Cybersecurity is the responsibility of everyone. Unfortunately, a lot of people either do not understand their role or maliciously ignore it. I wrote an essay a few weeks back proposing mandatory training for everyone to have or use an Internet connection. This would help mitigate a number of cyber crimes. On the IT “department” side of everything, professionals should have additional, continuous training to ensure we are able to combat the ever-evolving attack vectors. While industry-standardized policies and procedures are a good start, the ability to easily change them is also necessary. Along with training and flexibility, we have to run continual testing on our defenses. The results from the testing will allow for feedback into our policy and infrastructure road map. Testing and the feedback it provides allow us to ensure our policies do not become complacent and stale.
On a more personal note with regard to national and state cyber-policy, I find it extremely reprehensible that the individuals who make said policy are more often than not completely ignorant of the technology they are regulating. This leaves them open to being swayed to one side of the conversation, often with a sizable sum of compensation to persuade them that way in the first place.