Network world posed the question to two security experts: Is it better to focus on compliance issues and assume that will make you secure, or to focus on risk and assume that will make you compliant? Not surprisingly, they agreed on the answer: both are important, but simply complying with rules and regulations are not enough to protect you.
Read more here:
http://www.networkworld.com/news/2013/042213-viewpoint-security-268777.html