nCircle.com >> 360 Security >> Guest


July 2007 Archives

July 19, 2007

The #1 PCI Compliance Issue Today

There is an ancient proverb (largely believed to be Persian in origin) that goes a bit like this:

He who knows not and knows not that he knows not is a fool; avoid him.
He who knows not and knows that he knows not is a student; teach him.
He who knows and knows not that he knows is asleep; wake him.
He who knows and knows that he knows is a wise man; follow him.

In today's world of PCI compliance, the biggest problem many organizations have is very similar to that held by the individual in the first line - they don't know that they don't know. Let me explain my thinking here.

I've consulted with and audited a number of organizations for PCI compliance, both large and small. On the surface, the PCI standard is well-written and generally explicit about what you need to do to achieve compliance. However, no compliance mandate or information security guideline can help organizations fix what they don't know is broken. Particularly in large or more distributed organizations, there are some "gaps" that just don't get addressed. By and large, these aren't the "big things" - organizations know when they have undertaken a massive storage or encryption effort. Likewise, organizations know what brand of enterprise-class antivirus software they have deployed. No, the biggest headache for many organizations is not a particular technical control or product. It's the lack of a truly proactive attitude. This alone can significantly affect the overall security posture of an enterprise, and the state of PCI compliance efforts as a result.

Most organizations are doing something about vulnerabilities. Patches are being monitored and deployed, some internal scans are probably run every now and then, and some degree of log monitoring is probably going on. Host-based firewalls or IDS/IPS might be deployed, well-configured images might be the standard, and so on. However, things change. People miss that one box when patching. The new Windows co-op might have screwed up the configuration. Would you know? When's the last time you performed an assessment?

I'm a firm believer in the notion of "continuous assessment" for a few reasons. First, over a period of time, this mentality offers companies the best chance to develop a sound and measurable baseline of activity in their environments. This baseline is then monitored constantly - you know those kids' puzzles with the two identical pictures that ask you to "spot what's wrong" in the second one? Right, of course you do. Well, that would be an impossible puzzle without the first picture, wouldn't it? Yep - that would be one seriously frustrating puzzle, alright.

The second major reason I believe in the notion of continual assessment is straightforward - based on my experience I can vouch for it because it works. There, it's that simple. By being proactive, and learning a) what you have, b) how it's configured, and c) when something changes, you can create a truly effective security regimen that is much easier to monitor and maintain. So many people think that running a vulnerability scanner means clicking a button on a scanner, coming back 10 hours later and printing out the 478-page PDF file that now tells you exactly what is wrong in every nook and cranny of your infrastructure. That's a bit old-school: the new breed of tools can assess a LOT of things with a more automated approach, all of which can tie to a solid security program and a sound PCI compliance strategy. Here are a few:

Determining whether your patch management program is effective
Determining whether your hardening standards and guidelines are effective and being followed
Determining whether you already have an intrusion that needs to be dealt with
Determining whether corporate-wide security policies are being adhered to
Learning quickly when new systems come online, or when existing systems change in some way
Learning whether unencrypted protocols and services are in use
And on and on...
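As an added example (not code from nCircle or from this post), here is the "first picture" idea from above reduced to a small baseline-diff check in Python: a constructed baseline snapshot is compared with a later scan, and the check flags new hosts, new listening services, cleartext protocols, and hosts that have drifted from the expected patch level. The snapshot format, the cleartext-protocol list and the expected patch level are assumptions made for the example.

```python
"""Baseline-and-diff check for continuous assessment (added example).

Snapshots are constructed inline; in practice they would be exported from a
scanner or asset inventory. Each snapshot maps a host to its listening
services (port -> protocol) and the patch level the host reports.
"""

# Constructed sample data: the "first picture" (baseline) and a later scan.
BASELINE = {
    "10.0.0.5": {"services": {22: "ssh", 443: "https"}, "patch_level": "2007-06"},
    "10.0.0.6": {"services": {22: "ssh", 3306: "mysql"}, "patch_level": "2007-06"},
}
CURRENT = {
    "10.0.0.5": {"services": {22: "ssh", 443: "https", 23: "telnet"}, "patch_level": "2007-06"},
    "10.0.0.6": {"services": {22: "ssh", 3306: "mysql"}, "patch_level": "2007-05"},
    "10.0.0.9": {"services": {21: "ftp"}, "patch_level": "unknown"},
}

# Assumed list of protocols that carry data unencrypted and should not be in use.
CLEARTEXT = {"telnet", "ftp", "http", "rlogin"}
# Assumed patch level that the patch management program says every host should be at.
EXPECTED_PATCH = "2007-06"


def compare(baseline, current, expected_patch=EXPECTED_PATCH):
    """Return a list of (host, finding) tuples describing drift from the baseline."""
    findings = []
    # New or vanished systems: the "spot what's wrong" step is impossible without the baseline.
    for host in sorted(set(current) - set(baseline)):
        findings.append((host, "new host not in baseline"))
    for host in sorted(set(baseline) - set(current)):
        findings.append((host, "host missing from scan"))
    for host, data in sorted(current.items()):
        old = baseline.get(host, {"services": {}})
        for port, proto in sorted(data["services"].items()):
            if port not in old["services"]:
                findings.append((host, f"new listening service {proto}/{port}"))
            if proto in CLEARTEXT:
                findings.append((host, f"cleartext protocol {proto}/{port} in use"))
        # Is the patch management program actually effective on this host?
        if data["patch_level"] != expected_patch:
            findings.append((host, f"patch level {data['patch_level']} != expected {expected_patch}"))
    return findings


if __name__ == "__main__":
    for host, finding in compare(BASELINE, CURRENT):
        print(f"{host}: {finding}")
```

Running the same comparison after every scan, rather than once a year, is what turns the 478-page report into a short list of things that changed since the last known-good picture.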

Continually assessing risks and exposures and discovering vulnerabilities is a program worth establishing. By learning what your issues are, fixing them, then continually assessing your own environment, you will quickly find that you are not a fool at all - you might just be on your way to being a wise person.

About July 2007

This page contains all entries posted to Guest in July 2007. They are listed from oldest to newest.