Since regulatory (and industry) compliance became a notable force in the early to mid 2000s, it has been intimately linked with information security, and it has often been the lever (or hammer) by which enterprises were made to fund necessary security investments. But being compliant and being secure are not the same thing, and in too many cases enterprises that were perfectly compliant have been perfectly breached. A new focus is needed: one that recognizes that, while security and compliance are not the same thing, they work toward the same goal (a reduction in overall enterprise risk exposure), and that treats compliance as something that flows from security rather than the other way around.
Takeaways: