Someone on LinkedIn asked: "Is Information Security driven by compliance?" to which I say "yes and this is a problem"!
My long answer goes like this:
Getting your security sorted for the sake of compliance is wrong. It does not make any business sense, at least not from the way I look at it. At the end of the day it does not matter whether you comply with whichever 3-4 letter acronym. What matters most is how secure you actually are, and from my experience compliance only creates a false sense of security. The bottom line is: if you want to keep your customers and business partners in the dark, then get hold of as many acronyms as possible. However, it will cost a lot of money, and even more when an incident occurs. If you really care about security, then use the money to hire the best of the best to show how it is done in the real world.
This is certainly not the best answer. Follow the discussion over here. You are not going to learn anything technical but at least you will get a good idea how the majority of security professionals on LinkedIn think.
Then you can say: "Our company's security was proudly assessed by X." Not only will you give some good PR to your security team, you will also make them work harder and provide even better value for your money. People understand people. They do not understand 3-letter acronyms.