Re: I have no idea what the solution should be.
Perhaps it's just as simple as cost balance. Currently, security for biz is very much considered a 'necessary evil' - and 'cost-optimised' as much as possible. Until your business is hit that is, and all those savings go up in smoke. But if this business loss becomes significant and widespread, the system will need to re-adjust itself by investing more time and more effort, more... diligence. Not throwing money at 'security' (well, that will happen too), but spending money on solutions that work. Which generally goes with 'quality'. The system will have to try to solve this, at a point where the losses become too large for the management to ignore. Rather than delegating the shit down the ranks, i.e. 'something needs to be done, I don't care how and what!', something will really have to be done, because delegation and dilution of responsibility won't make this problem go away, quite the opposite.
Incidentally, the interview supported my opinion that all that talk in the West about evil! Russian! Chinese! regimes! controlling their evil! hacking! gangs! wreaking havoc! on innocents! is just bullshit used simply to drum up public support for the us v. them polarisation, and it's working in the West very nicely, likewise in the East. I'm pretty sure those evil regimes, like our peace loving democracies, have their own cyber-teams, and most likely control some hacking groups and use others, but not as widely as painted by Western governments. If anything, most probably it's the last option, a natural world symbiosis: as long as the hackers stay away from mother Russia's assets, they're given a free ride, and from time to time asked for special 'favours'. And it wouldn't make sense to refuse such favours, of course, as Russian oligarchs have found out.