And I don't envy their position at all. CIOs have never been given the authority to say "no" to new technology and quickly find themselves looking for work if they have the cajones to tell a CEO they're daft for wanting to implement BYOD in order to save a buck or two. Yet, who's in the hot seat when they implement all the things the CEO and board members want them to do and the shit hits the fan? It sure isn't the CEO or board. Throwing more money at security won't do a damned thing to fix it. What needs to happen is CIOs should be given absolute authority when it comes to their networks and company assets. CEO wants to use his personal phone on the network? No. Sales staff wants new iPads to connect remotely from the field? No. Any request that impacts the performance and security of the network should never be left to the CEO as the final decision making authority. Invariably, the short term impact on the bottom line is going to be the deciding factor which will most likely bite them in the ass in the long run. We're going to continue to see these breaches, and all across the nation, board members are going to scratch their heads, gnash their teeth, and wail that they don't understand why it happened. They only need to look in the mirror to see who's responsible.