Ponemon Institute did a study of IT security in the energy industry. 75% admit to having suffered a data breach in the last 12 months. 71% of IT Security executives at global energy producers state that their executive management team does not understand or appreciate the value of IT Security.

Some would say this is criminal negligence. Perhaps not criminal, but clearly negligent. Meanwhile, in Massachusetts, failure to maintain good IT security practices, including plugging security holes that result in data breaches, now brings big fines. Is that really what it is going to take to get organizations to take IT security and privacy seriously?

Maybe we need a “Sarbanes-Oxley” for CIOs. That idea makes my skin crawl, but I do sometimes feel like you need to hit people over the head with a really big club before they take something seriously.