Facebook’s security chief has told employees that the social media giant needs to improve its internal security practices to be more akin to a defense contractor, according to a leaked recording obtained by ZDNet.

Alex Stamos made the comments to employees at a late-July internal meeting where he argued that the company had not done enough to respond to the growing threats that the company faces, citing both technical challenges and cultural issues at the company.

“The threats that we are facing have increased significantly and the quality of the adversaries that we are facing,” he said. “Both technically and from a cultural perspective I don’t feel like we have caught up with our responsibility.”

“The way that I explain to [management] is that we have the threat profile of a Northrop Grumman or a Raytheon or another defense contractor, but we run our corporate network, for example, like a college campus, almost,” he said.

Stamos added: “We have made intentional decisions to give access to data and systems to engineers to make them ‘move fast’ but that creates other issues for us.”

The security chief also said that the company had issued a report on where the company stands from a security perspective, in what he described as a “very painful process.” He said the report will be updated every six months, when the management team are briefed on its contents.

The comments were part of an internal talk to employees during which he discussed the challenges Facebook had with keeping its networks secure, amid a growing danger of state-sponsored actors and advanced persistent threats, which in some cases have near-limitless resources.

For his part, Stamos, when reached, said that he had used the “college campus” line several times internally to describe challenges that the company faces, and used it as a figure of speech.

“My team runs network security for the company, and of course we secure it thoroughly,” he said Thursday.

Stamos denied that the comments were a criticism of the company’s management. “They care a great deal,” he said. “It’s not a criticism of anybody, just a statement of why our team needs to be creative in how we protect our corporate network.”

“Tech companies are famous for providing freedom for engineers to customize their computing environments and to experiment with new tools, frameworks and development processes,” he said. “Allowing for this freedom helps creativity and productivity, but we have to weigh that against the fact that we have become a potential target of advanced threat actors. As a result, we can’t architect our security in the same way a defense contractor can, with extremely limited computing options and no freedom.”

“Keeping the company secure while allowing the culture to blossom is a challenge, but a motivating one that I’m happy to accept,” he said.

In fairness, Stamos isn’t wrong. Facebook likely has more citizen data now than most governments, making the social network as much of a target today as defense contractors were ten years ago.

But while Facebook may not be storing plans for spy planes and autonomous drones, private citizen data is a commodity, the social network has billions of people’s data, and nation states are hungry for it.