We’ve got a serious problem in this industry. Not the kind that shows up on a risk register or a compliance checklist. I’m talking about the complete lack of real accountability when information security fails.
The Same Old Story
Massive breach?
No worries. Slap together a PR statement filled with buzzwords (“sophisticated threat actor,” “zero-day vulnerability,” “we take your security seriously”), toss a CISO under the bus, and hope it all fades from the headlines.
And it usually does.
People’s personal information gets exposed. Systems that run critical services go offline. The impact is real. But the people responsible? They walk away unscathed, land cushy jobs elsewhere, or just wait for the heat to die down.
That’s not justice. That’s theater.
Why Does No One Pay the Price?
Because the system was never built for accountability. We’ve created a culture where:
- Leadership ignores risk advice and no one bats an eye.
- Security teams get blamed for failures they had no authority to prevent.
- Compliance gets treated as the finish line instead of the baseline.
- Executives and board members hide behind ignorance and legal teams.
We’ve allowed this to become normal. It shouldn’t be.
The Law Is Outdated and Toothless
Part of the problem is that our laws haven’t kept up with reality. Most of the legal frameworks around data protection and cybersecurity were written decades ago by people who had little to no understanding of how technology—or security—actually works.
The result?
- Companies follow the letter of the law, not the intent.
It’s all about minimum effort for maximum cover. If it’s not required, it’s not done.
- The legal community is mostly clueless.
Judges, lawyers, regulators—most of them don’t understand basic information security principles. That’s not an insult; it’s just the truth.
- “Negligence” is a gray area at best.
What does it even mean to be negligent in security? Is it ignoring basic controls? Is it failing to patch a system for a year? Nobody agrees, and that ambiguity protects the wrong people.
Meanwhile, companies keep shipping garbage software riddled with vulnerabilities, and no one is held accountable for that either.
Big Tech Gets a Free Pass
Let’s talk about software.
Some of the largest, most powerful companies in the world build products that are fundamentally insecure. They know it. We know it. But they do it anyway—because it’s cheaper, faster, and easier to sell. Security gets bolted on later, maybe.
Where are the consequences?
- When insecure software becomes the entry point for a ransomware attack?
- When a critical system goes down because of a known flaw that was never fixed?
- When millions of users are impacted because someone prioritized speed over safety?
Crickets.
These companies aren’t just cutting corners—they’re profiting from them. And we let them.
So, What Do We Do?
Fixing this won’t be easy, but it starts with telling the truth—even when it’s uncomfortable.
We need to:
- Define accountability clearly. Not in some abstract sense, but in practical, enforceable terms. If you make decisions that lead to failure, you own the outcome.
- Give CISOs real authority—or stop blaming them. You can’t have it both ways.
- Stop pretending compliance = security. Most major breaches happened at “compliant” organizations. Enough said.
- Update the laws and educate the legal system. We need rules that reflect today’s threats, written and enforced by people who actually understand them.
- Start holding vendors and software makers accountable. If you build unsafe products, there should be consequences. Period.
No More Excuses
Security failures keep happening because we let them. No one’s watching the watchers. No one’s holding the right people accountable. Until that changes, nothing else will.
You want to fix the industry?
Start here.
– Evan
P.S. Poor choices have consequences. This post has become the foundation for Episode #27 of the InfoSec to Insanity podcast. Watch us record the show LIVE on Thursday night and share your thoughts. It will definitely be interesting, if not entertaining!
