> OP's a realist. His perspective has nothing to do with how a company values security.
Of course it does. The stick is not big enough, so CSOs just do not care enough. Increase the size of the stick and it would split the group of CSOs into two:
1. Those who, like OP, will run away saying "I'm not going to put myself in the line of fire if crap gets hacked". We need broomsticks for those.
2. The ones that will say "OK, two years", do their best and probably succeed.