Mentioning standards and security audits makes me cringe in their current state. Certainly agree with you that they'll help, but many are draconian. Things like physical access lists when you use cloud services... or policies on tape backups. :)
I'm hoping that they'll evolve toward slightly more sanity than insanity.
Some institutional laws suggest that this is wildly optimistic on my part. Security theater exists because bureaucrats and legislators want to appear to be doing something. Vendor-based solutions are mandated because vendors have political clout. Effective tools are difficult to deploy in real-world scenarios -- filled with failing devices, intermittent communications, poor training, and worse end-user understanding.
