Manage risk appropriately, not compliance
If it were all about compliance, we wouldn’t keep hearing about data breaches at supposedly PCI-compliant organisations. Sure, if there are compliance measures to meet and audits to pass, these need to be addressed. But the minute information security becomes more about passing audits and being compliant than about managing risk, you’re in trouble. In other words, don’t fall victim to check-box security syndrome.
The most important word in the title is: appropriately. Don’t put in security for the sake of it. Just because you can lock something down to the nth degree does not mean it needs to be done. Always bring it back to the question of what you’re trying to achieve. Remember, it’s about trust, brand and reputation.
Next up - Own your security.