Your legacy will not being stopping the APTs or bringing an end to ransomware, it will be to leave the nation a little bit smarter and a little more capable than it was before you got there.
You have to attack the problem at the root, and that means blood, sweat, and tears.
The best advice is holistic in nature, not a pitch that plays to your professional strengths.
We can go round and round about what’s going to drive improvements in computer security writ large, but when you boil it down it’s really only about one of and/or two things: money and bodies.
Are we really making a difference in security if we’re only solving problems that smart, rich customers can afford?
If you cannot effectively communicate how what you’re proposing makes your client a better business, your advice is going to be ignored