Regarding what InfoSec people and CISOs should do differently to evolve/change/adapt more effectively, we could start by including some “meta-metrics” for organization learning, agility, etc.

I gave a presentation at Metricon a few years ago on this topic: “”Security Meta Metrics – Measuring Agility, Learning, and Unintended Consequences” http://meritology.com/resources/Security%20Meta%20Metrics.ppt . It includes some specific ideas for such metrics, but really almost any metric will be better than the willful ignorance that most security organizations have today about continuous learning.