This article has some good points...

but what I liked best was the grand finale about the author blurb:

Jon Espenschied has been at play in the security industry for enough years to become enthusiastic, blasé, cynical, jaded, content and enthusiastic again. He manages information governance reform for a refugee aid organization, and continues to have his advice ignored by CEOs, auditors and sysadmins alike.
I feel your pain. Auditing and information security is way too lax in this country. It is an esoteric topic that the end user doesn't get so it can be swept under the rug by politicians (or maybe they don't understand it either). People in organizations don't know enough about it and trust people who don't want any more work or look ignorant to do to tell them everything is just fine.