Making security live in a performance culture

admin
January 2, 2011
In a recent PCI seminar I attended, the speaker (who hails from the European PCI Security Council) claimed that most European businesses were in a very bad place in terms of their data security but that the ultimate business objective is 100 percent compliance. I’ve heard similar pronouncements from industry analysts like Forrester.
This is problematic for a number of reasons, starting with the fact that it is impossible to be 100 percent compliant with this or any other standard. A business lives in a performance culture, whereas regulators live in a compliance culture. Compliance does not contribute to improving business performance unless the compliance activity is used as an opportunity to improve product security and customer safety and to reduce the cost of current security measures. This is definitely the path you want to choose – forcing your compliance exercise into the same performance mold that your business values and not settling for less.
In a compliance culture

  • I comply with the standard.
  • I am told the standard. If I am not told, I don’t act.
  • The standard is my objective.
  • When I meet the standard, I am done.

In a performance culture

  • My job is to take risks and deliver value by performing and executing ahead of expectations.
  • A standard is like a quota: something you want to exceed, because next year it will be higher.
  • Meeting a standard means little. I continuously improve.
