Which IT person would you blame? (Score 2, Insightful)

Seriously, having worked in IT Security for some time and done numerous "compliance" projects. Compliance takes time and costs money. Too many times I have been told "we just don't have the money for that this year." Corporations commonly engage in the 'risk' game where they risk it for as long as they can. Until the bank stops taking their credit cards (in the case of PCI Compliance) or there is an actual public breach - the risk is quite low. I'm not against criminal charges but they should be levied on a corporate officer and not the rank and file IT person. This person has zero responsibility for the financial decisions required to keep data safe. I make recommendations until I am blue in the face but until management realizes the risk to them - they won't touch it with someone else's ten foot pole.