Start talking about threat modeling and legal defensibility.
Stop using ad hoc approaches to security architecture and solutions.
Start adopting a holistic, systemic ISMS-like approach.
Stop delegating ownership of security to IT or other non-business leadership.
Start requiring execs and the board to directly own and be responsible for security.
Stop relying on shortcuts to survive audits.
Start demonstrating actual due diligence by adopting a reasonable standard of care.
Start thinking of security as a business enabler that supports better decisions and helps protect the business in good times and bad.