@Steve Keller part III
"no standards for real data security"???? Has anyone ever bothered to look at RFC2196? Google it if you aren't familiar.
The CISO must build a team that feels empowered to make the right choices when it comes to security basics. Shifting blame from Net Admin to CISO does not make sense either, though, as Security is a collective function of several moving parts.
Insofar as JC Penney's culpability, they are still responsible for the data even if handed off to a third party.