The thing that became evident to me with this breach and the long-delayed response from Uber about their breach was that the following is one way to look at a company's ability to deal with the reality of the internet.
First, there is the overall company culture. If employees, top to bottom, care about the company, its mission, and what they are doing day to day, it makes it feasible to introduce a security culture.
Secondly, technical competence, top to bottom. Not understanding the importance of patching (didn't they tell Congress that it was too hard?), or the fact that your customer outreach web site should be part of your already existing domain, as opposed to a totally independent, easily spoofable domain that can even fool your social media guy.
Third, a serious security team. Penetration testing, security awareness training, logging/monitoring. But a crack security team is hard-pressed to overcome weakness in the other two.