In 2005, Sony Pictures Entertainment was audited to ensure the company was keeping in line with federal regulation regarding information security practices. The auditor found, among other things, that Sony had deliberately engaged in insufficient digital security practices...
If Sony were a bank, the auditor said, its lackluster security practices would put it out of business.
Sony’s then-executive director of security information Jason Spaltro pushed back: If a bank was a Hollywood film studio, he said, it would already be out of business.
“It’s a valid business decision to accept the risk (of a cyberattack),” Spaltro told CIO Magazine in 2007. “I will not invest $10 million to avoid a possible $1 million loss.”