
There's a great deal more than just regulations. I'd argue that for one line item of regulation in most poorly organized enterprises (most) you will get at least 10 jobs of bureaucracy to help track it not because of the regulation but because the culture of most companies is about disempowering employees from making decisions as much as possible. This is why the cultural definition of "devops" invoking Deming and empowering workers to make decisions closer to the problem site to me is literally against the existing company culture of Taylorism and sales where managers are worshipped for decision making.

Nobody really fined Target for its data breaches - pretty sure that PCI audits had passed repeatedly, in fact. Their stock easily recovered as well. So why are big companies so worried about security? Because breaches are a drag upon everyone and slow down features and improvements. I'm familiar with environments where change freezes are enacted for months after every critical outage, and nobody's regulations say to do anything like that. That's purely a belief in the false equivalency that stability and development velocity are antitheses. Gosh, someone tell Google and Amazon to fire their SREs and stop deploying any new code to get better availability numbers!



> the existing company culture of Taylorism and sales where managers are worshipped for decision making.

Is there an actual word for this type of management stupidity?


Banks get fined for data breaches. Regulators will also fine banks for not having clearly documented and auditable release procedures.



