1) How has IT security evolved in recent years? What are emerging trends and threats to enterprise security?
IT attacks have become more sophisticated. Malware is continually changed to render signature-based malware protection (common to most anti-virus software) of limited value. IT security now requires analysis of data from myriad sensors worldwide and big data analysis to detect new threats and determine appropriate counter-measures. This not only requires a massive sensor network, but also sophisticated analytical tools and personnel. Most businesses cannot afford this investment. For this reason
2) What can companies do to protect themselves? Why should they be on-guard? What do they have to lose?
All but the largest enterprises will need to outsource their security operations center(SOC) functions to security specialist organizations that have the sensor network and analytical resources (both personnel and tools) to analyze the large amounts of incoming data to detect patterns as well as to reverse engineer new (zero day) threats and develop solutions to defeat the them.
3) How have governments enacted legislation or regulation to protect consumers and businesses [helped or hindered security]?
The original question is incomplete. I interpret it as corrected above.
There is value to customers and partner to learn that their data may have been compromised by a breach to an enterprise they work with. But legislative data-breech disclosure requirements often compromise the ability of an enterprise to develop countermeasures without the adversary being aware that such efforts are being undertaken. The ability to conduct analysis and implement countermeasures allows the attack to be countered before the adversary learns of the counterattack and modifies his attack. While eventual disclosure should still be required, enterprises often require the flexibility to first remedy the problem before it becomes more complicated and difficult to resolve. Enterprises need the ability to work with law enforcement (such as the FBI in the US) to resolve the attack before having to publicly disclose a data breach.