Worse, the "upper management" will assume it was a talent / investment problem since "they sunk so much money into security". Oh that darn booming industry.
"To think we paid those security consultants so much money to protect our completely unencrypted and exposed database and we still got hacked.
And they had the nerve to suggest we replace this unencrypted database, which an old legacy system needs entirely open root access to, with something secure for an eye-watering bill - we don't hire security consultants to replace our legacy systems, we pay them to stop unauthorised people accessing the big pile of data we leave in the open.
Get the gall - they even wanted us to change the interface between our two big legacy systems because it was just a CSV file which contained all our sensitive data on it. Wimps! Especially as we told them they could do anything to make our systems secure, as long as they didn't touch those legacy systems."