The naked truth of #cybersecurity

@beyondmachines1 Unfortunately, there's also "who'll install a vendor solution which ticks various boxes but in actuality reduces overall security within the organisation?"

I've seen a lot of "install vendor X $$$$$ virtual platform solution which ticks off boxes A, B and C in our consultant-supplied checklist of buzzword compliance" followed by "we don't have money to do basics such as setting up certificate management or enabling HTTPS on our website".

@psa @beyondmachines1
But LEGALLY you are more secure.

Sadly, the legal department has not yet grasped that the bad guys don't honour contracts.

So yes, you might have a great contract with a 3rd party to keep you secure, but it's irrelevant if the 3rd party is incapable of keeping itself secure. (And having 100 Fortune 500 customers depend on them for their IT security puts basically targets on their backs for state-backed bad boys. Oops.)

@yacc143 @psa here's the pinnacle of useless legalism:

Australian law firm HWL Ebsworth obtained a court injunction to stop anyone touching the stolen client and employee data.

The criminals don't really care whether there's an injunction or not - they have already committed to being criminals.

The legal injunction just hampered the investigation of the event and transparency of learning more about it.

But, the lawyers did the lawyering!