It seems anymore, when you read the news, that companies are experiencing security breaches of the customers personal information and credit card data. The company assures customers that it is because the system recently got hacked or had a flaw which allowed someone into the system. I find that hard to believe.
You tell me that an IT department of a major company such as Target or Home Depot didn't realize they had errors in their security. That the problem just appeared and wasn't always vulnerable to attack. I find that hard to believe. Actually, the problem was always there but it wasn't a problem until something happened. Someone in the organization decided that it was an acceptable risk to take to leave the network security vulnerable.
Granted, there is always the possibility that the IT department didn't know there was an issue or that their server had been compromised, which makes them incompetent. So, either way the company is responsible for securing this data and implementing appropriate fixes before they become an issue. The problem with IT security is that no one wants to devote the money to apply what the IT personnel recommend. Since it is not a physical threat seen, most organizations only commit funds and programs that they can see a tangible result.
If the news tells us one thing it is, in today's business world IT security programs must be in the front of every business objective and must stay current with the technology as it advances. If not, then you put all the organizations data at risk and ultimately are lying to yourself and your customers when you say everything is secure.