
Didn't this happen to Sony already once before?


Many times. Before the first high profile hacks (that I remember) in 2011, Sony's CTO made a career of giving high profile talks about, essentially, reducing your IT budget by not doing security. Don't do pentests, don't do audits - they only uncover issues for your teams to fix! Certifications are an industry that sells you problems, he said. Ignore and skimp on the whole thing. IIRC there was even a great talk about how to ignore your engineers when they say something is urgent.

He didn't get fired after the first round of hacks, and he wasn't fired after the 2014 round either. I wonder where he is now?


See also:

"Your Guide To Good-Enough Compliance" (2007)

https://www.cio.com/article/272225/risk-management-your-guid...

Noncompliance is a fact of life as the list of security and privacy regulations grows. The key is knowing how to comply just enough so that you don't waste your time or bankrupt your company.


Hence privacy fines became the way Europe now extracts its fair taxes from Big Tech.


Sony are still in business


The person this seems to be referring to, according to info in the article posted in a sibling comment and a Time article [0] about the 2014 hack, is Jason Spaltro, executive director of information security.

An interesting piece of info in the Time article is that Sony only had 3 people working on infosec, excluding managers.

[0] https://time.com/3620288/sony-hack-unprepared/


Can you, uh, provide evidence and a name? That's some inflammatory stuff there!


Not so inflammatory at the time. Those were wild days. Someone else posted his CIO article about "just enough compliance", but IIRC there were talk summaries and interviews around, too.

And for the comedy factor: those hacks were dictionary password attacks against leaked usernames, and a plain text file left lying on an open network share with key credentials. Not exactly Ocean's Eleven.


I'd love to see those talks too, because stuff like this needs to be preserved. Not to shame individuals but for the history of comedy in general.


They were not entirely wrong about the certifications, to be honest; there are a lot of useless certifications. In general they were very wrong though.


Way more than once. I think this would be 5 or 6...

Edit - Depending on what you count, this appears to be number 7? https://firewalltimes.com/sony-data-breach-timeline/


One more and we all get a free month of PlayStation Plus!*

*with purchase of a 2 year subscription
