PPRuNe Forums - View Single Post - Sony Pictures, NK Hackers
Old 19th Dec 2014, 16:49
mixture
There's money to be made by folks like Mixture
I think what Sony demonstrates to us is the importance of regular penetration testing by a competent independent third-party contractor.

In regulated industries (e.g. finance and healthcare) pentests are largely becoming the norm because the alternative of the increasingly tech-savvy regulator breathing down your back and issuing eye-watering fines is not an attractive alternative.

In "unregulated" sectors, the extent and quality of pentesting and general IT security awareness varies widely.

When you get to an IT infrastructure the size of Sony, and especially if you are operating significant IT infrastructure under such an attractive brand, you do need to constantly work hard to keep on top of things ... both in terms of security itself as well as security-related matters such as software updates and staff awareness. It's not impossible, but it's hard work and requires buy-in from everyone board level down.

On one hand I feel sorry for Sony because I know just how easy it is for one small overlooked item to provide an exploitable point of entry. I've seen exploits at secure facilities where pentesters demonstrated an exploit leveraged over a WiFi network that was on a separate network to the main networks; they were able to show the board CCTV footage from the facility ... all down to the pentesters making use of a vulnerability because someone hadn't updated software on something.

On the other hand, given the financial and staff resources available to their CIO and CSO, it is somewhat inexcusable ... ESPECIALLY as the Sony brand has already been attacked elsewhere in recent years (e.g. the PlayStation saga); that should have been a bit of a wake-up call.