Manure rolls downhill Since I live on a horse ranch with some slight hills, I can attest this to be true. At least, it's true for horses and it's true for short distances. Manure isn't very friction free and often ceases movement quickly. The same isn't likely true for bull droppings, but I haven't done much testing in that area.
Most of us would agree that those that are negligent in their jobs, especially with regard to security, ought to be punished. In some cases, this should lead to termination, though I think many of us technical people would prefer that management who doesn't budget resources for security be the ones punished.
I mentioned manure rolls downhill, and this article on the after effects of data breaches bears that out. Not only were there record numbers of issues last year, but the typical cost is nearly $4million. That's likely some very expensive breaches and lots of relatively inexpensive ones, but even the low cost ones probably feel expensive to small companies that experience them. In the lists of breaches I've seen, lots of smaller firms (retail, law, etc.) are included, and tens of thousands of dollars might be expensive for them.
One thing that article points out, there are an increasing number of C-level executives being terminated after breaches. I'd like to think that's good, but I'm somewhat pessimistic that the next hire will find ways to improve security. There are lots of impediments to fundamental change in more organizations, so I suspect this trend leads more to short term employment for CIOs and others, and likely higher demands for salaries because of the risk of security issues inside the company. The further puts pressure on budgets, which is another impediment to better security.
Note that it's not just IT execs, but non-IT staff as well. Maybe I'll be wrong and this will make a difference. Of course, IT staff are let go as well, often blamed for issues. There will always be some security issues, but I urge those of you with privileged accounts and access to sensitive data to be careful with your credentials and work to improve security when you see issues. Get written documentation when someone doesn't allow security changes, in addition to noting your requests. This might not stop a data breach, but perhaps it will give you a better chance of not being blamed for security incidents.
