How to Prevent a Heartland-Style Data Breach

17.08.2009

Many of the companies also fall under other compliance mandates, such as Sarbanes-Oxley (SOX) or the Gramm-Leach-Bliley Act (GLBA). It is important for companies to respect the spirit as well as the letter of the compliance requirements. Keep in mind that completing a checklist or passing an audit is not the goal of compliance. The goal is to protect sensitive data and network resources. Doing the bare minimum to scrape by on a compliance audit may leave weaknesses that lead to a data compromise, which mars the reputation of the company and is often much more costly than compliance itself.

3. Diligence. This is the big one. Security is a 24/7/365 full-time job. Locking down the wireless network and developing a policy prohibiting rogue networks is great, but what if someone violates the policy and deploys a rogue wireless network next week? Passing a PCI DSS compliance audit is great, but employees come and go, computer systems are provisioned and decommissioned, and new technologies are introduced to the network. Just because the network was compliant at the time of the audit doesn't mean it will still be compliant a month later.

Attackers are constantly working to expose weaknesses in network defenses. Network and security administrators have to remain just as diligent at keeping up with attack techniques and countermeasures. More importantly, you have to monitor intrusion detection and prevention system activity, firewall logs, and other data to stay alert for signs of compromise or suspicious activity. The earlier you can identify and stop an attack, the less data will be compromised and the more you will be a hero instead of a zero.

Tony Bradley is an information security and unified communications expert with more than a decade of enterprise IT experience. He tweets as and provides tips, advice and reviews on information security and unified communications technologies on his site at tonybradley.com.