Xerox Computers --