Implementing IdM is not a single project. Nor is it even a few stand-alone projects. I call it a continuum. I also mentioned others who called Identity Management a lifestyle. Compliance should be thought of in the same way. When a company aligns IT with good security practices and lives it on a daily basis, compliance happens by default. If you try to shift an entire organization into information security compliance to meet a particular audit or react to a breach, you're going to have your work cut out for you. And you're going to feel like a mouse in a wheel, never quite catching up to where you want to be.
The paper encourages organizations to "adopt a culture of continuous risk management". It's worth a read for organizations who want to understand how to achieve some level of compliance -- or maybe just to minimize their overall level of risk.
In Dave Kearns' Network World newsletter today, he mentions an old truism that you should "make the cost of pilfering an asset higher than its value while keeping the cost of protecting the asset lower than the cost of replacing it." There's some truth to that -- it's a juggling act. Luckily, good security practices span across assets, making the cost of security minimal on a per-asset basis. But I think Dave's point fits nicely with the ideas above. Getting your organization into a culture of compliance will enable you to balance cost with risk and make your long-term security costs more predictable. And when regulations and compliance rules change, you'll be ready.