I understand that isn’t what’s being suggested. What I’m suggesting is that there is perhaps a distortion of the common idea of who is “responsible” for something. I think the idea that fault bubbles up to the highest level in the chain of command is silly. Fault is distributed across the entire chain, and if we want to address this issue, we can’t ignore that.
To draw an analogy, if someone’s 16-year-old child is texting while driving and gets in a car accident, is their parent to blame? Most people could see that there is some fault on the part of both the parent (for perhaps not emphasizing enough the importance of safety while driving), and the child (for doing something they know is unsafe). And this fault exists in a continuum; maybe the parent told their child every day to not text while driving, and the child did it anyway. Maybe the parent never told them anything about safe driving habits, so the child had never considered that texting while driving was unsafe.
My point is that pretending that the highest C-suite executive is wholly responsible for everything that goes on in the company is extreme. Everyone along the entire chain of command has to do their part to ensure secure products are shipped - the executive needs to prioritize it, hire the right people to develop a plan, ensure people are enforcing the plan, etc., all the way down to the software engineers, the cleaning staff, etc. If one link in that chain breaks, the entire system fails, and it could be because of a weakness anywhere along the chain.
I agree with your view completely. There is nuance, and there should often be blame at multiple levels. At the same time, there is a basis for the common view, which is that higher ups create the incentive structures from which most things flow. If it turns out the incentives here were well made by the brass, I'd retract my jumped-to conclusion. But it rarely turns out that way, which is why I jumped to it.
To draw an analogy, if someone’s 16-year-old child is texting while driving and gets in a car accident, is their parent to blame? Most people could see that there is some fault on the part of both the parent (for perhaps not emphasizing enough the importance of safety while driving), and the child (for doing something they know is unsafe). And this fault exists in a continuum; maybe the parent told their child every day to not text while driving, and the child did it anyway. Maybe the parent never told them anything about safe driving habits, so the child had never considered that texting while driving was unsafe.
My point is that pretending that the highest C-suite executive is wholly responsible for everything that goes on in the company is extreme. Everyone along the entire chain of command has to do their part to ensure secure products are shipped - the executive needs to prioritize it, hire the right people to develop a plan, ensure people are enforcing the plan, etc., all the way down to the software engineers, the cleaning staff, etc. If one link in that chain breaks, the entire system fails, and it could be because of a weakness anywhere along the chain.