Re: I don't know about licensing
Fair point... but companies fail to listen all the time, and if the monetary damages were low enough per incident, they might still have the incentive not to invest in proper controls.
If you read the document, one of the points the insurance company alleges is that anonymous FTP was left open to the Internet, and people were able to just walk in and browse the filesystem. That's amateur hour, not some sophisticated attack requiring probing of OS components and crafting just the right magic packet to trigger a vulnerability, or an elaborate trick requiring smuggling hardware into the network. It just smells like what I experience a lot: an underpaid, stressed-out consultant, making a tiny percentage of his company's bill rate, making a dumb mistake simply because they have no incentive to do it right.
So, I say that IT and SW development should be split into technician class and engineer class positions. Technicians do what they do today, fix bugs, monitor systems, support users. As they gain experience, they gain responsibility and salary. When they get to the licensed engineer stage, they prove they have a minimum amount of education and experience, pass an exam, and get assigned the big-boy/girl work. With that power and money comes the responsibility of being liable for screw-ups, something that is sorely lacking today.