Re: Oh dear. Same old tricks still working.
CIO is probably not the problem. The CIO on their own is likely not sufficient to enact change as they still need to rely on budget approvals from other people. The CEO and the entire board of directors (including the chairman) need to be liable. Only then will things START to change.
I am starting to think that people who say antivirus/antimalware/IDS and IPS are the wrong solution are correct. Antivirus/antimalware only work once the signature of an attack is known. Most IDS and IPS are set up the same way: look for known attack traffic and then respond.
No, you need to set up your systems to allow known legitimate traffic/files/applications and block everything else (i.e. whitelist good stuff, not blacklist known bad stuff). Only then will security start becoming effective.