At the moment I am studying for the CISSP (Certified Information Systems Security Professional). The CISSP is a high level security cert, and here is a direct quote:

"Security governance is not and should not be treated as an IT issue only. Instead, security affects every aspect of an organization. It is no longer just something the IT staff can handle on their own. Security is a business operations issue. Security is an organizational process, not just something the IT geeks do behind the scenes."

It goes on to emphasize that senior management must be engaged in business security and that they have the ultimate responsibility, not the IT department.

This dude received compensation in the tens of millions, yet apparently didn't understand how a critical part of his company operated. To me this is a clear failure of due care. This CEO should man up and take responsibility. You get paid crazy money for a reason.